Single-chip end-to-end security for IoT devices connected to the Amazon cloud

August 18, 2016

Max The Magnificent

The Internet of Things (IoT) has the potential to change the world, but only if it's secure. Securing the IoT is currently one of the greatest challenges for the creators of IoT devices and the providers of cloud services.

In order for an IoT device to be trusted, its creators need the ability to secure the identity of the device throughout the entire manufacturing chain. Meanwhile, cloud service providers need to know that they can trust connecting IoT devices in order to control security risks and uphold business models.


Amazon is one of the major cloud players with its Amazon Web Services (AWS). The folks at Amazon have stepped up to the plate by adopting a mutual authentication security model that requires a unique identifier (digital certificate) for every device that connects into the cloud. This includes an industry first: the Just in Time Registration (JITR) process for registering device certificates.

As you can imagine, creating trustworthy unique device certificates presents the creators of IoT devices with a number of challenges, including the following:

  • How to securely generate the unique keys needed to create device certificates.
  • How to protect the confidentiality of the keys throughout the manufacturing chain.
  • How to onboard the devices to cloud services.
  • How to continually protect the keys -- and therefore the identity of the devices -- after onboarding.

Until now, existing solutions to this problem share attributes that result in significant logistic costs, including the following:

  • Having to install expensive hardware security modules (HSMs) at factories for key generation.
  • Having to install or lease secure rooms at factories.
  • Having to perform periodic factory security audits.
  • Having to use convoluted time-boxed protocols to onboard the devices to cloud services.
  • Lacking measures to protect the identities of devices in the field.

In order to address this problem, the folks at Amazon have teamed with the guys and gals at Microchip to create a seamless solution in the form of the ECC508A crypto-companion chip, which is presented in a variety of packaging options.


A typical IoT device consists of a small (often 8-bit) microcontroller and is battery powered. Such a device is typically constrained in resources: the central processing unit (CPU) performance needed to provide the required low-latency responsiveness, memory, and code space for security protocols. The system is also constrained by how much power the security protocols can consume, because battery life has to be preserved.

The ECC508 device boasts low-power, processor-agnostic cryptographic acceleration for compatibility with the widest range of resource-constrained IoT devices. Using a physically unclonable function (PUF), the ECC508A features internal generation of unique unreadable private crypto keys, which streamlines production by removing the need for HSMs, secure rooms, and factory audits along with the need to trust custodians in the manufacturing chain. Pre-configuration with AWS IoT server requirements eliminates complicated setup and facilitates the hassle-free automatic registration and onboarding of IoT devices.

Of particular interest is the fact that the ECC508A provides lifelong tamper-resistant protection for keys, AWS IoT, and custom security policies. The strong multi-level hardware security includes a shield covering the memory and the logic, all the memories being internally encrypted, a high-quality random-number generator, internal clock generation, an isolated power rail and protection against voltage tampering, and secure test methods with no JTAG, test pads, or debug probe points. The ECC508A has been designed from the ground up to defend against microprobe attacks, timing attacks, emissions analysis attacks, fault and invalid command attacks, and power-cycling and clock-glitch-based attacks.

The AWS-ECC508 is currently presented in UDFN and SOIC packages and is available today for sampling, with volume production starting at $0.60 each in 10,000 unit quantities.
