
Trust&GO ATECC608B Secure Element for Microsoft Azure Secure Authentication

Leverage the Simplicity of Generic Certificate Authentication

When it comes to IoT security, authentication is one of the foundational concepts that should be implemented first in your design. The trust between the device identity and the cloud platform relies on a chain of trust. Microsoft Azure supports generic certificate-based authentication, but the trust in the device identity will depend entirely on how well the device’s private key is protected. If the private key is compromised, the device can be impersonated by an unauthorized party who can then control the device’s transactions. However, adding authentication presents you with several challenges: securely storing the private key in the device, shipping the private key across the globe for any project and system size, creating a possibly cost-prohibitive chain of trust and ensuring a secure manufacturing flow. These challenges can be addressed by using the Trust&GO ATECC608B-TNGTLS secure element from our Trust Platform family of solutions on the Microsoft Azure cloud.

Defining a secure authentication model without expertise can be a daunting task. Finding and implementing a certificate authority provider to securely provision keys increases the cost and complexity of your project. The Trust&GO ATECC608B-TNGTLS comes pre-configured and pre-provisioned with a private key and a matching generic certificate for thumbprint authentication, which significantly reduces costs and simplifies your development. On the cloud side, the Microsoft Azure architecture offers a simple Application Programming Interface (API) to implement thumbprint certificate-based authentication. Since the implementation relies only on a single certificate layer, the controller code is extremely streamlined. The cloud issues a challenge, and the secure element signs it with its private key. The controller uses the CryptoAuthLib™ library APIs to request that signature from the secure element, and the cloud verifies it against the generic certificate. The corresponding generic certificate is provided in a manifest file downloadable from our online store after your devices have shipped.

At the device level, our ATECC608B-TNGTLS provides a JIL “high” rated secure key storage to isolate keys in the nodes. This is especially valuable in TLS networks that are based on a certificate security model and leverage a wide variety of traditional low-power microcontrollers (MCUs).

Benefits of Using the TrustFLEX ATECC608B with Microsoft Azure IoT Hub

  • Pre-configured device and pre-provisioned private key
  • Create secure authentication to IoT devices powered by Microsoft Azure IoT Hub
  • Benefit from the scalability of Azure IoT Hub
  • Leverage the simplicity of generic certificate authentication
  • Implement a unique, trusted, protected and managed device identity
  • Turn-key code examples available for 32-bit microcontrollers
  • Leverage Microchip’s secure provisioning service
  • Simplify logistics of shipping private keys and reduce manufacturing costs
  • Microcontroller-agnostic implementation
  • JIL rated “high” secure key storage
  • Protection against known tamper and side-channel attacks

Trust&GO ATECC608B-TNGTLS Features:

Each of the device slots is pre-configured and pre-provisioned to offer the following use cases:

  • Generic Certificate Authentication: Use the default generic certificates for thumbprint authentication that are already locked inside the Trust&GO device. The cloud architecture does not need a root certificate to verify the thumbprint certificate, but the server has to be set up to implement this policy.
  • Token Authentication: Leverage the private key to perform an Elliptic Curve Digital Signature Algorithm (ECDSA) sign.

Visit the ATECC608B-TNGTLS product page to learn more about the device’s features.

Ready to Get Started with Trust&GO and Microsoft Azure IoT Hub?

Just follow these steps:

Step 1: Download the data sheet.

Step 2: Buy the Trust Platform hardware featuring an Arm® Cortex®-M0+ based SAM D21 MCU and our WINC1500 Wi-Fi® IoT network controller.

Step 3: As you work with the development kit, use the tutorial and code example and create the manifest file using the Trust Platform Design Suite, available for Windows® and macOS® operating systems. (Coming soon: code example for the ATECC608B-TNGTLS)

Step 4: Once the C code for the secure element is working in your embedded application, you are ready to go to production. Order the pre-provisioned device and download the manifest file from our online store or from our distribution partners. Upload the list of public credentials in the Microsoft Azure environment.