We detect you are using an unsupported browser. For the best experience, please visit the site using Chrome, Firefox, Safari, or Edge. X

Why Would You Harden Your IoT Security with the ATECC508A for AWS IoT?


This solution is archived and will no longer be updated. We recommend that you use the TrustFLEX ATECC608A-TFLXTLS for AWS IoT Core instead.

Securing communication with a Cloud service and manipulating keys comes with many challenges: storing and using keys in the microcontroller exposes them, operating systems and software have bugs, the Heartbleed bug for OpenSSL was notable by easily exposing keys. Consequently, governments and corporations across the globe are working to protect individual identities and privacy. Strong authentication is the start of robust security. This leads cloud providers to push towards hardware-based security to obtain strong device identity protection, prevent identity spoofing, but also to protect against unauthorized firmware updates and prevent proliferation.

An easy way to hack an IoT device today is to physically attack the embedded system and spoof the private key which is likely located in the clear of a microcontroller memory. But hacking a single device or transaction is typically not of value to an attacker. Hackers are looking for weaknesses that will enable them to exploit a large number of connected devices. Once the keys are spoofed, the devices are accessed, a scalable remote attack can be launched leveraging the corrupted IoT devices as entry points.

AWS re:Invent 2016: Introduction to AWS IoT in the Cloud (IOT204)

What’s new with AWS IoT? This is an Introduction to the AWS IoT Platform and an overview of new features. Join us for a discussion on the features launched over the last year, and the best practices on how to use the AWS IoT Platform to get your device data into the cloud.

Zero Touch Secure Provisioning for AWS IoT Kit Version B


A truly secure end-to-end IoT solution:

The end-to-end concept starts from prototyping through manufacturing to delivering a product to market, all with security in mind. The kit helps devices comply with the AWS IoT security model which states a device must use mutual authentication to be authorized on the AWS cloud.

There are two main challenges to achieving this goal: providing a trusted authentication and handling securely the private keys in a large-scale production environment. The pre-configured ATECC508MAHAW meets these challenges by leveraging AWS IoT Just-In-Time Registration (JITR). The JITR combined with the mutual authentication handshake enables bulk certificate upload from IoT devices to the AWS IoT service once a system is deployed.

There are two main challenges to achieving this goal: providing a trusted authentication and handling securely the private keys in a large-scale production environment. The pre-configured ATECC508MAHAW meets these challenges by leveraging AWS IoT Just-In-Time Registration (JITR). The JITR combined with the mutual authentication handshake enables bulk certificate upload from IoT devices to the AWS IoT service once a system is deployed.

The AT88CKECC-AWS-XSTK-B kit for AWS IoT has been designed to help the engineer starting to prototype and learn the basics of secure provisioning. The secure element is pre-configured but not provisioned with keys out of the box. The Python based scripts are here to guide the user through the steps of provisioning and illustrate the process their company will go through when implementing certificate based authentication in a production environment. Once the kit is provisioned, it provides a unique, trusted and protected identity.

Trust cannot rely only on the device but also on the manufacturing process. Exploiting third party weaknesses is one of the top targets for hackers. Isolating keys and secrets from manufacturing is equally vital. Customers can leave this burden to Microchip's secure factories and leverage our trusted provisioning service already used by thousands of companies. It's zero touch, the private keys are never exposed.

20 Years of Experience in Secure Provisioning


Microchip is here the all way through.

Prototype

  • Educate yourself about the AWS IoT Security model
  • Understand why private key isolation is vital to your design
  • Learn how to code with CryptoAuthLib library
  • Learn how to configure the memory zone and set your expected policies
  • Learn the basics of provisioning a secure element

Personalize

  • Memory configuration is defined and locked
  • Your Certificate Authority is decided
  • AWS IoT production account is configured with AWS
  • Secret exchange with Microchip completed
  • The ATECC508AMHAW is set up with your customized part number

Mass Production

  • All the provisioning—keys/certificates generation and manipulation—is done within Microchip's secure factories
  • Keys are internally generated and never exposed to the outside world ever; it’s zero touch
  • Elimination of any software or manufacturing backdoors
  • The device ships pre-provisioned with the secrets

AWS IoT Authentication Products


View All Parametrics
Product Status 5K Pricing Algorithm Type Zones Key Size Density Configuration RNG Unique ID Interface Type TempNo Range Min (deg C) TempNo Range Max (deg C) Operating Current Typical (mA) Operating Voltage Min (Vcc) Operating Voltage Max (Vcc) Secure Provisioning Service Standby Typical (uA) Packages
ATECC608A Not Recommended for new designs Consider: ATECC608B $0.50 ECC P256 (ECDH and ECDSA), SHA256, AES-GCM 16 256 10.5Kb Standard FIPS 72 bit serial number Single-wire; I2C -40 85 1 2 5.5 Yes 0.04 8/UDFN, 8/SOIC, 4/WLCSP
ATECC608A-TCSM Not Recommended for new designs Consider: ATECC608B-TCSM $0.84 ECC P256 (ECDH and ECDSA), SHA256, AES-GCM 16 256 10.5Kb Standard FIPS 72 bit serial number Single-wire; I2C -40 85 1 2 5.5 Yes 0.04 8/UDFN, 8/SOIC
ATECC608A-TFLXLORA Not Recommended for new designs Consider: ATECC608B-TNGLORA Call for pricing ECC P256 (ECDH and ECDSA), SHA256, AES-GCM 16 256 10.5Kb Pre-configured FIPS 72 bit serial number Single-wire; I2C -40 85 1 2 5.5 Yes 0.04 Please call for package information
ATECC608A-TFLXTLS Not Recommended for new designs Consider: ATECC608B-TFLXTLS $0.79 ECC P256 (ECDH and ECDSA), SHA256, AES-GCM 16 256 10.5Kb Pre-configured FIPS 72 bit serial number Single-wire; I2C -40 0 1 2 5.5 Yes 0.04 8/UDFN, 8/SOIC
ATECC608A-TNGACT Not Recommended for new designs Consider: ATECC608B-TNGACT $0.88 ECC P256 (ECDH and ECDSA), SHA256, AES-GCM 16 256 10.5Kb Pre-provisioned FIPS 72 bit serial number Single-wire; I2C -40 85 1 2 5.5 Yes 0.04 Please call for package information
ATECC608A-TNGLORA Not Recommended for new designs Consider: ATECC608B-TNGLORA $0.88 ECC P256 (ECDH and ECDSA), SHA256, AES-GCM 16 256 10.5Kb Pre-provisioned FIPS 72 bit serial number Single-wire; I2C -40 0 1 2 5.5 Yes 0.04 Please call for package information
ATECC608A-TNGTLS Not Recommended for new designs Consider: ATECC608B-TNGTLS $0.75 ECC P256 (ECDH and ECDSA), SHA256, AES-GCM 16 256 10.5Kb Pre-provisioned FIPS 72 bit serial number Single-wire; I2C -40 85 1 2 5.5 Yes 0.04 8/UDFN, 8/SOIC

Tools and Software