Tag Archives: ATECC508A

Atmel launches the industry’s first hardware interface library for TLS stacks used in IoT edge node apps

The new HW-TLS platform provides an interface between software TLS packages and the ATECC508A cryptographic co-processor.

With the rise of the Internet of Things, security has become a pressing topic because autonomous remote devices are now routinely connecting to wireless networks to form complex smart device and cloud-service ecosystems. As a result, autonomous IoT gadgets constitute a significant part of those networks and must be able to authenticate themselves to the network resources to maintain the integrity of the ecosystem. In addition, these remote, resource-constrained clients must be able to perform this authentication using minimal processing, memory and power.

Cognizant of this, Atmel has launched the industry’s first hardware interface library for TLS stacks used in Internet of Things edge node applications. Hardening is a method used for reducing security risks to a system by applying additional hardware security layers and eliminating vulnerable software. This new Hardware-TLS (HW-TLS) platform provides an API that allows TLS packages to utilize hardware key storage and cryptographic acceleration even in resource constrained edge node designs. HW-TLS is a comprehensive solution pre-loaded with unique keys and certificates designed to eliminate the complexities of generating secure keys in the manufacturing supply chain.

OpenSSL is a general-purpose cryptography library that provides an open source implementation of the Secure Sockets Layer (SSL) and TLS protocols. wolfSSL is a cryptography library that provides lightweight, portable security solutions with a focus on speed and size. Atmel’s new ATECC508A-OpenSSL and ATECC508A-wolfSSL are available for immediate download at their respective software distribution repositories, offering seamless adoption of more secure elements without disruption to the developer workflow.

OpenSSL

Secure hardening for both OpenSSL and wolfSSL is made possible with HW-TLS which enables those TLS software packages to interface seamlessly with the ATECC508A CryptoAuthentication co-processor. This IC provides protected key storage as well as hardware acceleration of Elliptic Curve Cryptography (ECC) cipher suites including mutual authentication (ECDSA) and Diffie-Hellman key agreement (ECDH). As such, HW-TLS allows developers to substantially harden Transport Layer Security (TLS), enhancing security for IoT ecosystems.

When used together, HW-TLS and the ATECC508A let even extremely small, low-cost IoT nodes implement strong cryptographic security. All private keys, certificates and other sensitive security data used for authentication are stored in secure hardware and protected against software, hardware and back-door attacks. Beyond that, the integrated ECC accelerators in the ATECC508A offload cryptographic code and math from the MCU allowing even a low-end processor to perform strong authentication.

ATEC

“Everyone with an interest in IoT security should be excited about Atmel HW-TLS with wolfSSL,” explains Larry Stefonic, wolfSSL CEO. “The combination of our secure software and Atmel’s new chips brings TLS performance and security to a level unrivaled in the industry. Atmel’s HW-TLS platform also makes it easier than ever for developers to incorporate truly hardened security into our TLS stack.”

Traditionally, TLS performed authentication and stored private keys in software. However, Atmel’s latest platform closes the vulnerability gap in this arrangement by offloading the crucial key management responsibility to dedicated, tamper-resistant secure elements such as the ATECCC508A crypto engine. What’s more, the intensive crypto algorithms are processed in the CryptoAuthentication device, offloading the MCU on the remote devices and enabling the IoT edge node to authenticate to the cloud without a user-perceptible delay. Furthermore, Atmel Hardware-TLS comes as a complete platform pre-loaded with unique keys and certificates for eliminating the complexities of adding secure keys to each device in a manufacturing supply chain.

“With more and more remote devices being connected to the cloud every day in the era of the IoT, it becomes increasingly critical to ensure these devices are not vulnerable to attack,” adds Nicolas Schieli, Senior Director of Atmel’s Secure Products Group. “Such devices can be entirely secure only when they are hardware secure, meaning the ‘secret’ keys are stored in a separate hardware unit. We are excited to bring this innovation to market, enabling device manufacturers that need to connect to the cloud to take advantage of hardware security.”

Cry

The Hardware-TLS complements Atmel Certified-ID, a seamless and secure keys provisioning platform for assigning trusted identities to devices joining the IoT.

Security coprocessor marks a new approach to provisioning for IoT edge devices

A New Approach to Provisioning

It’s worth noting that security breaches rarely involve breaking the encryption code; hackers mostly use techniques like spoofing to steal the ID. So, the focus of the ATECC508A crypto engine is the tasks such as key generation and authentication. The chip employs ECC math to ensure sign-verify authentication and subsequently the verification of the key agreement.

The IoT security — which includes the exchange of certificates and other trusted objects — is implemented at the edge node in two steps: provisioning and commissioning. Provisioning is the process of loading a unique private key and other certificates to provide identity to a device while commissioning allows the pre-provisioned device to join a network. Moreover, provisioning is carried out during the manufacturing or testing of a device and commissioning is performed later by the network service provider and end-user.

Presently, snooping threats are mostly countered through hardware security module (HSM), a mechanism to store, protect and manage keys, which requires a centralized database approach and entails significant upfront costs in infrastructure and logistics. On the other hand, the ATECC508A security coprocessor simplifies the deployment of secure IoT nodes through pre-provisioning with internally generated unique keys, associated certificates and certification-ready authentication.

It’s a new approach toward provisioning that not only prevents over-building, as done by the HSM-centric techniques, but also prevents cloning for the gray market. The key is controlled by a separate chip, like the ATECC508A coprocessor. Meaning, if there are 1,000 IoT systems to be built, there will be exactly 1,000 security coprocessors for them.

Certified-ID Security Platform

Back at ARM TechCon 2015, Atmel went one step ahead when it announced the availability of Certified-ID security platform for the IoT entry points like edge devices to acquire certified and trusted identities. This platform leverages internal key generation capabilities of the ATECC508A security coprocessor to deliver distributed key provisioning for any device joining the IoT network. That way it enables a decentralized secure key generation and eliminates the upfront cost of building the provisioning infrastructure for IoT setups being deployed at smaller scales.

Atmel, a pioneer in Trusted Platform Module (TPM)-based secure microcontrollers, is now working with cloud service providers like Proximetry and Exosite to turn its ATECC508A coprocessor-based Certified-ID platform into an IoT edge node-to-cloud turnkey security solution. TPM chips, which have roots in the computer industry, aren’t well-positioned to meet the cost demands of low-price IoT edge devices.

Additionally, the company has announced the availability of two provisioning toolkits for low volume IoT systems. The AT88CKECCROOT toolkit is a ‘master template’ that creates and manages certificate root of trust in any IoT ecosystem. On the other hand, AT88CKECCSIGNER is a production kit that allows designers and manufacturers to generate tamper-resistant keys and security certifications in their IoT applications.

Develop secure IoT apps with the Atmel Certified-ID platform

1 Reply

The Atmel Certified-ID security platform prevents unauthorized reconfiguration of an edge node to access protected resources on the network.

Atmel has announced a comprehensive security platform that enables businesses of all sizes to assign certified and trusted identities to devices joining the secure Internet of Things. The Atmel Certified-ID security platform prevents unauthorized reconfiguration of an edge node to access protected resources on the network. This new platform is available on the Atmel SmartConnect Wi-Fi, Bluetooth, Bluetooth Smart and ZigBee solutions that connect directly to Atmel Cloud Partners, providing a secure turnkey solution for IoT edge node-to-cloud connection.

The Atmel Certified-ID platform delivers a distributed key provisioning solution, leveraging internal key generation capabilities of the ATECC508A CryptoAuthentication device, without invoking large scale infrastructure and logistics costs. This platform even allows developers to create certified and trusted identities to any device before joining an IoT network.

With billions of devices anticipated by 2020 in the rapidly growing IoT market, security is a critical element to ensuring devices can safely and conveniently access protected assets through the Internet. Today, secure identities are commonly created through a centralized approach where IoT device keys and certificates are generated offline and managed in secure databases in Hardware Security Modules (HSM) to protect the keys. These keys are then programmed into the IoT devices by connecting the HSM to automation equipment during device manufacturing. This approach is indispensable in large deployments consisting of millions of devices. It can also entail significant upfront costs in infrastructure and logistics which must be amortized over a large number of devices for cost effectiveness.

By utilizing the unique internal key generation capabilities of ATECC508A device, the recently-unveiled platform enables decentralized secure key generation, making way for distributed IoT device provisioning regardless of scale. This method eliminates the upfront costs of the provisioning infrastructure which can pose a significant barrier in deploying devices in smaller scales. On top of that, developers will be able to create secure IoT devices compatible with partner cloud services and to securely join ecosystems.

Atmel is currently working with several cloud service companies, including Proximetry and Exosite, on the Certified-ID platform. These collaborations will give developers a wide range of ecosystem partners to choose from for a secure connection between the edge nodes and the IoT. Other partners will be announced as they are integrated in the Certified-ID platform.

“As a leader in the security space with a track record of over two decades, enabling secure networks of all sizes is our mission,” said Nuri Dagdeviren, Atmel Vice President and General Manager of Secure Products Group. “Streamlining secure processes and simplifying deployment of real world secure networks will be key to unlocking the potential and enabling rapid growth of IoT. We will continue delivering industry-leading solutions in security, a critical element in enabling billions of ‘things’ to be connected to the cloud.”

Atmel now offers security provisioning tool kits to enable independent provisioning for pilot programs or production runs when used in conjunction with the ATECC508A ICs. These devices are pre-provisioned with internally generated unique keys, associated certificates, and certification-ready authentication once it is connected to an IoT ecosystem.

Developers will need two kits to securely provision their gadgets: the AT88CKECCROOT tool kit, a ‘master template’ that creates and manages certificate root of trust in any ecosystem, and the AT88CKECCSIGNER tool kit, a production kit that enables partners to provision IoT devices.

The AT88CKECCSIGNER kit lets designers and manufacturers generate tamper-resistant keys and security certifications requiring hardware security in their IoT applications. These keys provide the level of trust demanded by network operators and allows system design houses to provision prototypes in-house—saving designers overall investment costs.

The tool kits also include an easy-to-use graphical user interface that allow everyone to seamlessly provision their IoT devices with secure keys and certificates without special expertise. With distributed provisioning, developers are not required to use expensive HSM for key management and certificate acquisition fees.

In addition to secure IoT provisioning, the new Certified-ID platform provides high-quality random number generation to guarantee a diverse set of public and private keys. It delivers solutions to a variety of IoT security needs including node anti-cloning protection, data confidentiality, secure boot, and secure firmware upgrades over-the-air. The tamper resistance built into the ATECC508A device continues to provide the desired protection even when the device is under physical attack.

Ready for the Internet of Trusted Things? Both the Atmel AT88CKECCROOT and AT88CKECCSIGNER are available today.

Secure your Raspberry Pi and Linux applications with ZymKey

1 Reply

ZymKey makes it easy to secure your IoT applications and manage them in the real world.

More times than not, developers are faced with two bad options: either deliver a substandard product quickly, or reinvent the wheel and miss the market altogether. Luckily, one Santa Barbara-based startup has come up with a solution, not just a band-aid but a true fix to the all too common conundrum. Introducing ZymKey, a tiny, low-cost piece of hardware for authenticating and encrypting data between Internet of Things devices.

The key integrates silicon and software into a simple, ready-to-go package that will automatically work with Raspberry Pi and other Linux gadgets. What’s nice is that the ZymKey integrates seamlessly with Zymbit’s existing IoT platform, which includes Zymbit.Connect software, the Zymbit.City community and the Zymbit.Orange secure IoT motherboard that was on display back at Maker Faire Bay Area. Together, Zymbit enables IoT professional developers and Makers innovate faster with the confidence of data security and integrity.

“The Internet of Things will reach its full potential when real people like you and I begin to connect our devices and share data streams,” explained Zymbit CEO Phil Strong. “Then we can work together to solve real problems that impact our everyday lives. Funding our Kickstarter campaign is not just about building the ZymKey, it’s about enabling an entire community of people to collaborate around secure data streams and ideas.”

Ideally, Zymbit will make it easy to not only collect but to share data in a trusted manner. The platform embraces open technologies and gives people the freedom to innovate quickly without having to compromise security or performance. Aside from that, the so-called Zymbit.City will serve as a forum for those with common interests to collaborate on ideas powered by such verified and authenticated information.

ZymKey works by attaching to IoT Linux platforms like the Raspberry Pi. When combined with Zymbit’s Linux APIs, it offers true authentication and cryptographic services of remote devices, as well as a real-time clock and accelerometer to timestamp security events and detect physical tampering, respectively. For its Kickstarter launch, ZymKey is available in two versions: a header-mounted crypto key for the RPi and a USB stick that plugs into the port of a Linux board, including BeagleBone, UDOO and Dragon.

For the RPi model, the low-profile hardware attaches directly to the Pi’s expansion header while still allowing Pi-Plates to be added on top. Lightweight firmware drivers run on the RPi core interface with software services through Zymbit.Connect. Meanwhile, the USB version adds more functionality and is usable on any Linux unit with a USB host.

“Great security has to be designed end to end. From silicon to software, from point of manufacture through end-of-life. ZymKey brings all this together and makes it easy to manage your applications and devices out in the real world, without compromising security,” the team explains. “ZymKey integrates speciality silicon with firmware drivers on the host device and the corresponding software services in the cloud. The result is a robust and secure communication workflow that meets some of the highest standards in the industry.”

Both ZymKeys are embedded with an ATECC508A CryptoAuthentication IC for bolstered security, while the USB version also features an Atmel | SAM D21 Cortex-M0+ core. Once connected to the Zymbit platform, you will have the unprecedented ability to transparently manage all of your remote devices from a single console — upgrade over the air, configure admin rights, and so much more. Additionally, you will be able to publish, subscribe and visualize secure data. Each ZymKey comes pre-packed with dashboard widget that make it simple to customize and share with others.

So whether you’re connecting one Linux gizmo in your garage to a public forum or have tens of thousands of Raspberry Pis deployed throughout the world, ZymKey seems to be an excellent option for everyone. Interested? Head over to its Kickstarter page, where the Zymbit team is seeking $15,000. Delivery is slated for December 2015.

Enhance Raspberry Pi security with ZymKey

1 Reply

In this blog, Zymbit’s Scott Miller addresses some of the missing parts in the Raspberry Pi security equation.

Raspberry Pi is an awesome platform that offers people access to a full-fledged portable computing and Linux development environment. The board was originally designed for education, but has since been embedded into countless ‘real world’ applications that require remote access and a higher standard of security. One of, if not, the most notable omissions is the lack of a robust hardware-based security solution.

At this point, a number of people would stop here and say, “Scott, you can do security on RPi in software just fine with OpenSSL/SSH and libgcrypt. And especially with the Model 2, there are tons of CPU cycles left over.” Performance is not the primary concern when we think about security; the highest priority is to address the issue of “hackability,” particularly through remote access.

What do you mean by “hackability?”

Hackability is a term that refers to the ease by which an attacker can:

take over a system;
insert misleading or false data in a data stream;
decrypt and view confidential data.

Perhaps the easiest way to accomplish any or all of the aforementioned goals is for the attacker to locate material relating to security keys. In other words, if an attacker can gain access to your secret keys, they can do all of the above.

Which security features are lacking from Raspberry Pi?

Aside from not having hardware-based security engines to do the heavy lifting, there’s no way to secure shared keys for symmetric cryptography or private keys for asymmetric cryptography.

Because all of your code and data live on a single SD card, you are exposed. Meaning, someone can simply remove the SD card, pop it into a PC and have possession of the keys and other sensitive material. This is particularly true when the device is remote and outside of your physical control. Even if you somehow try to obfuscate the keys, you are still not completely safe. Someone with enough motivation could reverse engineer or work around your scheme.

The best solution for protecting crypto keys is to ensure the secret key material can only be read by standalone crypto engines that run independently from the core application CPU. This basic feature is lacking in the Raspberry Pi.

Securing Raspberry Pi with silicon and software

With this in mind, Zymbit has decided to extract some of the core security features from the Zymbit.Orange and combine them into a tiny device that embeds onto the Raspberry Pi, providing seamless integration with Zymbit’s remote device management console. Meet the ZymKey!

ZymKey for secure remote device management

ZymKey brings together silicon, firmware drivers and software services into a coherent package that’s compatible with Zymbit’s secure IoT platform. This enables a Raspberry Pi to be accessed and managed remotely, firmware to be upgraded and access rights to be administered.

Secure software services

Zymbit’s Connect libraries enhance the security and utility of Raspberry Pi in the following ways:

Add message authentication to egress messages to the Zymbit cloud by attaching a digital signature, which proves that the data originated to a specific Raspberry Pi/Key combination. (Meaning that it was not forged or substituted along the way).
Assist in providing security certificates to the Zymbit cloud.
Authenticate security certificates from the Zymbit cloud.
Optionally help to encrypt/decrypt the content of messages to/from the Zymbit cloud.

Data that is encrypted/authenticated through ZymKey will be stored in this encrypted/authenticated form, thereby preserving the privacy and integrity of the data.

In addition to its standard attributes, developers can access lower level features through secure software services, including general cryptography (SHA-256 MAC and HMAC with secure keys, public key encryption/decryption), password validation, and ‘fingerprint’ services that bind together specific hardware configurations.

Stealth hardware

ZymKey’s low-profile hardware plugs directly into the Pi’s expansion header while still allowing Pi-Plates to be added on top. Lightweight firmware drivers run on the RPi core and interface with software services through zymbit.connect. It should also be noted that a USB device is in the works for other Linux boards.

At the heart of the ZymKey is the newly released ATECC508A CryptoAuthentication IC. Among some of its notable specs are:

ECC asymmetric encryption engine
SHA digest engine
Random number generator
Unique 72-bit ID
Tamper prevention
Secure memory for storing:
- Sensitive key material – an important thing to point out is that private keys are unreadable by the outside world and, as stated above, are only readable by the crypto engine.
- X.509 security certificates.
- Temporary items: nonces, random numbers, ephemeral keys
Optional encryption of transmitted data across the I2C bus for times when sensitive material must be exchanged between the Raspberry Pi and the ATECC508A

Life without ZymKey

Raspberry Pi can be used with the Zymbit Connect service without the ZymKey; however, the addition of ZymKey ensures that communications with Zymbit services are secured to a higher standard. Private keys are unreadable by the outside world and usable only by the ATECC508A, thus making it difficult (if not practically impossible) to compromise.

Each ZymKey has a unique set of keys. So, if, on the off chance that a key is compromised, only that key is affected. Simply stated, if you have several Raspberry Pi/ZymKey pairs deployed and one is compromised, the others will still be secure.

Once again, it is certainly possible to achieve the above goals purely through software (OpenSSL/libgcrypt/libcrypto). However, especially regarding encryption paths, without ZymKey’s secure storage, key material must be stored on the Raspberry Pi’s SD card, exposing private keys for anyone to exploit.

Stay tuned! The ZymKey will be making its debut on Kickstarter in the coming days.

4 reasons why Atmel is ready to ride the IoT wave

3 Replies

The IoT recipe comprises of three key technology components: Sensing, computing and communications.

In 2014, a Goldman Sachs’ report took many people by surprise when it picked Atmel Corporation as the company best positioned to take advantage of the rising Internet of Things (IoT) tsunami. At the same time, the report omitted tech industry giants like Apple and Google from the list of companies that could make a significant impact on the rapidly expanding IoT business. So what makes Atmel so special in the IoT arena?

The San Jose, California–based chipmaker has been proactively building its ‘SMART’ brand of 32-bit ARM-based microcontrollers that boasts an end-to-end design platform for connected devices in the IoT realm. The company with two decades of experience in the MCU business was among the first to license ARM’s low-power processors for IoT chips that target smart home, industrial automation, wearable electronics and more.

Goldman Sachs named Atmel a leader in the Internet of Things (IoT) market.

Goldman Sachs named Atmel a leader in the Internet of Things (IoT) market

A closer look at the IoT ingredients and Atmel’s product portfolio shows why Goldman Sachs called Atmel a leader in the IoT space. For starters, Atmel is among the handful of chipmakers that cover all the bases in IoT hardware value chain: MCUs, sensors and wireless connectivity.

1. A Complete IoT Recipe

The IoT recipe comprises of three key technology components: Sensing, computing and communications. Atmel offers sensor products and is a market leader in MCU-centric sensor fusion solutions than encompass context awareness, embedded vision, biometric recognition, etc.

For computation—handling tasks related to signal processing, bit manipulation, encryption, etc.—the chipmaker from Silicon Valley has been offering a diverse array of ARM-based microcontrollers for connected devices in the IoT space.

Atmel has reaffirmed its IoT commitment through a number of acquisitions.

Finally, for wireless connectivity, Atmel has cobbled a broad portfolio made up of low-power Wi-Fi, Bluetooth and Zigbee radio technologies. Atmel’s $140 million acquisition of Newport Media in 2014 was a bid to accelerate the development of low-power Wi-Fi and Bluetooth chips for IoT applications. Moreover, Atmel could use Newport’s product expertise in Wi-Fi communications for TV tuners to make TV an integral part of the smart home solutions.

Furthermore, communications across the Internet depends on the TCP/IP stack, which is a 32-bit protocol for transmitting packets on the Internet. Atmel’s microcontrollers are based on 32-bit ARM cores and are well suited for TCP/IP-centric Internet communications fabric.

2. Low Power Leadership

In February 2014, Atmel announced the entry-level ARM Cortex M0+-based microcontrollers for the IoT market. The SAM D series of low-power MCUs—comprising of D21, D10 and D11 versions—featured Atmel’s signature high-end features like peripheral touch controller, USB interface and SERCOM module. The connected peripherals work flawlessly with Cortex M0+ CPU through the Event System that allows system developers to chain events in software and use an event to trigger a peripheral without CPU involvement.

According to Andreas Eieland, Director of Product Marketing for Atmel’s MCU Business Unit, the IoT design is largely about three things: Battery life, cost and ease-of-use. The SAM D microcontrollers aim to bring the ease-of-use and price-to-performance ratio to the IoT products like smartwatches where energy efficiency is crucial. Atmel’s SAM D family of microcontrollers was steadily building a case for IoT market when the company’s SAM L21 microcontroller rocked the semiconductor industry in March 2015 by claiming the leadership in low-power Cortex-M IoT design.

Atmel’s SAM L21 became the lowest power ARM Cortex-M microcontroller when it topped the EEMBC benchmark measurements. It’s plausible that another MCU maker takes over the EEMBC benchmarks in the coming months. However, according to Atmel’s Eieland, what’s important is the range of power-saving options that an MCU can bring to product developers.

“There are many avenues to go down on the low path, but they are getting complex,” Eieland added. He quoted features like multiple clock domains, event management system and sleepwalking that provide additional levels of configurability for IoT product developers. Such a set of low-power technologies that evolves in successive MCU families can provide product developers with a common platform and a control on their initiatives to lower power consumption.

3. Coping with Digital Insecurity

In the IoT environment, multiple device types communicate with each other over a multitude of wireless interfaces like Wi-Fi and Bluetooth Low Energy. And IoT product developers are largely on their own when it comes to securing the system. The IoT security is a new domain with few standards and IoT product developers heavily rely on the security expertise of chip suppliers.

Atmel offers embedded security solutions for IoT designs.

Atmel, with many years of experience in crypto hardware and Trusted Platform Modules, is among the first to offer specialized security hardware for the IoT market. It has recently shipped a crypto authentication device that has integrated the Elliptic Curve Diffie-Hellman (ECDH) security protocol. Atmel’s ATECC508A chip provides confidentiality, data integrity and authentication in systems with MCUs or MPUs running encryption/decryption algorithms like AES in software.

4. Power of the Platform

The popularity of 8-bit AVR microcontrollers is a testament to the power of the platform; once you learn to work on one MCU, you can work on any of the AVR family microcontrollers. And same goes for Atmel’s Smart family of microcontrollers aimed for the IoT market. While ARM shows a similarity among its processors, Atmel exhibits the same trait in the use of its peripherals.

Low-power SAM L21 builds on features of SAM D MCUs.

A design engineer can conveniently work on Cortex-M3 and Cortex -M0+ processor after having learned the instruction set for Cortex-M4. Likewise, Atmel’s set of peripherals for low-power IoT applications complements the ARM core benefits. Atmel’s standard features like sleep modes, sleepwalking and event system are optimized for ultra-low-power use, and they can extend IoT battery lifetime from years to decades.

Atmel, a semiconductor outfit once focused on memory and standard products, began its transformation toward becoming an MCU company about eight years ago. That’s when it also started to build a broad portfolio of wireless connectivity solutions. In retrospect, those were all the right moves. Fast forward to 2015, Atmel seems ready to ride on the market wave created by the IoT technology juggernaut.

Interested? You may also want to read:

Atmel’s L21 MCU for IoT Tops Low Power Benchmark

Atmel’s New Car MCU Tips Imminent SoC Journey

Atmel’s Sensor Hub Ready to Wear

Majeed Ahmad is author of books Smartphone: Mobile Revolution at the Crossroads of Communications, Computing and Consumer Electronics and The Next Web of 50 Billion Devices: Mobile Internet’s Past, Present and Future.

Atmel and Sequitur Labs bring robust adaptive security to the IoT

1 Reply

The recent partnership highlights a new approach to IoT security and management along with ultra-secure hardware at Embedded World 2015.

Sequitur Labs, a developer of advanced security solutions and policy management for the mobile computing and connected devices markets, and Atmel will be demonstrating a joint platform for enhanced security and manageability of Internet of Things (IoT) devices and applications at Embedded World 2015 in Nuremberg, Germany.

The Seattle-based company has integrated their programmable, context aware security and manageability platform for embedded and smart gadgets with Atmel’s SAMA5D4 and SAM D21 MCUs, ATWINC1500 Wi-Fi modules, as well as ATECC508A crypto element devices employing ultra-secure hardware-based key storage. The joint solution significantly raises the bar on countering threats aimed at the IoT by implementing a system-wide, dynamic approach to security policy enforcement.

As recent reports suggest, the IoT market is projected to grow significantly with 69% of U.S. consumers planning to buy network-connected technology for their homes by 2019. And, with the number of intelligent devices entering the market on the rise, enhanced security and manageability of data becomes critical for IoT adoption. Threat vectors are expected to multiply quickly as connected nodes increase in volume with immense potential repercussions for business, critical infrastructure, medical systems, transport systems and personal data.

“Security and manageability of IoT nodes are the primary needs in this market. ‘Thing’ makers must stay ahead of the game by creating devices that are ‘secure by design’ and that employ a systems-driven approach. This means robust security and management need to be designed right from the outset and not added as an afterthought,” explained Phil Attfield, CEO of Sequitur Labs.

It should be noted that Sequitur’s security framework includes secure, policy driven command and control, enhanced data protection and hardware encryption, secure firmware updates, and programmable policy for greater customization.

“As a leader in security, Atmel is committed to delivering comprehensive, ultra-secure solutions to the billions of forthcoming connected devices,” said Bill Boldt, Atmel Senior Marketing Manager for Crypto Products. “Atmel’s innovative ecosystem partner, Sequitur Labs, is accelerating and simplifying IoT and embedded system development to provide the full complement of security capabilities, specifically confidentiality, data integrity and authentication. We are excited to work with Sequitur Labs to continue bringing ultra-secure, hardware-based key storage solutions to a wide range of applications including IoT, wireless, consumer, medical, and industrial, among others.”

The Sequitur Labs and Atmel product demonstration platform can be seen in the Atmel booth (4A-230) all week long at Embedded World. Additionally, Sequitur Labs CEO Phil Attfield will present “Reducing Risk and Liability of IoT with a Systems-based Approach to the 20 Critical Security Controls,” while Atmel’s very own Kerry Maletsky will explore “Making IoT a Reality—Leveraging Hardware Security Devices.”

Interested in learning more? Head over to Sequitur Labs’ official page here.

Forward secrecy made real easy

3 Replies

Taking a closer look at how ATECC508A CryptoAuthentication devices can help in providing robust authentication.

Forward secrecy, which is often referred to as Perfect Forward Secrecy (PFS), is essentially the protection of ciphertext with respect to time and changes in security of your cryptographic session keys and/or primary keying material over time.

A cryptographic session key is used to authenticate messages and encrypt text into ciphertext before it is transmitted. This thwarts a “man in the middle” from understanding the message and/or altering that message. These keys are derived from primary keying material. In the case of Public Key Cryptography, this would be the private key.

Unless you are implementing your own security in the application layer, you probably rely on the TLS/SSL in the transport layer.

The Problem

One can envision a scenario in which ciphertext was recorded by an eavesdropper over time. For a variety of reasons out of your control, your session keys and/or primary keying material are eventually discovered and this eavesdropper could decipher all of those recorded transmissions.

Release of your secret keys could be the result of a deliberate act, as with a bribe, a disgruntled employee, or even someone thinking they are “doing the right thing” by exposing your secrets. Or, it could be the result of an unwitting transgression from protocol. Equipment could be decommissioned and disposed of improperly. The hard drives could be recovered using the infamous dumpster dive attack methodology, thus exposing your secrets.

If you rely solely on transport layer security, your security could be challenged knowingly or unknowingly by third parties controlling the servers you communicate with. Recently leaked NSA documents shows powerful government agencies can (and do) record ciphertext. Depending on how clever or influential your snoopers are, they could manipulate the server system against you.

There are many ways your forward security could be compromised at the server level, including server managers unwittingly compromise it due to bad practices, inadequate cipher suites, leaving session keys on the server too long, the use of resumption mechanisms, among countless others.

Let’s just say there are many, many ways the security of your session keys and/or primary keying material could eventually be compromised. It only takes one of them. Nevertheless, the damage is irreversible and the result is the same: Those recorded ciphertext transmissions are now open to unintended parties.

The Solution

You can wipe out much of your liability by simply changing where encryption takes place. If encryption and forward secrecy are addressed in the application layer, session keys will have no relationship with the server, thereby sidestepping server based liabilities.This, of course, does not imply transport layer security should be discarded.

A public/private key system demonstrates the property of forward secrecy if it creates new key pairs for communication sessions. These key pairs are generated on an as-needed basis and are destroyed after a single use. Their generation must be truly random. In fact, they cannot be the result of a deterministic algorithm. Once a session key is derived from the public/private key pair, that key pair must not be reused.

Atmel’s newly-revealed ATECC508A CryptoAuthentication device meets this set of criteria. It has the ability to generate new key pairs using a high quality truly random number generator. Furthermore, the ATECC508A supports ECDH, a method to spawn a cryptographic session key by knowing the public key of the recipient. When these spawned session keys are purposely short-lived, or ephemeral, the process is known as ECDHE.

Using this method, each communication session has its own unique keying material. Any compromise of this material only compromises that one transmission. The secrecy of all other transmissions remains secure.

The Need for Robust Authentication

Before any of the aforementioned instances can occur, the identity of the correspondents needs to be robustly authenticated. Their identities need to be assured without doubt (non-repudiation), because accepting an unknown public key without robust authentication of origin could authorize an attacker as a valid user. Atmel’s ATECC508A provides this required level of authentication and non-repudiation.

Not only is the ATECC508A a cost-effective asymmetric authentication engine available in a tiny package, it is super easy to design in and ultra-secure. Moreover, it offers protective hardware key storage on-board as well a built-in ECC cryptographic block for ECDSA and ECDH(E), a high quality random number generator, a monotonic counter, and unique serial number.

With security at its core, the Atmel CryptoAuthentication lineup is equipped with active defenses, such as an active shield protecting the entire device, tamper monitors and an active power supply circuit which disallows the ability to “listen” for bits changing. The ECC-based solutions offer an external tamper pin, so unauthorized opening of your product can be detected.

Atmel launches next-generation CryptoAuthentication device

2 Replies

Atmel becomes first to ship ultra-secure crypto element enabling smart, connected and secure systems.

Just announced, the Atmel ATECC508A is the first device to integrate ECDH (Elliptic Curve Diffie–Hellman) security protocol — an ultra-secure method to provide key agreement for encryption/decryption, along with ECDSA (Elliptic Curve Digital Signature Algorithm) sign-verify authentication — for the Internet of Things (IoT) market including home automation, industrial networking, accessory and consumable authentication, medical and mobile, among many others.

Atmel’s ATECC508A is the second integrated circuit (IC) in the CryptoAuthentication portfolio with advanced Elliptic Curve Cryptography (ECC) capabilities. With built-in ECDH and ECDSA, this device is ideal for the rapidly growing IoT market by easily providing confidentiality, data integrity and authentication in systems with MCU or MPUs running encryption/decryption algorithms (such as AES) in software. Similar to all Atmel CryptoAuthentication products, the new ATECC508A employs ultra-secure hardware-based cryptographic key storage and cryptographic countermeasures which are more secure than software-based key storage.

This next-generation CryptoAuthentication device is compatible with any microcontroller or microprocessor on the market today including Atmel | SMART and Atmel AVR MCUs and MPUs. As with all CryptoAuthentication devices, the ATECC508A delivers extremely low-power consumption, requires only a single general purpose I/O over a wide voltage range, and available in a tiny form factor, making it ideal for a variety of applications that require longer battery life and flexible form factors.

“As a leader in security, Atmel is committed to delivering innovative secure solutions to the billions of devices to be connected in the IoT market,” explained Rob Valiton, SVP and GM of Atmel’s Automotive, Aerospace and Memory Business Units. “Atmel’s newest CryptoAuthentication IC is the first of its kind to apply hardware-based key storage to provide the full complement of security capabilities, specifically confidentiality, data integrity and authentication. We are excited to continue bringing ultra-secure crypto element solutions to a wide range of applications including IoT, wireless, consumer, medical, industrial, and automotive, among others.”

Key security features of the ATECC508A include:

Optimized key storage and authentication
ECDH operation using stored private key
ECDSA (elliptic-curve digital signature algorithm) sign-verify
Support for X.509 certificate formats
256-bit SHA/HMAC hardware engine
Multilevel RNG using FIPS SP 800-90A DRBG
Guaranteed 72-bit unique ID
I2C and single-wire interfaces
2 to 5.5V operation, 150-nA standby current
10.5-kbit EEPROM for secret and private keys
High-Endurance Monotonic Counters
UDFN, SOIC, and 3-lead contact packages

In the wake of recent incidents, it is becoming increasingly clear that embedded system insecurity impacts everyone and every company. The effects of insecurity may not only be personal, such as theft of sensitive financial and medical data, but a bit more profound on the corporate level. Products can be cloned, software copied, systems tampered with and spied on, and many other things that can lead to revenue loss, increased liability, and diminished brand equity.

Data security is directly linked to how exposed the cryptographic key is to being accessed by unintended parties including hackers and cyber-criminals. The best solution to keeping the “secret key secret” is to lock it in protected hardware devices. That is exactly what this latest iteration of security devices have, are and will continue to do. They are an inexpensive, easy, and ultra-secure way to protect firmware, software, and hardware products from cloning, counterfeiting, hacking, and other malicious threats.

Interested in learning more? Discover the latest in hardware-based security here. Meanwhile, you may also want to browse through recent articles on the topic, including “Is the Internet of Things just a toy?,” “Greetings from Digitopia,” “What’s ahead this year for digital insecurity?,” and “Don’t be an ID-IoT.”

Share this:

Like this:

A New Approach to Provisioning

Certified-ID Security Platform

Share this:

Like this:

Share this:

Like this:

Share this:

Like this:

What do you mean by “hackability?”

Which security features are lacking from Raspberry Pi?

Securing Raspberry Pi with silicon and software

ZymKey for secure remote device management

Secure software services

Stealth hardware

Life without ZymKey

Share this:

Like this:

Goldman Sachs named Atmel a leader in the Internet of Things (IoT) market

Share this:

Like this:

Share this:

Like this:

The Problem

The Solution

The Need for Robust Authentication

Share this:

Like this:

Share this:

Like this: