Security in the Cloud
Microchip Collaborates with Amazon Web Services to Facilitate Mutually Authenticated IoT Connections with Cloud Servers
Securing the Internet of Things (IoT) is fraught with complex design challenges. After safeguarding the data inside an IoT gateway or node, the next frontier for system designers is securing device communication with cloud servers. Recognizing this important requirement, Microchip has recently collaborated with Amazon Web Services (AWS)—the world’s largest cloud services provider—to develop an end-to-end security solution for devices that connect to AWS IoT. This convergence of Microchip’s embedded networking technology and the AWS cloud helps pave the pathway for implementing security and cryptography during the early stages of an IoT product’s development. It adds a high level of security, simplifies the supply chain, and is now one of the fastest and easiest ways to connect your design to AWS IoT.
In order to comply with AWS IoT’s mutual authentication security model, an IoT device manufacturer must preregister their security authority to establish a trust model. Next, they must generate unique cryptographic keys that are mathematically linked to the preregistered security authority to establish a trust model. Finally, these cryptographic keys have to remain secret for the entire life cycle of a device. This process ensures a high degree of security, but can introduce or increase complexities in the manufacturer’s supply chain, especially when third parties offer different trust and compliance levels.
Enter the Security Co-Processor
Microchip’s IC solution for securely connecting to AWS IoT is the ATECC508A security co-processor, a small (3 × 2 mm) device that comes preloaded with cryptographic codes and unique keys to ensure that data is safely transmitted from an IoT device to the cloud. It uses Elliptic Curve Cryptography (ECC) technology to create secure hardware-based key storage and ensures mutual authentication with the use of Elliptic Curve Digital Signature Algorithm (ECDSA) techniques and key agreement with Elliptic Curve Diffie-Hellman (ECDH) technology. It is well suited for use in IoT devices designed to serve the home automation, industrial networking, medical and other markets.
The ATECC508A safeguards private keys, certificates and other sensitive security data to ensure authentication and protection against threats such as physical tampering, cloning and backdoor attacks. It is also equipped with hardware cryptographic acceleration to carry out strong authentication, which offloads cryptographic code and math from the central processor of an IoT node. This is a vital factor, as most IoT devices consist of a small, 8-bit microcontroller (MCU) and are battery powered. Therefore, they lack the processing and memory resources to meet the security demands of their cost-constrained designs. The ATECC508A saves precious CPU cycles that would otherwise be required to accelerate the authentication of applications and firmware. This is a significant reason why security solutions that are built on top of a microprocessor (MPU) or MCU haven’t seen much success in the IoT market. Their compute-intensive authentication slows down the overall device performance.
The low-cost ATECC508A security co-processor also simplifies mutual authentication with cloud ecosystems like AWS IoT by eliminating the complexity associated with software-centric security implementations. Dispelling the perception that hardware-based security solutions increase BOM costs—a notion that generally drives IoT developers toward less secure software-based solutions—the ATECC508A delivers significant cost savings by simplifying supply chain logistics.
How it Works
AWS and the ATECC508 device naturally complement each other with comprehensive mutual authentication security capabilities. The device has strong resistance against environmental and physical tampering including countermeasures against expert intrusion attempts. In addition, the device features a high-quality random number generator, the internal generation of secure unique keys and the ability to seamlessly accommodate various production flows in the most cost-effective manner.
The ATECC508A is simply soldered onto the board and then connected to the host MPU or MCU over I2C. The host MPU or MCU runs an AWS Software Development Kit (SDK) to ensure that the ATECC508A—and the private keys and certificates that come with it—is automatically recognized by AWS IoT. This also allows IoT node-to-cloud environments to be deployed even at smaller scales. To ease your design phase, Microchip provides the Zero Touch Secure Provisioning Kit for AWS IoT (AT88CKECC-AWS-XSTK) that allows you to seamlessly connect to the AWS platform while complying with AWS IoT’s mutual authentication security model.
Next, during your prototyping and preproduction phase, the ATECC508A co-processor will generate the individual device identity with unique keys and certificates. When the IoT device connects to AWS IoT, mutual authentication and key provisioning will be automatically carried out. This eliminates the need for you and your OEMs to externally generate keys for each device. The low-cost ATECC508A reduces expenses while accelerating the design-to-production cycle for IoT products.
Another crucial advantage of the ATECC508A security co-processor is how it simplifies the manufacturing process and product supply chain. It comes preloaded with unique keys for each device, ensuring that private keys are safe throughout the manufacturing process and that device users can seamlessly connect to cloud servers without any hassle. Alternate approaches to provisioning require a secure supply chain, which means a significant investment in Hardware Secure Modules (HSM) and a secure database infrastructure to store, protect and manage keys. For similar reasons, computer industry-centric Trusted Platform Module (TPM) chips are not well positioned for use in low-cost IoT applications.
If you are ready to start building a secure and scalable IoT solution for deployment on the AWS cloud, you will find all the resources you need at www.microchip.com/ecc508. For more information, contact your local Microchip sales office.