AWS IoT Greengrass Hardware Security Interface (HSI)
For the ATECC608B Secure Element
When it comes to IoT security, private keys are the most sensitive material. If a private key is accessed by an unintended party, that party can impersonate the IoT hardware and carry out undesired or malicious operations. Because of this, the most basic security practice to follow is to implement a secure hardware root of trust that removes exposure of private keys to software, firmware, manufacturing sites, end users and other third parties. Microchip’s ATECC608B secure element provides a JIL “high” rated secure key storage area to isolate keys. This is especially valuable in Linux® environments, where the software stack is large and constantly changing and software paths to the keys are likely to appear.
To help add hardware secure key storage, Amazon Web Services (AWS) offers IoT Greengrass Hardware Security Integration as part of its IoT Greengrass Core software. It is a PKCS#11-based interface between the IoT Greengrass Core and a hardware security module. In this implementation the ATECC608B serves as the hardware secure key storage, isolating the private keys needed for authentication between AWS IoT and AWS IoT Greengrass from the Linux-based system running IoT Greengrass. This microprocessor-agnostic solution adds true hardware secure key storage to any Linux-based IoT product. The ATECC608B is now part of the AWS Device Qualification Program supporting AWS IoT Greengrass.
Benefits of using the AWS IoT Greengrass Hardware Security Integration:
- Leverage secure elements for AWS IoT Greengrass ecosystems
- Provide a unique, trusted and protected
- Optimum hardware security with secure key storage
- Anti-tampering protection
- Side-channel attack protections
- JIL rated “high” secure key storage
PKCS#11 is one of the Public-Key Cryptography Standards (PKCS), the Cryptographic Token Interface standard. To put it simply, it’s an interface or API that defines the communication between a controller (microcontroller or
Security is often mistaken for encryption. Encryption alone doesn’t make a system secure: storing a key in encrypted form does not protect it, because firmware and software bugs will always exist. Bugs are a natural part of coding. In addition, there is another considerable attack surface to consider during manufacturing, where keys and other cryptographic assets can be exposed to employees and equipment. All of these are paths an attacker can use to extract a private key and impersonate the device. Using an ATECC608B secure element combined with Microchip’s provisioning service significantly reduces the exposure of your keys to software, firmware, manufacturing, third-party companies and users. The ATECC608B has been rated JIL “High”, demonstrating its robustness in protecting keys.
There are two mutually authenticated links whose TLS handshake signatures IoT Greengrass Hardware Security Integration can delegate to a private key held in the secure element:
- The authentication between the IoT Greengrass Core and AWS IoT
- The authentication between the IoT Greengrass Core and the IoT edge nodes connected to the gateway.
Both authentication paths rely on mutual TLS 1.2. Consequently, the system may use two private keys, one for each link, or a single private key for both. The choice depends on the application and on the security model chosen by the designer. In either case, the IoT edge node still needs its own private key, stored in a secure element such as the ATECC608B within the end node itself.
The scalable IoT Greengrass Hardware Security Integration relies on a PKCS#11 interface. This architecture makes the usage of a secure element very portable from one Linux-based design to another, saving significant development time and accelerating time to market.
Start Developing Your IoT Greengrass Hardware Security Integration Solution
- Step one: Buy the “Secure 4 click” board, which already includes the ATECC608B, and the Raspberry Pi to MikroBUS™ adapter from MikroElektronika.
- Step two: Procure a Linux system such as a Raspberry Pi (the documented example) or a Microchip SAMA5Dx MPU.
- Step three: Go to the user manual hosted on GitHub and start implementing the ATECC608B secure element within your IoT Greengrass-enabled system.
- Step four: Use the AWS IoT Greengrass documentation to get started with IoT Greengrass and deploy the IoT Greengrass Core software to your device. Follow the directions for changing your config.json file so that it uses the ATECC608B private key.
You then benefit from strong authentication between AWS IoT Core and AWS IoT Greengrass, with the private key held in secure key storage.
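The following is an added example, not code from Microchip, AWS or the GitHub user manual, tying together the two authentication links above and the config.json change in step four. It embeds a constructed Greengrass v1 config.json in which both principals point at the same ATECC608B key object, a constructed weak variant where the local MQTT server key was left as a plain file, and a small audit that parses the PKCS#11 URIs (RFC 7512) and reports whether either link still depends on a key on disk and whether the two links share one key. The library paths, slot label, PIN and object labels are placeholders, not values from the page.

```python
"""Audit an AWS IoT Greengrass (v1) config.json for secure-element key use.

Added example, not Microchip's or AWS's own code. It assumes the Greengrass
v1 "crypto" section layout (a PKCS11 block plus a privateKeyPath per
principal) and PKCS#11 URIs of the shape "pkcs11:object=<label>;type=private".
Library paths, slot label, PIN and object labels below are placeholders.
"""
import json
from urllib.parse import unquote

# The two principals that carry the two mutual-TLS links described above:
# Core <-> AWS IoT, and Core <-> local edge devices (the local MQTT server).
PRINCIPALS = ("IoTCertificate", "MQTTServerCertificate")

# Constructed sample: both links take their private key from the same
# ATECC608B object; only certificates (public material) live on disk.
SECURE_CONFIG = """{
  "coreThing": {
    "thingArn": "arn:aws:iot:us-east-1:123456789012:thing/example-core",
    "iotHost": "example-ats.iot.us-east-1.amazonaws.com",
    "ggHost": "greengrass-ats.iot.us-east-1.amazonaws.com"
  },
  "crypto": {
    "PKCS11": {
      "OpenSSLEngine": "/usr/lib/engines-1.1/libpkcs11.so",
      "P11Provider": "/usr/lib/libcryptoauth.so",
      "slotLabel": "ATECC608B",
      "slotUserPin": "1234"
    },
    "principals": {
      "IoTCertificate": {
        "privateKeyPath": "pkcs11:object=device;type=private",
        "certificatePath": "file:///greengrass/certs/core.cert.pem"
      },
      "MQTTServerCertificate": {
        "privateKeyPath": "pkcs11:object=device;type=private"
      }
    },
    "caPath": "file:///greengrass/certs/root.ca.pem"
  }
}"""


def set_private_key(config_text, principal, key_path):
    """Return a copy of the config with one principal's privateKeyPath replaced."""
    cfg = json.loads(config_text)
    cfg["crypto"]["principals"][principal]["privateKeyPath"] = key_path
    return json.dumps(cfg)


# Constructed weak setting: the local MQTT server key is a plain file, so the
# Core <-> edge-device link is not protected by the secure element.
WEAK_CONFIG = set_private_key(
    SECURE_CONFIG, "MQTTServerCertificate", "file:///greengrass/certs/core.private.key")


def parse_pkcs11_uri(uri):
    """Parse the path attributes of an RFC 7512 PKCS#11 URI into a dict.

    Percent-encoded values are decoded; the optional ?query part (pin-value,
    module-path, ...) is ignored because Greengrass carries the PIN in the
    PKCS11 block instead.
    """
    if not uri.startswith("pkcs11:"):
        raise ValueError("not a PKCS#11 URI: %r" % uri)
    path, _, _query = uri[len("pkcs11:"):].partition("?")
    attrs = {}
    for part in path.split(";"):
        if not part:
            continue
        name, sep, value = part.partition("=")
        if not sep:
            raise ValueError("malformed PKCS#11 attribute: %r" % part)
        attrs[name] = unquote(value)
    return attrs


def audit_config(config_text):
    """Report which principals keep their key in the token and whether both links share one key."""
    cfg = json.loads(config_text)
    report = {"ok": True, "on_disk": [], "objects": {}, "shared_key": None}
    crypto = cfg.get("crypto")
    if not crypto or "PKCS11" not in crypto:
        # Legacy coreThing.keyPath layout: every private key is a file on disk.
        report["ok"] = False
        report["on_disk"] = list(PRINCIPALS)
        return report
    for name in PRINCIPALS:
        key_path = crypto["principals"][name]["privateKeyPath"]
        if key_path.startswith("file://"):
            report["ok"] = False
            report["on_disk"].append(name)
            continue
        attrs = parse_pkcs11_uri(key_path)
        if attrs.get("type") != "private" or "object" not in attrs:
            raise ValueError("%s: URI must name a private-key object: %r" % (name, key_path))
        report["objects"][name] = attrs["object"]
    objs = report["objects"]
    if len(objs) == len(PRINCIPALS):
        # One object label for both links means a single key serves both.
        report["shared_key"] = len(set(objs.values())) == 1
    return report


if __name__ == "__main__":
    for label, text in (("secure", SECURE_CONFIG), ("weak", WEAK_CONFIG)):
        print(label, audit_config(text))
```

Run stand-alone it prints the two reports; the secure config passes with `shared_key` true, the weak one fails with `MQTTServerCertificate` listed as on disk. To model the two-key design from the section above, point `MQTTServerCertificate` at a second object label (for example `pkcs11:object=local;type=private`) and the audit reports `shared_key` false. Note that the certificates and the root CA stay as `file://` paths on purpose: they are public, and the property the secure element gives you is that the private key behind them never leaves the ATECC608B, whatever else is readable on the Linux filesystem.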