
Start with the Most Popular Pre-Configured Use Cases and Use Your Own Credentials


When it comes to IoT security, authentication is one of the foundational concepts to implement first in your design. The trust between the device identity and the cloud platform relies on a chain of trust. Microsoft Azure supports custom certificate-based authentication, but the trust in the device identity will depend entirely on how well the device private key is protected. Because of this, you will need answers to a few challenging questions:

  • Is the private key securely stored in the device?
  • How will you securely ship the private key around the globe for a variety of projects and system sizes?
  • How can you ensure secure manufacturing?
  • Have you considered securing all your authentication use cases?

These challenges can be addressed by using the TrustFLEX ATECC608B-TFLXTLS from the Trust Platform family. In addition to offering pre-configured use cases, this solution allows you to use the certificate authority of your choice.

Benefits of Using the TrustFLEX ATECC608B with Microsoft Azure IoT Hub


  • Create secure authentication to IoT devices powered by Microsoft Azure IoT Hub
  • Most popular use cases already pre-configured
  • Provide a unique, trusted, protected and managed device identity
  • Use your own certificate authority
  • Leverage Microchip’s secure provisioning service
  • Simplify logistics of shipping private keys and reduce manufacturing costs
  • Microcontroller-agnostic implementation
  • JIL rated “high” secure key storage
  • Anti-tampering and side-channel attack protection

TrustFLEX ATECC608B-TFLXTLS Pre-Configured Use Cases:


Each of the device slots is pre-configured to offer one of the following use cases:

  • Custom Certificate Authentication: Use the default generic certificates for thumbprint authentication already inside the TrustFLEX device or overwrite them with your own certificates.
  • Token Authentication: Leverage a private key to perform an Elliptic Curve Digital Signature Algorithm (ECDSA) sign operation on a token that will be verified by its corresponding public key somewhere else in the network.
  • Secure Boot (with key attestation): Perform an ECDSA verification at boot using a public key corresponding to a private key used to sign the code which the system will boot from. The public key becomes highly sensitive as it will allow a system to boot.
  • Over the Air (OTA) Verification: Perform an ECDSA verification after an update using a public key corresponding to a private key used to sign the code the system will be updated with. The public key becomes highly sensitive as it will allow a system to be updated with a new code that needs to be trusted.
  • Firmware Intellectual Property (IP) Protection: Perform a verification during system runtime using a key corresponding to the one used to sign the code the system runs. The verification key becomes highly sensitive, as it determines whether the system will run on a genuine code image.
  • Message Encryption: Provides the capability to encrypt very small packets of data using the integrated hardware Advanced Encryption Standard (AES) engine.
  • Key Rotation: Provides the capability to rotate private keys within the secure boundaries of the secure element.
  • I/O Protection Key: Provides the capability to uniquely pair the MCU and the secure element.
  • Host Accessory Authentication: Provides the capability to create an ecosystem control strategy by having a main host authenticate its peripherals using a basic PKI architecture.
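The Token Authentication, Secure Boot and OTA Verification use cases above all rest on the same split: an ECDSA signature is produced by whoever holds the private key, and checked by a party that holds only the public key. The following pure-Python P-256/SHA-256 implementation is an added illustration of that split; it is not Microchip code and does not use the ATECC608B or its CryptoAuthLib API. Where the secure element would keep the private key inside a slot and return only the signature, this example keeps the key in a software integer purely so the flow can be run and inspected. The token, firmware image and key pair are constructed for the example.

```python
"""Added example: ECDSA over NIST P-256 with SHA-256, in plain Python.

Constructed illustration of the sign/verify roles behind token
authentication and secure boot. Not Microchip code: in a TrustFLEX
device the private scalar never leaves its slot. Needs Python 3.8+
for pow(x, -1, m).
"""
import hashlib
import secrets

# NIST P-256 domain parameters (FIPS 186-4 / SEC 2, curve secp256r1).
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)


def is_on_curve(pt):
    """True for the point at infinity (None) or a point with y^2 = x^3 + Ax + B."""
    if pt is None:
        return True
    x, y = pt
    return (y * y - (x * x * x + A * x + B)) % P == 0


def point_add(p1, p2):
    """Affine point addition on P-256; None stands for the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None                                    # p1 == -p2
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P   # tangent (doubling)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P          # chord (addition)
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def scalar_mult(k, pt):
    """Double-and-add k*pt. Not constant-time: illustration only, not a hardware replacement."""
    result = None
    while k > 0:
        if k & 1:
            result = point_add(result, pt)
        pt = point_add(pt, pt)
        k >>= 1
    return result


def hash_to_int(message):
    # SHA-256 is 256 bits wide, the same as N, so no truncation step is needed.
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def generate_keypair():
    """Private scalar d in [1, N-1] and public point Q = d*G (constructed, software-held)."""
    d = secrets.randbelow(N - 1) + 1
    return d, scalar_mult(d, G)


def sign(private_key, message):
    """Signer role (the device in token authentication, the build server for firmware)."""
    z = hash_to_int(message)
    while True:
        k = secrets.randbelow(N - 1) + 1        # fresh nonce per signature; reuse leaks d
        r = scalar_mult(k, G)[0] % N
        if r == 0:
            continue
        s = pow(k, -1, N) * (z + r * private_key) % N
        if s == 0:
            continue
        return (r, s)


def verify(public_key, message, signature):
    """Verifier role (cloud service or bootloader), holding only the public key."""
    r, s = signature
    if not (1 <= r < N and 1 <= s < N):
        return False
    if public_key is None or not is_on_curve(public_key):
        return False
    w = pow(s, -1, N)
    u1, u2 = hash_to_int(message) * w % N, r * w % N
    pt = point_add(scalar_mult(u1, G), scalar_mult(u2, public_key))
    return pt is not None and pt[0] % N == r


def secure_boot_check(verify_key, image, signature):
    """Boot-time decision: only a correctly signed image is allowed to run."""
    return "boot" if verify(verify_key, image, signature) else "halt"


if __name__ == "__main__":
    d, q = generate_keypair()
    token = b"constructed-server-challenge-0001"
    print("token verifies:", verify(q, token, sign(d, token)))
    fw, sig = b"constructed-firmware-image", sign(d, b"constructed-firmware-image")
    print("genuine image:", secure_boot_check(q, fw, sig))
    print("modified image:", secure_boot_check(q, fw + b"x", sig))
```

The last function is the point the use-case list makes about the public key being "highly sensitive": nothing in the check is secret, so whoever can overwrite the verifying key in the bootloader can make any image pass. Keeping that key in a locked secure-element slot, as the Secure Boot use case does, is what makes the decision trustworthy.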

Visit the ATECC608B-TFLXTLS product page to learn more about the device’s features.

Ready to Get Started with TrustFLEX and Microsoft Azure IoT Hub?


Just follow these steps:

Step 1: Download the data sheet.

Step 2: Use the Microsoft code example located inside the Trust Platform Design Suite, available for Windows® and macOS® operating systems, to prototype your secure element. (Coming soon: code example for the ATECC608B-TFLXTLS)

Step 3: Buy the Trust Platform hardware featuring an Arm® Cortex®-M0+ based SAM D21 MCU and our WINC1500 Wi-Fi® IoT network controller.

Step 4: Once the C code for the secure element is working in your embedded application, you are ready to move on to production. Use our Secret Exchange package to obtain your provisioned validation devices from our Hardware Security Module (HSM) equipped factories. The Secret Exchange package includes a TrustFLEX configurator and an encryption utility. Open a Microchip support ticket to upload your TrustFLEX encrypted secret package exchange and request “Provisioning for TrustFLEX.”

After you have completed the provisioning process with the TrustFLEX platform, you will receive your securely provisioned devices from Microchip delivered directly to your destination of choice.

Trust Platform Devices


Product | Provisioning | Algorithm Type | Density | Interface Type | Temp (°C)
ATECC608B-TCSM | TrustCUSTOM | ECC-P256 (ECDH and ECDSA), SHA256, AES128-GCM | 10.5 Kb | Single-wire; I2C | -40 to 85
ATECC608B-TFLXTLS | TrustFLEX | ECC-P256 (ECDH and ECDSA), SHA256, AES-GCM | 10.5 Kb | Single-wire; I2C | -40 to 85
ATECC608B-TNGTLS | Trust&GO | ECC-P256 (ECDH and ECDSA), SHA256, AES128-GCM | 10.5 Kb | Single-wire; I2C | -40 to 85
ATSHA204A-TCSM | TrustCUSTOM | SHA256 | 4.5 Kb | Single-wire; I2C | -40 to 85

Development Tools


Development Tool | Description
Trust Platform Design Suite | Install the Trust Platform Design Suite software package to get started with any of the Trust&GO or TrustFLEX secure elements available with our Trust Platform. Our tutorial will guide you through the installation of the tools that will simplify your development from prototyping to production and accelerate your time to market.
CryptoAuth Trust Platform Development Kit (DM320118) | This USB-based development kit includes a SAM D21 MCU, debugger, mikroBUS™ socket and on-board ATECC608B secure element with Trust&GO, TrustFLEX and TrustCUSTOM options.
ATECC608B Trust Platform Kit (DT100104) | For use as an add-on board to the CryptoAuth Trust Platform Development Kit (DM320118), this kit provides a mikroBUS footprint for adding soldered-down versions of Trust&GO, TrustFLEX or TrustCUSTOM secure elements.
CryptoAuthentication™ SOIC Socket Kit (AT88CKSCKTSOIC-XPRO) | This board provides an SOIC8 socket to accommodate an ATECC608B or ATSHA204A secure element and an Xplained Pro (XPro) interface to develop solutions using the microcontrollers featured on our Xplained Pro boards.
CryptoAuthentication UDFN Socket Kit (AT88CKSCKTUDFN-XPRO) | This board provides a uDFN8 socket to accommodate an ATECC608B or ATSHA204A secure element and an Xplained Pro (XPro) interface to develop solutions using the microcontrollers featured on our Xplained Pro boards.
Secure UDFN click | This Click board™ from MikroElektronika provides a uDFN8 socket to accommodate an ATECC608B or ATSHA204A secure element and operate it on the CryptoAuth Trust Platform Development Kit (DM320118).
WiFi 7 click | This Click board™ from MikroElektronika includes an ATWINC1500 Wi-Fi® module which can be used to add TCP/IP and TLS links to the CryptoAuth Trust Platform Development Kit (DM320118).
Shuttle click | This Click board™ from MikroElektronika provides an easy and elegant solution for stacking up to four Click boards on a single mikroBUS™ socket.
mikroBUS Shuttle | This small add-on board is intended to be used with Shuttle click to expand the mikroBUS™ socket with additional stacking options. One Shuttle click can support up to four mikroBUS Shuttles, allowing a simple and elegant stacking solution for the Click board™ line of products.

Definitions


Credentials: Identity verification tools or methods that include X.509 certificates, generic certificates for thumbprint authentication, keys and data packets

Customization: The action of creating a unique device/system through its configuration and set of secrets

Firmware Verification: When a key and cryptographic operation are used to verify a signed image on a device at boot up or during run time

IP Protection: When a key and a cryptographic operation are used to verify signed (or hashed) firmware that is considered Intellectual Property (IP) of a product

Key(s): A set of binary numbers that is used to trigger a cryptographic algorithm that implements asymmetric or symmetric encryption

Over-the-Air (OTA) Verification: When a key and a cryptographic operation are used to verify a signed image that has been loaded into a connected device by a push notification from a cloud service

PKI: Public Key Infrastructure

Provisioning: The action of generating a credential into an embedded storage area

Thumbprint Certificate: An X.509 certificate not issued by a certificate authority that is used for authentication to the cloud

FAQs


General Questions:

Q: How can I get started with the Trust Platform?
A: Use the “Let Us Guide You to the Right Option” on the Trust Platform page, which will help you take the first step. You will find additional information about getting started with Trust&GO, TrustFLEX and TrustCUSTOM on their pages.

Q: I am a distribution partner. How do I enroll in the Trust Platform program?
A: Contact your local Microchip sales office to request assistance with joining the program.

Trust&GO Questions:

Q: Do I need to contact Microchip to provision my Trust&GO secure element?

A: No. When you buy the device, it is already provisioned with keys and certificates specific to the use case you have selected that are locked inside the device. Trust&GO cannot be altered and is intended to be used as is.

Q: Where can I obtain the public keys and certificates for my Trust&GO device?
A: Log into your customer account at the ecommerce website where you purchased the device after device shipment, and you should be able to download a manifest file containing all the necessary public keys and certificates. Contact the vendor if you have any trouble finding this file.

TrustFLEX Questions:

Q: Do I need to contact Microchip to provision my TrustFLEX secure elements?
A: Yes. When you buy the device, it comes pre-configured with your selected use case(s). By default, the TrustFLEX device also comes with keys and generic certificates for thumbprint authentication that are overwritable internally if you have not already locked them using the lock bit. While the configuration cannot be altered, the default credentials can be changed if you have not already locked them. If you decide to use the default credentials, you will have to lock them after receiving the device. If you don’t want to use the default credentials, you can replace them with yours and then lock them. After you have made your decision, create the secret packet exchange, encrypt it and upload it into a support ticket on Microchip’s technical support portal. We will provision your devices and ship them according to your instructions.

Q: Where can I obtain the public keys and certificates for my TrustFLEX device when I use the default credentials?
A: Log into your customer account at the ecommerce website where you purchased the device after device shipment, and you should be able to download a manifest file containing all the necessary public keys and certificates. Contact the vendor if you have any trouble finding this file. WARNING: If you have overwritten the default credentials in your device, the manifest file will no longer be compatible with the device’s new credentials.

TrustCUSTOM Questions:

Q: Do I need to contact Microchip to provision my TrustCUSTOM secure element?
A: Yes. When you buy the device, it will be blank. You will need to use the TrustCUSTOM configurator, which is available under Non-Disclosure Agreement (NDA), to define the configuration, create the secret packet exchange, encrypt it and upload it into a support ticket on Microchip’s technical support portal. We will provision your devices and ship them according to your instructions.

Q: Where can I obtain the secret packet exchange for my TrustCUSTOM device?
A: This utility is only available through a Non-Disclosure Agreement (NDA). Contact your local Microchip sales office or distributor to request it.

Q: Where can I get the full data sheet for my TrustCUSTOM device?
A: This document is only available through a Non-Disclosure Agreement (NDA). Contact your local Microchip sales office or distributor to request it.

Training

Title | Description
Asymmetric Authentication Use Case Example | The purpose of authentication is to prevent cloning and counterfeiting and to ensure that an object is genuine and authorized to connect to a product. In this use case example, find out how to authenticate an object, such as an accessory, peripheral, battery or cartridge, that is typically removable and replaceable by the consumer.
Secure Firmware Download Use Case Example | In this use case example, you will see a demonstration of the authentication of a firmware update. The example uses asymmetric cryptography to establish a chain of trust to validate the update.
Symmetric Authentication Use Case Example | The purpose of authentication is to prevent cloning and counterfeiting and to ensure that an object is genuine and authorized to connect to a product. In this use case example, find out how to authenticate an object, such as an accessory, peripheral, battery or cartridge, that is typically removable and replaceable by the consumer.
Symmetric Authentication with a Non-Secure MCU Use Case Example | In this use case example, you will learn how to authenticate an object using one-way symmetric authentication, which avoids the need for an Internet connection and a whitelist (or blacklist). A whitelist is a lookup table for identifying approved units and a blacklist is a lookup table for identifying non-approved units.

Cryptography Primer (Part 1): Why Security Today?

During this tutorial about embedded security, Microchip discusses why security is an important consideration.

Cryptography Primer (Part 2): Authenticity, Integrity and Confidentiality

During this tutorial about embedded security, Microchip discusses the three key pillars of security: authentication, integrity and confidentiality.

Cryptography Primer (Part 3): Hashing, Secret Key and Symmetric Cryptography

In this video, learn about the basics of embedded security and how and when to use hashing.

Cryptography Primer (Part 4): Public Key and Asymmetric Authentication

During this tutorial about embedded security, Microchip discusses the concepts of asymmetric cryptography, illustrates how authentication can be implemented and highlights the importance of protecting private keys in hardware secure key storage.

Cryptography Primer (Part 5): Chain of Trust

In this cryptography primer tutorial, Microchip discusses how to implement robust authentication between a host and a client using Public Key Infrastructure (PKI).

Secure Boot for Small Microcontrollers

Learn how to implement a secure boot architecture on very small microcontrollers using the ATECC608B secure element. Keys are protected from users, factory operators and equipment as well as software.

Secure Boot with ATECC608B

Learn how to architect a secure boot with Microchip's ATECC608B secure element. This solution implements strong security by verifying the signed boot image of a small microcontroller with an immutable public key kept in the secure element.

Secure Download Firmware Update (DFU)

Learn how to implement a secure, Over-the-Air (OTA) firmware update with a traditional microcontroller using a Microchip secure element such as the ATECC608B. This simple-to-use, cost-efficient and robust security implementation protects the key by verifying the signed code comes from a legitimate source. The key remains protected by leveraging the ATECC608B secure element. Both asymmetric and symmetric architectures are covered in the video.

Partners


Partner | Location | Contact
Cerberus | Bristol BS34 8RB, United Kingdom | info@cerb-labs.com
Crosshill | Tampere, Finland | jouni.hautamaki@crosshill.fi
Golden Bits | San Diego, CA, USA | Dean Gereaux, deang@goldenbits.com
Occam Technology Group | Tampa, FL, USA | info@occamtechgroup.com
OptimalDesign | Chicago, IL, USA | info@optimaldesignco.com
Panna | BSD City, Indonesia | Edy Gunawan, edy@mailc.net
 | Munich, Germany | sales@sematicon.com