
TrustFLEX ATECC608A Secure Element for AWS IoT Core Secure Authentication

Start with the Most Popular Pre-configured Use Cases and Use Your Own Credentials

When it comes to IoT security, authentication is one of the foundational concepts that should be implemented first in your design. The trust between the device identity and the cloud platform relies on a chain of trust. AWS IoT supports certificate-based authentication, but the trust in the device identity depends entirely on how well the device’s private key is protected. If the private key is compromised, the device can be impersonated by an unauthorized party who can then control the device’s transactions. Adding authentication, however, presents several challenges: securely storing the private key in the device, shipping the private key across the globe for any project and system size, and ensuring a secure manufacturing flow. These challenges can be addressed by using the TrustFLEX ATECC608A-TFLXTLS secure element from our Trust Platform family of solutions.

Defining the secure element’s configuration is generally a time-consuming task. The TrustFLEX ATECC608A-TFLXTLS comes pre-configured with the most commonly used use cases to speed up your development and reduce the complexity of the onboarding process. To further simplify onboarding, the device also comes with default generic certificates for thumbprint authentication and overwritable keys. This allows you to either choose the default certificates and keys and lock them afterwards, or overwrite the default credentials with your own. When combined with AWS IoT Core Application Programming Interfaces (APIs), such as Just-In-Time Registration and Use Your Own Certificate, you can use a Certificate Authority provider of your choice to create end-to-end secure authentication. The device’s private keys are provisioned in the secure element using our provisioning infrastructure and the Hardware Security Modules (HSMs) installed in our factories. The key is then isolated from exposure to software, firmware, manufacturing sites, end users and other third parties. Our ATECC608A-TFLXTLS provides Common Criteria JIL “high” rated secure key storage to isolate keys in the nodes. This is especially valuable in TLS networks that are based on a Public Key Infrastructure (PKI) security model and leverage a wide variety of traditional low-power microcontrollers (MCUs).

Benefits of Using the TrustFLEX ATECC608A with AWS IoT Core:

  • Pre-configured with most popular use cases
  • Turn-key code examples available for each use case 
  • Leverage Microchip’s secure provisioning service
  • Simplify logistics of shipping private keys and reduce manufacturing costs
  • Microcontroller-agnostic implementation
  • JIL rated “high” secure key storage
  • Protection against known tamper, side-channel attacks

TrustFLEX ATECC608A-TFLXTLS Use Cases

Each of the device’s slots is pre-configured to offer one of the following use cases:

  • Custom Certificate Authentication: Use the default generic certificates for thumbprint authentication already inside the TrustFLEX device or overwrite them with your own certificates.
  • Token Authentication: Leverage a private key to perform an Elliptic Curve Digital Signature Algorithm (ECDSA) sign operation on a token that will be verified by its corresponding public key somewhere else in the network.
  • Secure Boot (with key attestation): Perform an ECDSA verification at boot using the public key corresponding to the private key that signed the code the system will boot from. The public key becomes highly sensitive, since whoever can replace it decides which code the system will accept and boot.
  • Over-the-Air (OTA) Verification: Perform an ECDSA verification after an update using the public key corresponding to the private key that signed the code the system will be updated with. The public key becomes highly sensitive, since it determines which new code the system will trust.
  • Firmware Intellectual Property (IP) Protection: Perform a verification during system runtime using the key corresponding to the one used to sign the code the system runs. The verification key becomes highly sensitive, since it determines whether the system runs only a genuine code image.
  • Message Encryption: Provides the capability to encrypt a very small packet of data using the integrated hardware Advanced Encryption Standard (AES) engine.
  • Key Rotation: Provides the capability to rotate private keys within the secure boundaries of the secure element.
  • I/O Protection Key: Provides the capability to uniquely pair the MCU and the secure element.
  • Host Accessory Authentication: Provides the capability to create an ecosystem control strategy by having a main host authenticate its peripherals using a basic PKI architecture.
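The Token Authentication, Secure Boot and OTA Verification use cases above all rest on one primitive: an ECDSA signature made with a private key that never leaves its slot, checked elsewhere with only the public key. The following Go program is an added illustration of that sign-then-verify pattern; it is not Microchip's code and not CryptoAuthLib. It replaces the secure element's hardware-held slot and the vendor's HSM with in-memory P-256 keys (a stated simplification), uses a constructed challenge and a constructed firmware image, and shows the two failure cases a verifier must handle: a signature replayed against a different challenge, and a modified image.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// KeyPair stands in for a key held in a protected slot. In the real design the
// device key is generated inside the ATECC608A and the firmware-signing key lives
// in the vendor's HSM; here both are in-memory P-256 keys created for the example.
type KeyPair struct{ priv *ecdsa.PrivateKey }

// NewKeyPair generates a fresh P-256 key (assumption: stand-in for slot key generation).
func NewKeyPair() (*KeyPair, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &KeyPair{priv: priv}, nil
}

// PublicKey is the only thing that ever leaves the slot.
func (k *KeyPair) PublicKey() *ecdsa.PublicKey { return &k.priv.PublicKey }

// Sign produces an ASN.1 DER-encoded ECDSA signature over SHA-256(msg).
func (k *KeyPair) Sign(msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	return ecdsa.SignASN1(rand.Reader, k.priv, digest[:])
}

// Verify checks an ECDSA signature over SHA-256(msg) using only the public key.
func Verify(pub *ecdsa.PublicKey, msg, sig []byte) bool {
	digest := sha256.Sum256(msg)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

// TokenAuthentication models the token use case: the verifier issues a fresh
// random challenge, the device signs it, and the verifier checks the signature
// against the device public key it already holds. It returns whether the fresh
// signature verified and whether that same signature also passes for a second,
// different challenge (it must not, otherwise a captured signature could be replayed).
func TokenAuthentication(device *KeyPair) (freshOK bool, replayOK bool, err error) {
	challenge := make([]byte, 32)
	if _, err = rand.Read(challenge); err != nil {
		return
	}
	sig, err := device.Sign(challenge)
	if err != nil {
		return
	}
	freshOK = Verify(device.PublicKey(), challenge, sig)

	next := make([]byte, 32)
	if _, err = rand.Read(next); err != nil {
		return
	}
	replayOK = Verify(device.PublicKey(), next, sig)
	return
}

// VerifyImage models Secure Boot and OTA verification: the stored public key
// decides whether an image may run. Any change to the image invalidates the
// signature, and swapping the stored public key would change which images are
// accepted, which is why that key must itself be protected from modification.
func VerifyImage(bootPub *ecdsa.PublicKey, image, sig []byte) error {
	if !Verify(bootPub, image, sig) {
		return errors.New("image signature invalid: refusing to boot")
	}
	return nil
}

func main() {
	device, _ := NewKeyPair()
	fresh, replay, err := TokenAuthentication(device)
	fmt.Println("token auth: fresh =", fresh, "replayed =", replay, "err =", err)

	vendor, _ := NewKeyPair() // constructed stand-in for the firmware-signing key
	image := []byte("constructed firmware image v1.0")
	sig, _ := vendor.Sign(image)
	fmt.Println("genuine image:", VerifyImage(vendor.PublicKey(), image, sig))
	tampered := bytes.Replace(image, []byte("v1.0"), []byte("v1.1"), 1)
	fmt.Println("tampered image:", VerifyImage(vendor.PublicKey(), tampered, sig))
}
```

The verifier side only ever needs the public key, which is what lets the private key stay inside the secure element for the whole lifetime of the device; the example's in-memory key is the one place where it departs from the hardware flow the page describes.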

Visit the ATECC608A-TFLXTLS product page to learn more about the device’s features.

Ready to Get Started with TrustFLEX and AWS IoT?

Just follow these steps:

Step 1: Download the data sheet.

Step 2: Use the Trust Platform Design Suite, available for Windows® and macOS® operating systems, to prototype your secure element with the AWS IoT code example located inside the Design Suite.

Step 3: Buy the Trust Platform hardware featuring an Arm® Cortex®-M0+ based SAM D21 MCU and our WINC1500 Wi-Fi® IoT network controller.

Step 4: Once the C code for the secure element is working in your embedded application, you are ready to create the configuration file using the TrustFLEX configurator that is available in the Design Suite. After the configuration file is finalized, submit a support ticket to obtain your encryption key. Encrypt the configuration file using the provided utility, attach it to the support ticket, and you will receive provisioned validation devices from our Hardware Security Module (HSM) equipped factories.

After you have completed the provisioning process with the TrustFLEX platform, you will receive your securely provisioned devices from Microchip, delivered directly to your destination of choice.

Are You Interested in AWS IoT Greengrass Hardware Security Integration?

Find out how to develop an IoT Greengrass Hardware Security Integration solution using the ATECC608A secure element.