Microchip logo
  • All
  • Products
  • Documents
  • Applications Notes

Trust&GO ATECC608A Secure Element for Google IoT Core Secure Authentication

Leverage the Simplicity of JSON Web Token (JWT) Authentication

When it comes to IoT security, authentication is one of the foundational concepts that should be implemented first in your design. The trust between the device identity and the cloud platform relies on a chain of trust. Google IoT Core supports JSON Web Token-based authentication, but the trust in the device identity will depend entirely on how well the device’s private key is protected. If the private key is spoofed, the device can be impersonated by an unauthorized user who can then control the device’s transactions. However, adding authentication presents you with several challenges: securely storing the private key in the device, shipping the private key across the globe for any project and system size, creating a possibly cost-prohibitive chain of trust and ensuring a secure manufacturing flow. These challenges can be addressed by using the Trust&GO ATECC608A-TNGTLS secure element from our Trust Platform family of solutions on Google IoT Core.

Defining a secure authentication model without expertise can be a daunting task. Finding and implementing a certificate authority provider to securely provision keys increases the cost and complexity of your project. The Trust&GO ATECC608A-TNGTLS comes pre-configured and pre-provisioned with credentials and key to significantly reduce costs and simplify your development. On the cloud side, the Google IoT Core architecture offers you a simple Application Programming Interface (API) to implement JWT token-based authentication. Since the implementation relies only on a single public/private key pair, the controller code is extremely streamlined. No certificates are involved. A JWT token is created by the controller using the CryptoAuthLib™ library. The token is then presented to the secure element that protects the private key. The JWT token is signed with the private key located inside the secure boundary of the ATECC608A-TNGTLS. The corresponding public key is provided in a manifest file downloadable from our online store after your devices have shipped. This public key is used in Google IoT Core to verify that the signed JWT can be trusted. Offloading these cryptographic operations to the secure element allows you to use the microcontroller (MCU) of your choice, ranging from 8-bit devices all the way up to 32-bit devices for use in Linux®-based systems, to leverage this simple yet robust authentication model.

At the device level, our ATECC608A-TNGTLS provides a JIL “high” rated secure key storage to isolate keys in the nodes. This is especially valuable in TLS networks that are based on a public/private key security model and leverage a wide variety of traditional low-power MCUs.

Benefits of Using the Trust&GO ATECC608A with Google IoT Core:

  • Pre-configured device and pre-provisioned private key
  • Create secure authentication to IoT devices powered by Google IoT Core
  • Benefit from the scalability of Google IoT Core
  • Leverage the simplicity of JWT authentication
  • Implement a unique, trusted, protected and managed device identity
  • Turn-key code examples available for 8-bit, 16-bit and 32-bit microcontrollers
  • Leverage Microchip’s secure provisioning service
  • Simplify logistics of shipping private keys and reduce manufacturing costs
  • Microcontroller-agnostic implementation
  • JIL rated “high” secure key storage
  • Protection against known tamper, side-channel attacks
AWS_DeviceQualification_LogoLockup_iot_500px ATECC608A

Trust&GO ATECC608A-TNGTLS Features:

Each of the device slots is pre-configured and pre-provisioned to offer the following use cases:

  • Token Authentication: Leverage a private key to perform an Elliptic Curve Digital Signature Algorithm (ECDSA) sign operation on a token that will be verified by its corresponding public key somewhere else in the network.
  • Custom Certificate Authentication: Use the default generic certificates for thumbprint authentication already inside the Trust&GO device or overwrite them with your own certificates.
  • Secure Boot (with key attestation): Perform an ECDSA verification at boot using a public key corresponding to a private key used to sign the code that the system will boot from. The public key becomes highly sensitive as it will allow a system to boot. The public key that will need to be inside the device is not available in the device at time of purchase. It will have to be loaded separately.

Visit the ATECC608A-TNGTLS product page to learn more about the device’s features.

Ready to Get Started with Trust&GO and Google IoT Core?

Just follow these steps:

Step 1: Download the data sheet.


Step 2: Buy the Trust Platform hardware featuring an Arm® Cortex®-M0+ based SAM D21 MCU and our WINC1500 Wi-Fi® IoT network controller.

Step 3: As you work with the development kit, use the utility located inside the Trust Platform Design Suite, available for Windows® and macOS® operating systems, to create the manifest file. Once the C code for the secure element is working in your embedded application, you are ready to go to production.

Step 4: Order the pre-provisioned device and download the manifest file from our online store or from our distribution partners.