We detect you are using an unsupported browser. For the best experience, please visit the site using Chrome, Firefox, Safari, or Edge. X
microchip-search-icon microchip-user-icon microchip-cart-icon

Search products, tools, resources and more!

Start typing your search term, your results will display here.

Trusted and Secure Authentication with ATECC608A for Google Cloud IoT Core

Why Would You Harden Your IoT Security with the ATECC608A for Google Cloud IoT Core?

This solution is archived and will no longer be updated. We recommend that you use the Trust&GO ATECC608B-TNGTLS for Google IoT Core instead.

Securing communication with a Cloud service and manipulating keys comes with many challenges: storing and using keys in the microcontroller exposes them, operating systems and software have bugs (the Heartbleed bug for OpenSSL was notable by easily exposing keys). Consequently, governments and corporations across the globe are working to protect individual identities and privacy. Strong authentication is the start of robust security. This leads Cloud providers to push towards hardware-based security to obtain strong device identity protection, prevent identity spoofing, but also to protect against unauthorized firmware updates and prevent proliferation.

An easy way to hack an IoT device today is to physically attack the embedded system and spoof the private key, which is likely located in the clear of a microcontroller memory. But hacking a single device or transaction is typically not of value to an attacker. Hackers are looking for weaknesses that will enable them to exploit a large number of connected devices. Once the keys are spoofed, the devices are accessed, a scalable remote attack can be launched leveraging the corrupted IoT devices as entry points.

Buy the Google IoT Core Hardware

Google Webinar on Security with the ATECC608a and Cloud IoT Core

Check out how to improve IoT security by securing the authentication between Google Cloud IoT core and IoT devices using a secure element (ATECC608A) from Microchip.

Watch Video

Cloud IoT Core Authentication Use Case

Hardware-Based Root of Trust for Google Cloud IoT Core

Simple to implement, flexible and agnostic.

In this use case, we illustrate how the ATECC608A combined with Google Cloud IoT Core from Google Cloud Platform enables secure authentication. The philosophy with secure elements in IoT is to provide a unique, trusted and protected identity. To achieve the objective, the identity provisioned to the hardware must be genuine and the cloud platform needs to be able to trust it. Consequently, a chain of trust must be created. 

Google IoT Core ATECC608A

First a word on Google Cloud IoT Core. Cloud IoT Core uses Cloud Pub/Sub underneath that can aggregate dispersed device data into a single global system that integrates seamlessly with Google Cloud data analytics services.

The links in the "Getting started" tab explain how to provision the ATECC608A with Python based provisioning scripts as well as how to setup the Google Cloud IoT Core account and policies.

The advantages of such implementation are:

  • The hardware is completely agnostic of the source of the TLS stack due to the usage of the JWT token
  • The usage of CryptoAuthLib library enables an agnostic choice of microcontroller
  • The code size for the JWT implementation is very light (less than 10kb) and enable secure authentication on small microcontrollers when relying on the ATWINC1500 or ATWINC3400 TLS; here, the SAMD21 Arm® Cortex®-M0+ based MCU is used

20 Years of Experience in Secure Provisioning

Microchip is here the all way through.

Trust cannot rely only on the device but also on the manufacturing process. Exploiting third party weaknesses is one of the top targets for hackers. Isolating keys and secrets from manufacturing is equally vital. Customers can leave this burden to Microchip's secure factories and leverage our trusted provisioning service already used by thousands of companies. It's zero touch, the private keys are never exposed.

In a mass production environment, a secret exchange between Microchip customer and our secure provisioning service occurs. The device certificates (last leaf) are provisioned in our secure factories using HSM (Hardware Secure Module) networks in the ATECC608A. The secure element uses the device certificate and the RNG (Random Number Generator) to generate the private key inside the device, inside the factory. The private keys are never exposed to user, manufacturing or software. 

Prototype

  • Educate yourself about the Google Cloud IoT Core Security model for light embedded systems
  • Understand why private key isolation is vital to your design
  • Learn how CryptoAuthLib manipulates the JWT token
  • Learn how to configure the memory zone and set your expected policies
  • Learn the basics of provisioning a secure element

Personalize

  • Memory configuration is defined and locked
  • Your Certificate Authority is decided
  • Google Cloud IoT Core production account is configured with Google Cloud Platform
  • Secret exchange with Microchip completed
  • The ATECC608A is set up with your customized part number

Mass Production

  • All the provisioning—keys/certificates generation and manipulation—is done within Microchip's secure factories
  • Keys are internally generated and never exposed to the outside world; it’s zero touch
  • Elimination of any software or manufacturing backdoors
  • The device ships pre-provisioned with the secrets

Google IoT Authentication Products

View All Parametrics
Product Status 5K Pricing Algorithm Type Zones Key Size Density Configuration RNG Unique ID Interface Type TempNo Range Min (deg C) TempNo Range Max (deg C) Operating Current Typical (mA) Operating Voltage Min (Vcc) Operating Voltage Max (Vcc) Secure Provisioning Service Standby Typical (uA) Packages
ATECC608A Not Recommended for new designs Consider: ATECC608B $0.50 ECC P256 (ECDH and ECDSA), SHA256, AES-GCM 16 256 10.5Kb Standard FIPS 72 bit serial number Single-wire; I2C -40 85 1 2 5.5 Yes 0.04 8/UDFN, 8/SOIC
ATECC608A-TCSM Not Recommended for new designs Consider: ATECC608B-TCSM $0.84 ECC P256 (ECDH and ECDSA), SHA256, AES-GCM 16 256 10.5Kb Standard FIPS 72 bit serial number Single-wire; I2C -40 85 1 2 5.5 Yes 0.04 8/UDFN, 8/SOIC
ATECC608A-TFLXLORA Not Recommended for new designs Consider: ATECC608B-TNGLORA Call for pricing ECC P256 (ECDH and ECDSA), SHA256, AES-GCM 16 256 10.5Kb Pre-configured FIPS 72 bit serial number Single-wire; I2C -40 85 1 2 5.5 Yes 0.04 Please call for package information
ATECC608A-TFLXTLS Not Recommended for new designs Consider: ATECC608B-TFLXTLS $0.79 ECC P256 (ECDH and ECDSA), SHA256, AES-GCM 16 256 10.5Kb Pre-configured FIPS 72 bit serial number Single-wire; I2C -40 0 1 2 5.5 Yes 0.04 8/UDFN, 8/SOIC
ATECC608A-TNGACT Not Recommended for new designs Consider: ATECC608B-TNGACT $0.88 ECC P256 (ECDH and ECDSA), SHA256, AES-GCM 16 256 10.5Kb Pre-provisioned FIPS 72 bit serial number Single-wire; I2C -40 85 1 2 5.5 Yes 0.04 Please call for package information
ATECC608A-TNGLORA Not Recommended for new designs Consider: ATECC608B-TNGLORA $0.88 ECC P256 (ECDH and ECDSA), SHA256, AES-GCM 16 256 10.5Kb Pre-provisioned FIPS 72 bit serial number Single-wire; I2C -40 0 1 2 5.5 Yes 0.04 Please call for package information
ATECC608A-TNGTLS Not Recommended for new designs Consider: ATECC608B-TNGTLS $0.75 ECC P256 (ECDH and ECDSA), SHA256, AES-GCM 16 256 10.5Kb Pre-provisioned FIPS 72 bit serial number Single-wire; I2C -40 85 1 2 5.5 Yes 0.04 8/UDFN, 8/SOIC

Tools and Software

Getting Started

Legal |

© Copyright 1998- Microchip Technology Inc. All rights reserved.

This website uses cookies for analytics, personalization, and other purposes. Click to learn more. By continuing to browse, you agree to our use of cookies as described in our Cookies Statement.
Accept Cookies