Upload
others
View
2
Download
0
Embed Size (px)
Citation preview
PUBLIC
JORDI JOFRE
24/04/2018
A71CH – Plug & trust for IoTSession 1: A71CH product introduction
1
A71CH – Plug & trust for IoT
Session 1: A71CH product introduction
Get familiar with A71CH key security features, key
benefits, use cases and product support package.
April 24th, 2018 - 10 AM CEST and 08 AM PDT
Session 2: Getting started with A71CH product
support package
Learn how to get started with A71CH and its support
package, including an example with i.MX6UltraLite.
April 26th, 2018 - 10 AM CEST and 08 AM PDT
Registration link:
https://register.gotowebinar.com/rt/6148121966411079939
2
Agenda
• A71CH motivation
• A71CH product positioning
• A71CH product overview and features
• A71CH product support package
− A71CH development boards
− A71CH Host software package
− A71CH documentation
• Q&A
3
A71CH motivation
4
IoT ecosystem
Gateway
IoT device
Connectivity
Sensors / Actuator
Host processor
Fig. Simplified IoT device architecture
IoT device
IoT device
IoT device
IoT device
IoT device
IoT device
Servers
The IoT is a network of physical objects (or “things”) embedded
with electronics, software, sensors and connectivity which enable
those objects to exchange data with the operator, manufacturer,
service provider, and / or other connected devices.
Connections · Data · Control
IoT is about …
Network
5
IoT devices are vulnerable to security threats
Gateway
IoT device
IoT device
IoT device
IoT device
Network
Servers
Security is like a chain that is only as
strong as the weakest link
Execution of malware
Extraction of
device keys
Exploit a
SW bug
Personal data leakage
Disclosure of
company secrets
Insertion of counterfeit devices
IoT device
IoT device
IoT device
Connectivity
Sensors / Actuator
Host processor
Fig. Simplified IoT device architecture
Insecure
connection
6
IoT device
IoT device
IoT device
IoT device
IoT device
IoT device
IoT device
IoT devices must follow a secure-by-design approach
Gateway
Fig. Simplified IoT device architecture
IoT device
IoT device
IoT device
IoT device
IoT device
Connectivity
Sensors / Actuator
HostSecurity
IC
IoT device
IoT device
Network
Execution
of malware
Extraction of
device keysExploit a
SW bug
Personal data
leakage
Disclosure of
company secrets
Insertion of
counterfeit devices
Insecure
connection
Security IC provides protected
storage the device keys.
Security IC provides protected storage of the device keys
for creating a trusted and authenticated TLS connection.
Security IC provides protected storage of
the device credentials signed by a CA.
Security IC contributes to the chain
of trust for provisioning public key
Security IC contributes by
preventing the device
credentials to be compromised
Security IC contributes by enabling an
encrypted TLS connection with the endpoint.
Security IC contributes by enabling an
encrypted TLS connection with the endpoint.
7
Reasons to consider a security IC in IoT devices
Root of trust
Why a discrete security IC in IoT devices?
Out-of-the-box
security
Closed system
Security and key management through the whole value
chain right from the start
Scalable and ready to deploy
No need to develop secure SW
On Chip NV Memory with access policy
Closed system architecture to isolate memory access
from host system.
NV memory only accessible via Chip OS / Applet
Keep secrets secret
8
A71CH product positioning
9
A71CH: The fast, easy way to deploy secure IoT connections
Plug & Trust, ready-to-use security IC for the IoT ecosystem
IoT solution for secure connection with public and private clouds
Easy to integrate with different MCU platforms
Fast design-in with complete product support package
www.nxp.com/A71CH
10
A71CH Plug & Trust for IoT
Product Overview & Features
• I2C-bus slave interface: up to 400kbit/s
• Protected access to credentials
• ECC key generation & signature verification
• ECC-based authentication and key agreement (TLS-PKI, NIST P-256)
• Pre-shared secret based authentication (TLS-PSK, TLS-ECDH-PSK)
• Connectionless message authentication (HMAC), message hashing (SHA-256)
• Encrypted/authenticated interface as secure channel with host MCU
• Secure vault for product master secrets with key wrapping, derivation and locking
mechanism
• Symmetric key derivation
• Trust provisioning service by NXP and partners
• Temperature range: -40C to +90C operational ambient temperature
• Sleep & deep sleep modes
• Complete product support package including development kit, host SW package for
easy integration with the most common MCU/MPU platforms.
• Secure connection to public/private clouds, edge computing
platforms, infrastructure
• Device-to-device authentication
• Proof of origin / anti-counterfeiting
• Protected key storage
• Secure provisioning of credentials
• Secure data protection
Use Cases
Interfaces
• Root of trust for IoT applications
• End-to-end security, from chip to edge to cloud
• Plug & Trust: Ready to use solution for easy system integration
Customer benefits
• HVSON-8
Packaging
• The A71CH security concepts include multiple security
measures to protect the chip.
• The A71CH operates completely autonomously based on an
integrated Java Card operating system and applet. Direct
memory access is possible by the fixed functionalities of the
applet only. With that, the content from the memory is entirely
isolated from the host system.
• Protection from attack by integrated design measures in the
chip layout, the logic and the functional blocks.
Security features
11
Chain of trust based on Secure Element
Cloud / Network onboarding & device ID management
Mutual authentication based on credential stored on SE (e.g., certificate based TLS). No key handling necessary at insecure stages of supply chain.
SoC
SE
Hardware Protection for the secrets
Pre-injected keys stored in hardware to identify genuine devices, all cryptographic calculations isolated in A71CH with its own resources (CPU, NVM, Co-Processors, etc.), hardware design with basic measures against physical attacks, such as probing, hardware manipulation, glitches and light.
Physical / Logical separation
Only indirect access by the instruction set of the A71 applet, no direct memory access from SoC. Lifecycle Management protects keys throughout product lifecycle from unauthorized access (overwriting, deleting, manipulation, etc.).
12
A71CH for protected key storage & provisioning of credentials
IoT device
IoT device
IoT device
IoT device
IoT device
IoT device
IoT device
A71CHHost
MCU
A71CH
Secure Storage
Key pair #1
Key pair #2
Public key #1
Public key #2
Sym key #1
Sym key #2
Sym key #5
Sym key #6
General purpose
storage
Secure storage of two
monotonic counters (32 bit)
Secure storage, generation
and insertion of 4 key pairs
(ECC NIST P-256)
Secure storage and
insertion of 3 public keys
Secure storage,
insertion of eight
symmetric secrets
(8X128 bits)
Secure storage of
general purpose data
(e.g. digital certificates)
A71CH can be integrated as a slave device into the IoT to
provide secure storage of credentials and crypto operations
Public key #3
Key pair #3
Key pair #4
Sym key #3
Sym key #4
Sym key #7
Sym key #8
Monotonic
counter #1
Monotonic
counter #2
13
A71CH for secure connection to public or private clouds
IoT device
IoT device
IoT device
IoT device
IoT device
IoT device
IoT device
A71CHHost
MCU
Gateway Network Cloud
End-to-end TLS connection
001010 001010
A71CH Cloud servers
The keys and certificates used to authenticate the
cloud connection remain secure in A71CH
Authenticity
Trusted connection
Data privacy
A71CH security IC supports the TLS
Handshake protocol version 1.2
Public and private
cloud service
providers
14
A71CH for device proof of origin / anti-counterfeit
IoT device
IoT device
IoT device
IoT device
IoT device
IoT device
IoT device
A71CHHost
MCU
A71CH
The keys and certificates used to
verify device authenticity remain
secure in A71CH
Servers
I want to authenticate the device’s
origin in order to detect clones and
make sure there’s no counterfeit
I want to make sure I am
communicating with the
genuine server
Server
IoT device
authenticity
verification
Server
authenticity
verification
Authenticity is proved by the
verification of signed random numbers
967949 125697
Certificates are used to bind
public key with its owner.
15
A71CH for encrypted / authenticated interface to host processor
IoT device
IoT device
IoT device
IoT device
IoT device
IoT device
IoT device
A71CHHost
MCU
I2C
Host interface
When using SCP03, Host processor and
A71CH are mutually authenticated
Setting up the SCP03 channel requires 3 128-
bit AES keys (both on Host and A71CH side).
A71CH provides the option to bind the
Host processor to the security IC by
configuring it to use an SCP03 channel.
A71CH Host MCU
I2C
SCP03 secure
channelSCP03 keys SCP03 keys
16
A71CH trust provisioning models
17
A71CH Trust Provisioning
Secure injection of keys and credentials, volume independent.
• For prototyping during development through A71CH Configure tool (part of
A71CH Host software package)
• For high volumes by NXP Trust Provisioning Service
• Through distributors and partners in programming centers
• To offer secure programming for mass market, we have partnered
with Data I/O, a leading company providing secure programming
solutions.
• Data I/O has implemented programming scripts for A71CH on their
SentriX system.
IoT device
A71CHHost
MCU
I2C
A71CH
Secure Storage
Key pair #0
Key pair #1
Public key #0
Public key #1
Sym key #0
Sym key #1
Sym key #4
Sym key #5
General purpose
storage
Public key #2
Key pair #2
Key pair #3
Sym key #2
Sym key #3
Sym key #6
Sym key #7
Monotonic
counter #0
Monotonic
counter #1
Trust
provisioning
Config keys (3)
18
Customer
(SP, OEM)
AWS Just-In-Time Registration of Device Certificates Launched in Nov 2016 – A71CH AWS
CA either provided by programming facility or customer
AWS Service
Provider AccountNXP
A71CH
4. Register signing/intermediate
CA with AWS IoT.
6. Auto-registering device
certificates when devices connect
to AWS IoT for the first time
Programming
facility
Per customer set up
1. Create root CA (can be customer or
programming facility)
2. Create intermediate CA signed by
Root CA
3. Install intermediate CA in
programming equipment
5. Provisioning of the individual
device certificate signed by
customer signing/intermediate
certificate and a corresponding
device individual key pair
19
A71CH product support package
20
A71CH product support package
DocumentationA71CH Host software packageA71CH development boards
Extensive support documentation for facilitating product evaluation as well as the
implementation process of the main use cases.
Includes an A71CH Mini PCB board and an Arduino adaptor for i.MX,
Kinetis and LPC boards.
Comprehensive software package including A71CH Host SW API, sample
applications, source code and API documentation
21
A71CH development boards
22
A71CH Arduino compatible development kitOM3710/A71CHARD
A71CH Arduino compatible dev kit
Part number complete kit: OM3710/A71CHARD
12NC: 935368997598
Ordering: eCommerce
OM3710/A71CHARD contents
• A71CH mini PCB board (OM3710/A71CHPCB)
• Arduino interface header board
OM3710/A71CHARD features
• Arduino development kit based on Arduino adaptor
board and A71CH mini PCB board.
• A71CH development kit to connect the A71CH security
IC to any host featuring an Arduino compatible header.
www.nxp.com/OM3710
23
Kinetis board as VCOM port
USB / I2C bird /Ascot adaptor and VCOM board to PC
USB / I2C bird (OM3710/B001)
Note: For availability please contact your
NXP representative.
OM3710/B001 contents
• I2C/USB dongle
• I2C data cable
OM3710/B001 features
• Complete I2C/USB set enabling connection to PC.
• It shall be complemented with A71CH Mini PCB board.
Features
• FRDM-K64F and FRDM-K82F can be configured as
VCOM boards after downloading a dedicated firmware.
• The VCOM port acts as a USB to I2C adaptor.
Part number complete kit: FRDM-K64F
12NC: 935326293598
Ordering: eCommerce
Part number complete kit: FRDM-K82F
12NC: 935327211598
Ordering: eCommerce
24
A71CH Host software package
25
A71CH Host software package contents
A71CH Configure toolA71CH Host API documentationA71CH Host API source code
A71CH API usage examplesA71CH OpenSSL Engine examples
26
Host MCU
A71CH Host software architecture
OpenSSL
Application
Host Library
OpenSSL Engine
I2C
A71CH
I2C
The A71CH Host Library behaves as the
interface between a host microcontroller
application and the A71CH security IC.
The A71CH Host Library translates
function calls into APDUs that are
transferred through an I2C interface to the
A71CH security IC.
Host MCU
Application
Host Library
mbedTLS ALT
mbedTLS
I2C VCOM
A71CH
I2C
27
A71CH Configuration tool
Host MCU
I2C
A71CH
configure tool
A71CH
Host API
The A71CH Configure tool is a command line tool that
supports the insertion of credentials into the A71CH.
The A71CH Configure tool source code is part of the
A71CH Host SW support package as well
Serial port(SSH possible)
e.g. i.MXUltraLite
e.g. TeraTerm command
line bash tool
Configuration
commandsAPDU
commands
Development PC
A71CH design tools: www.nxp.com/products/:A71CH?tab=Design_Tools_Tab
e.g.OM3710/A71CHARD
A71CH
Secure Storage
Key pair #0
Key pair #1
Public key #0
Public key #1
Sym key #0
Sym key #1
Sym key #4
Sym key #5
General purpose
storage
Public key #2
Key pair #2
Key pair #3
Sym key #2
Sym key #3
Sym key #6
Sym key #7
Monotonic
counter #0
Monotonic
counter #1
Config keys (3)
28
A71CH API usage examples
A71CH
Host MCU
I2C
A71CH
API examples
A71CH
Host API
The A71CH Host API usage example application is a sample
project oriented to show the functionality of the A71CH Host library
Development PC e.g. i.MXUltraLite e.g.OM3710/A71CHARD
e.g. TeraTerm command
line bash tool
A71CH
responsesAPDU
command / responses
Serial port
The A71CH Host API usage examples:
ex_aes, ex_config, ex_ecc_nohc, ex_gpstorage, ex_misc, ex_psk,
ex_scp, ex_sst_kp, ex_boot, ex_walkthrough, ex_debug.
A71CH design tools: www.nxp.com/products/:A71CH?tab=Design_Tools_Tab
29
A71CH OpenSSL Engine TLS communication examples
Host MCU
I2C
A71CH
OpenSSL client-
side scripts
A71CH
Host API
The A71CH OpenSSL Engine TLS connection
examples show how to initiate a TLS/SSL-
based communication between two devices
acting as a client and a server
Serial port
Development PC
e.g. i.MXUltraLite
e.g.OM3710/A71CHARD
e.g. TeraTerm command
line bash tool
APDUs
A71CH
OpenSSL Engine
e.g. Linux machine (e.g. Ubuntu VM)
A71CH
OpenSSL server-
side scripts
TLS
connection
A71CH
A71CH design tools: www.nxp.com/products/:A71CH?tab=Design_Tools_Tab
30
A71CH Host API documentation
31
A71CH documentation
32
A71CH documentation (I)
IoT security brochure
A71CH product leaflet
A71CH product short datasheet
AN12121 – How to start a development with A71CH
• Scope: Highlights about A71CH key benefits, use cases, target applications and ordering details
• Link: https://www.nxp.com/docs/en/fact-sheet/A71CH-LEAFLET.pdf
• Scope: Educational whitepaper about IoT security needs and NXP value proposition.
• Link: https://www.nxp.com/docs/en/brochure/A71CH-IOT.pdf
• Scope: Provides a functional description, features, applications, pinning, operational conditions and characteristics
• Link: https://www.nxp.com/docs/en/data-sheet/A71CH-SDS.pdf
• Scope: Describes the support material available for designs based on the A71CH solution.
• Link: https://www.nxp.com/docs/en/application-note/AN12121.pdf
A71CH documentation: www.nxp.com/products/:A71CH?tab=Documentation_Tab
33
A71CH documentation (II)
AN12119 – A71CH Quick start guide for OM3710A71CHARD and i.MXUltraLite
AN12133 – A71CH Host software package documentation
AN12131 – A71CH for secure connection to AWS cloud
AN12132 – A71CH for secure connection to OEM cloud
• Scope: Provides a detailed view of the A71CH Host software architecture and the A71CH application examples
• Link: https://www.nxp.com/docs/en/application-note/AN12133.pdf
• Scope: Guide for setting up the development environment for A71CH Arduino development kit and i.MX6UltraLite
• Link: https://www.nxp.com/docs/en/application-note/AN12119.pdf
• Scope: Detailed description on how the A71CH can be used to create a secure connection with AWS Cloud
• Link: https://www.nxp.com/docs/en/application-note/AN12131.pdf
• Scope: Detailed description on how the A71CH can be used to create a secure connection with the OEM Cloud
• Link: https://www.nxp.com/docs/en/application-note/AN12132.pdf
A71CH documentation: www.nxp.com/products/:A71CH?tab=Documentation_Tab
34
A71CH documentation (III)
AN12120 – A7CH for electronic anti-counterfeit protection
AN12135 – A71CH Quick start guide for OM3710A71CHARD and Kinetis
AN12134 – A71CH Quick start guide for Windows
AN – A71CH Host software porting guidelines
• Scope: Guide for setting up the development environment for A71CH Arduino development kit and Kinetis boards
• Link:
• Scope: Describes how the A71CH can be used to implement a mutual authentication mechanism based on ECC crypto
• Link: https://www.nxp.com/docs/en/application-note/AN12120.pdf
• Scope: Guide for setting up the development environment for A71CH Arduino development kit in Windows
• Link
• Scope: Detailed guide for porting A71CH Host software to different MCU and MPU platforms.
• Link:
Available
soon
Available
soon
Available
soon
A71CH documentation: www.nxp.com/products/:A71CH?tab=Documentation_Tab
35
A71CH documentation (IV)
AN – A71CH trust provisioning options
AN – A71CH for secure connection to more private and public cloud providers
• Scope: x
• Link:
• Scope: x
• Link:
Available
soon
Available
soon
A71CH documentation: www.nxp.com/products/:A71CH?tab=Documentation_Tab
Stay tuned
More coming!
36
Closure
37
A71CH Plug & trust for IoT: Summary
A71CH key benefits
• Root of trust for IoT applications
• End-to-end security, from chip to edge to cloud
• Plug & Trust: Ready to use solution for easy system integration
Support for:
• MPU with i.MX 6 available now
• MCU with Kinetis K64F, KW41Z, K82 and more in April
Product website: www.nxp.com/A71CH
Development kit: www.nxp.com/OM3710
Order info:
Item Description Package 12NC
A7101CHTK2 Security IC with standard temp range (-25 to +85 °C) HVSON8, Reel, MoQ = 6k 9353 680 97118
A7102CHTK2 Security IC with extended temp range (-40 to +90 °C) HVSON8, Reel, MoQ = 6k 9353 635 15118
OM3710/A71CHARD OM3710/A71CHARD A71CH Arduino-compatible development kit 9353 689 97598
MCU/
MPU
A71CH as an easy add-on to MPU & MCU for
Secure Cloud Connection & Mutual Authentication
38
Thank you for your kind attention!
Please remember to fill out our evaluation survey (pop-up)
Check your email for material download and on-demand video
addresses
Please check NXP and MobileKnowledge websites for upcoming
webinars and training sessions
http://www.nxp.com/support/classroom-training-events:CLASSROOM-TRAINING-EVENTS
www.themobileknowledge.com/content/knowledge-catalog-0
A71CH - Plug & trust for IoT
Jordi Jofre (Speaker)
Angela Gemio (Host)
39
MobileKnowledge
MobileKnowledge is a team of HW, SW and system engineers, experts in smart, connected and
secure technologies for the IoT world. We are your ideal engineering consultant for any specific
support in connection with your IoT and NFC developments. We design and develop secure HW
systems, embedded FW, mobile phone and secure cloud applications.
Our services include:
▪ Secure hardware design
▪ Embedded software development
▪ NFC antenna design and evaluation
▪ NFC Wearable
▪ EMV L1 pre-certification support
▪ Mobile and cloud application development
▪ Secure e2e system design
We help companies leverage
the secure IoT revolution www.themobileknowledge.com