
TrustFLEX ATECC608A Secure Element for TLS-Based Networks

Leverage the Simplicity of Thumbprint Certificate Authentication

The vast majority of networks mandate Transport Layer Security (TLS), which relies on certificate-based authentication. Whether you are using a public cloud or a private cloud, the trust in the device identity depends entirely on how well the device’s private key is protected. If the private key is compromised, the device can be impersonated by an unauthorized user who can then control the device’s transactions. The TLS stack handles the key agreement and the encryption well. However, implementing secure authentication presents you with several challenges: securely storing the private key in the device, shipping the private key across the globe for any project and system size, and creating a possibly cost-prohibitive, weak and hard-to-scale manufacturing flow. These challenges can be addressed by using the TrustFLEX ATECC608A-TFLXTLS secure element from our Trust Platform family with TLS stack providers. This solution also provides you with the flexibility to choose your own certificate authority in addition to leveraging the integrated authentication use cases in the same secure element.

Benefits of Using the TrustFLEX ATECC608A with TLS

  • Leverage multiple use cases with our pre-configured devices
  • Use your own certificate authority
  • Leverage the simplicity of thumbprint certificate authentication
  • Implement a unique, trusted, protected and managed device identity
  • Turn-key code examples
  • Leverage Microchip’s secure provisioning service
  • Simplify logistics of shipping private keys and reduce manufacturing costs
  • Microcontroller-agnostic implementation
  • JIL rated “high” secure key storage
  • Protection against known tamper and side-channel attacks

TrustFLEX ATECC608A-TNGTLS features

  • Custom Certificate Authentication: Use either the default thumbprint certificates already inside the TrustFLEX device or overwrite them with your own certificate.
  • JSON Web Token (JWT) Authentication: Leverage a private key to perform an Elliptic Curve Digital Signature Algorithm (ECDSA) sign operation on a token that will be verified by its corresponding public key somewhere else in the network.
  • Secure Boot (with key attestation): Perform an ECDSA verification at boot using a public key corresponding to a private key used to sign the code that the system will boot from. The public key becomes highly sensitive as it will allow a system to boot.
  • OTA Verification: Perform an ECDSA verification after an update using a public key corresponding to a private key used to sign the code the system will be updated with. The public key becomes highly sensitive as it will allow a system to be updated with a new code that needs to be trusted.
  • Firmware Intellectual Property (IP) Protection: Perform a verification during the system runtime using a key corresponding to the one used to sign the code the system runs. The verification key becomes highly sensitive as it will allow a system to run on a genuine code image.
  • Message Encryption: Provides the capability to encrypt a very small packet of data using the integrated hardware Advanced Encryption Standard (AES) engine.
  • Key Rotation: Provides the capability to rotate private keys within the secure boundaries of the secure element.
  • I/O Protection Key: Provides the capability to uniquely pair the MCU and the secure element.
  • Host Accessory Authentication: Provides the capability to create an ecosystem control strategy by having a main host authenticate its peripherals using a basic PKI architecture.

Ready to Get Started with TrustFLEX and a TLS Stack Provider?

  • mBedTLS
  • WolfSSL
  • Linux® OS