When it comes to IoT security, authentication is one of the foundational concepts that should be implemented first in your design. The trust between the device identity and the cloud platform relies on a chain of trust. AWS IoT Core supports generic certificate-based authentication, but the trust in the device identity will depend entirely on how well the device’s private key is protected. If the private key is spoofed, the device can be impersonated by an unauthorized user who can then control the device’s transactions. However, adding authentication presents you with several challenges: securely storing the private key in the device, shipping the private key across the globe for any project and system size, creating a possibly cost-prohibitive chain of trust and ensuring a secure manufacturing flow. These challenges can be addressed by using the Trust&GO ATECC608B-TNGTLS secure element from our Trust Platform family of solutions on AWS IoT Core.
Defining a secure authentication model without expertise can be a daunting task. Finding and implementing a certificate authority provider to securely provision keys increases the cost and complexity of your project. The Trust&GO ATECC608B-TNGTLS comes pre-configured and pre-provisioned with a generic certificate for thumbprint authentication and key to significantly reduce costs and simplify your development. On the cloud side, the AWS IoT Core architecture offers you a simple Application Programming Interface (API) to implement generic certificate-based authentication called Multi-Account Registration. Since the implementation relies only on a single certificate layer, the controller code is extremely streamlined. A signature is issued using the private key in the secure element based on a challenge issued from the cloud. The controller uses the CryptoAuthLib™ library APIs to trigger the signature that will be verified by the generic certificate. The corresponding generic certificate is provided in a manifest file downloadable from our online store after the devices have shipped.
At the device level, our ATECC608B-TNGTLS provides a JIL “high” rated secure key storage to isolate keys in the nodes. This is especially valuable in TLS networks that are based on a certificate security model and leverage a wide variety of traditional low-power microcontrollers (MCUs).
Product | Provisioning | Algorithm Type | Density | Interface Type | Temp (C) |
---|---|---|---|---|---|
ATECC608B-TCSM | TrustCUSTOM | ECC-P256 (ECDH and ECDSA), SHA256, AES128-GCM | 10.5Kb | Single-wire; I2C | -40 to 85 |
ATECC608B-TFLXTLS | TrustFLEX | ECC P256 (ECDH and ECDSA), SHA256, AES-GCM | 10.5Kb | Single-wire; I2C | -40 to 85 |
ATECC608B-TNGTLS | Trust&GO | ECC-P256 (ECDH and ECDSA), SHA256, AES128-GCM | 10.5Kb | Single-wire; I2C | -40 to 85 |
ATSHA204A-TCSM | TrustCUSTOM | SHA256 | 4.5Kb | Single-wire; I2C | -40 to 85 |
Credentials: Identity verification tools or methods that include X.509 certificates, generic certificates for thumbprint authentication, keys and data packets
Customization: The action of creating a unique device/system through its configuration and set of secrets
Firmware Verification: When a key and cryptographic operation are used to verify a signed image on a device at boot up or during run time
IP Protection: When a key and a cryptographic operation are used to verify signed (or hashed) firmware that is considered Intellectual Property (IP) of a product
Key(s): A set of binary numbers that is used to trigger a cryptographic algorithm that implements asymmetric or symmetric encryption
Over-the-Air (OTA) Verification: When a key and a cryptographic operation are used to verify a signed image that has been loaded into a connected device by a push notification from a cloud service
PKI: Public Key Infrastructure
Provisioning: The action of generating a credential into an embedded storage area
Thumbprint Certificate: An X.509 certificate not issued by a certificate authority that is used for authentication to the cloud
Q: How can I get started with the Trust Platform?
A: Use the “Let Us Guide You to the Right Option” on the Trust Platform page, which will help you take the first step. You will find additional information about getting started with Trust&GO, TrustFLEX and TrustCUSTOM on their pages.
Q: I am a distribution partner. How do I enroll in the Trust Platform program?
A: Contact your local Microchip sales office to request assistance with joining the program.
Q: Do I need to contact Microchip to provision my Trust&GO secure element?
A: No. When you buy the device, it is already provisioned with keys and certificates specific to the use case you have selected that are locked inside the device. Trust&GO cannot be altered and is intended to be used as is.
Q: Where can I obtain the public keys and certificates for my Trust&GO device?
A: Log into your customer account at the ecommerce website where you purchased the device after device shipment, and you should be able to download a manifest file containing all the necessary public keys and certificates. Contact the vendor if you have any trouble finding this file.
Q: Do I need to contact Microchip to provision my TrustFLEX secure elements?
A: Yes. When you buy the device, it comes pre-configured with your selected use case(s). By default, the TrustFLEX device also come with keys and generic certificates for thumbprint authentication that are overwritable internally if you have not already locked them using the lock bit. While the configuration cannot be altered, the default credentials can be changed if you have not already locked them. If you decide to use the default credentials, you will have to lock them after receiving the device. If you don’t want to use the default credentials, you can replace them with yours and then lock them. After you have made your decision, create the secret packet exchange, encrypt it and upload it into a support ticket on Microchip’s technical support portal. We will provision your devices and ship them according to your instructions.
Q: Where can I obtain the public keys and certificates for my TrustFLEX device when I use the default credentials?
A: Log into your customer account at the ecommerce website where you purchased the device after device shipment, and you should be able to download a manifest file containing all the necessary public keys and certificates. Contact the vendor if you have any trouble finding this file. WARNING: If you have overwritten the default credentials in your device, the manifest file will no longer be compatible with the device’s new credentials.
Q: Do I need to contact Microchip to provision my TrustCUSTOM secure element?
A: Yes. When you buy the device, it will be blank. You will need to use the TrustCUSTOM configurator, which is available under Non-Disclosure Agreement (NDA) to define the configuration, create the secret packet exchange, encrypt it and upload it into a support ticket on Microchip’s technical support portal. We will provision your devices and ship them according to your instructions.
Q: Where can I obtain the secret packet exchange for my TrustCUSTOM device?
A: This utility is only available through a Non-Disclosure Agreement (NDA). Contact your local Microchip sales office or distributor to request it.
Q: Where can I get the full data sheet for my TrustCUSTOM device?
A: This document is only available through a Non-Discloser Agreement (NDA). Contact your local Microchip sales office or distributor to request it.
Microchip explains how hardware root of trust works using the ATECC608B secure element and AWS IoT. The Just In Time Registration and Use Your Own certificates functions from AWS IoT allow large-scale authentication of automated systems, while maintaining security by protecting private keys from users, software and manufacturing backdoors.
In this session from AWS re:Invent 2016, AWS explains the value of Just in Time Registration (JITR) and Bring you Own Certificate (BYOC) using an ATECC508A secure element.
In this session from AWS re:Invent 2016, an AWS IoT product manager discusses why protecting a devices identity is important and how it can be implemented using the ATECC508A secure element with the AWS IoT service.
The threat model for IoT devices is very different from the threat model for cloud applications. During this session at AWS re:Invent, we discussed how all IoT solutions must incorporate end-to-end security from the start, how to mitigate threats and how to avoid common pitfalls. You will also learn about the steps to take in the manufacturing process, how to provision and authenticate devices in the field and how to comply with IT requirements during the maintenance phase of the product lifecycle.