A71CH Plug & trust for IoT Session 1: A71CH product introduction - - PowerPoint PPT Presentation

PUBLIC

JORDI JOFRE 24/04/2018

A71CH – Plug & trust for IoT

Session 1: A71CH product introduction

1

A71CH – Plug & trust for IoT

Session 1: A71CH product introduction

Get familiar with A71CH key security features, key benefits, use cases and product support package.

April 24th, 2018 - 10 AM CEST and 08 AM PDT

Session 2: Getting started with A71CH product support package

Learn how to get started with A71CH and its support package, including an example with i.MX6UltraLite.

April 26th, 2018 - 10 AM CEST and 08 AM PDT Registration link: https://register.gotowebinar.com/rt/6148121966411079939

2

Agenda

• A71CH motivation
• A71CH product positioning
• A71CH product overview and features
• A71CH product support package

−A71CH development boards −A71CH Host software package −A71CH documentation

• Q&A

3

A71CH motivation

4

IoT ecosystem

Gateway

IoT device

Connectivity Sensors / Actuator Host processor

• Fig. Simplified IoT device architecture

IoT device IoT device IoT device IoT device IoT device IoT device

Servers

The IoT is a network of physical objects (or “things”) embedded with electronics, software, sensors and connectivity which enable those objects to exchange data with the operator, manufacturer, service provider, and / or other connected devices. Connections · Data · Control

IoT is about …

Network

5

IoT devices are vulnerable to security threats

Gateway

IoT device IoT device IoT device IoT device

Network Servers

Security is like a chain that is only as strong as the weakest link

Execution of malware Extraction of device keys Exploit a SW bug Personal data leakage Disclosure of company secrets Insertion of counterfeit devices

IoT device IoT device

IoT device

Connectivity Sensors / Actuator Host processor

• Fig. Simplified IoT device architecture

Insecure connection

6

IoT device

IoT device IoT device IoT device IoT device IoT device IoT device

IoT devices must follow a secure-by-design approach

Gateway

• Fig. Simplified IoT device architecture

IoT device IoT device IoT device IoT device IoT device

Connectivity Sensors / Actuator Host Security IC

IoT device

IoT device

Network

Execution

• f malware

Extraction of device keys Exploit a SW bug Personal data leakage Disclosure of company secrets Insertion of counterfeit devices Insecure connection Security IC provides protected storage the device keys. Security IC provides protected storage of the device keys for creating a trusted and authenticated TLS connection. Security IC provides protected storage of the device credentials signed by a CA. Security IC contributes to the chain

• f trust for provisioning public key

Security IC contributes by preventing the device credentials to be compromised Security IC contributes by enabling an encrypted TLS connection with the endpoint. Security IC contributes by enabling an encrypted TLS connection with the endpoint.

7

Reasons to consider a security IC in IoT devices

Root of trust

Why a discrete security IC in IoT devices?

Out-of-the-box security Closed system  Security and key management through the whole value chain right from the start  Scalable and ready to deploy  No need to develop secure SW  On Chip NV Memory with access policy  Closed system architecture to isolate memory access from host system.  NV memory only accessible via Chip OS / Applet

Keep secrets secret

8

A71CH product positioning

9

A71CH: The fast, easy way to deploy secure IoT connections

Plug & Trust, ready-to-use security IC for the IoT ecosystem IoT solution for secure connection with public and private clouds Easy to integrate with different MCU platforms Fast design-in with complete product support package www.nxp.com/A71CH

10

A71CH Plug & Trust for IoT

Product Overview & Features

• I2C-bus slave interface: up to 400kbit/s
• Protected access to credentials
• ECC key generation & signature verification
• ECC-based authentication and key agreement (TLS-PKI, NIST P-256)
• Pre-shared secret based authentication (TLS-PSK, TLS-ECDH-PSK)
• Connectionless message authentication (HMAC), message hashing (SHA-256)
• Encrypted/authenticated interface as secure channel with host MCU
• Secure vault for product master secrets with key wrapping, derivation and locking

mechanism

• Symmetric key derivation
• Trust provisioning service by NXP and partners
• Temperature range: -40C to +90C operational ambient temperature
• Sleep & deep sleep modes
• Complete product support package including development kit, host SW package for

easy integration with the most common MCU/MPU platforms.

• Secure connection to public/private clouds, edge computing

platforms, infrastructure

• Device-to-device authentication
• Proof of origin / anti-counterfeiting
• Protected key storage
• Secure provisioning of credentials
• Secure data protection

Use Cases Interfaces

• Root of trust for IoT applications
• End-to-end security, from chip to edge to cloud
• Plug & Trust: Ready to use solution for easy system integration

Customer benefits

• HVSON-8

Packaging

• The A71CH security concepts include multiple security

measures to protect the chip.

• The A71CH operates completely autonomously based on an

integrated Java Card operating system and applet. Direct memory access is possible by the fixed functionalities of the applet only. With that, the content from the memory is entirely isolated from the host system.

• Protection from attack by integrated design measures in the

chip layout, the logic and the functional blocks.

Security features

11

Chain of trust based on Secure Element

Cloud / Network onboarding & device ID management Mutual authentication based on credential stored on SE (e.g., certificate based TLS). No key handling necessary at insecure stages of supply chain.

SoC SE

Hardware Protection for the secrets Pre-injected keys stored in hardware to identify genuine devices, all cryptographic calculations isolated in A71CH with its own resources (CPU, NVM, Co-Processors, etc.), hardware design with basic measures against physical attacks, such as probing, hardware manipulation, glitches and light. Physical / Logical separation Only indirect access by the instruction set of the A71 applet, no direct memory access from SoC. Lifecycle Management protects keys throughout product lifecycle from unauthorized access (overwriting, deleting, manipulation, etc.).

12

A71CH for protected key storage & provisioning of credentials

IoT device IoT device IoT device IoT device IoT device IoT device

IoT device

A71CH Host MCU

A71CH

Secure Storage Key pair #1 Key pair #2 Public key #1 Public key #2 Sym key #1 Sym key #2 Sym key #5 Sym key #6 General purpose storage

Secure storage of two monotonic counters (32 bit) Secure storage, generation and insertion of 4 key pairs (ECC NIST P-256) Secure storage and insertion of 3 public keys Secure storage, insertion of eight symmetric secrets (8X128 bits) Secure storage of general purpose data (e.g. digital certificates)

A71CH can be integrated as a slave device into the IoT to provide secure storage of credentials and crypto operations

Public key #3 Key pair #3 Key pair #4 Sym key #3 Sym key #4 Sym key #7 Sym key #8 Monotonic counter #1 Monotonic counter #2

13

A71CH for secure connection to public or private clouds

IoT device IoT device IoT device IoT device IoT device IoT device

IoT device

A71CH Host MCU

Gateway Network Cloud

End-to-end TLS connection

001010 001010

A71CH Cloud servers

The keys and certificates used to authenticate the cloud connection remain secure in A71CH

Authenticity Trusted connection Data privacy A71CH security IC supports the TLS Handshake protocol version 1.2

Public and private cloud service providers

14

A71CH for device proof of origin / anti-counterfeit

IoT device IoT device IoT device IoT device IoT device IoT device

IoT device

A71CH Host MCU

A71CH

The keys and certificates used to verify device authenticity remain secure in A71CH

Servers

I want to authenticate the device’s

• rigin in order to detect clones and

make sure there’s no counterfeit I want to make sure I am communicating with the genuine server

Server

IoT device authenticity verification Server authenticity verification

Authenticity is proved by the verification of signed random numbers

967949 125697

Certificates are used to bind public key with its owner.

15

A71CH for encrypted / authenticated interface to host processor

IoT device IoT device IoT device IoT device IoT device IoT device

IoT device

A71CH Host MCU

I2C

Host interface When using SCP03, Host processor and A71CH are mutually authenticated Setting up the SCP03 channel requires 3 128- bit AES keys (both on Host and A71CH side).

A71CH provides the option to bind the Host processor to the security IC by configuring it to use an SCP03 channel. A71CH Host MCU

I2C

SCP03 secure channel

SCP03 keys SCP03 keys

16

A71CH trust provisioning models

17

A71CH Trust Provisioning

Secure injection of keys and credentials, volume independent.

• For prototyping during development through A71CH Configure tool (part of

A71CH Host software package)

• For high volumes by NXP Trust Provisioning Service
• Through distributors and partners in programming centers
• To offer secure programming for mass market, we have partnered

with Data I/O, a leading company providing secure programming solutions.

• Data I/O has implemented programming scripts for A71CH on their

SentriX system.

IoT device

A71CH Host MCU

I2C

A71CH

Secure Storage Key pair #0 Key pair #1 Public key #0 Public key #1 Sym key #0 Sym key #1 Sym key #4 Sym key #5 General purpose storage Public key #2 Key pair #2 Key pair #3 Sym key #2 Sym key #3 Sym key #6 Sym key #7 Monotonic counter #0 Monotonic counter #1

Trust provisioning

Config keys (3)

18

Customer (SP, OEM)

AWS Just-In-Time Registration of Device Certificates

Launched in Nov 2016 – A71CH AWS CA either provided by programming facility or customer

AWS Service Provider Account NXP

A71CH

• 4. Register signing/intermediate

CA with AWS IoT.

• 6. Auto-registering device

certificates when devices connect to AWS IoT for the first time

Programming facility

Per customer set up

• 1. Create root CA (can be customer or

programming facility)

• 2. Create intermediate CA signed by

Root CA

• 3. Install intermediate CA in

programming equipment

• 5. Provisioning of the individual

device certificate signed by customer signing/intermediate certificate and a corresponding device individual key pair

19

A71CH product support package

20

A71CH product support package

Documentation A71CH Host software package A71CH development boards Extensive support documentation for facilitating product evaluation as well as the implementation process of the main use cases. Includes an A71CH Mini PCB board and an Arduino adaptor for i.MX, Kinetis and LPC boards. Comprehensive software package including A71CH Host SW API, sample applications, source code and API documentation

21

A71CH development boards

22

A71CH Arduino compatible development kit

OM3710/A71CHARD

A71CH Arduino compatible dev kit

Part number complete kit: OM3710/A71CHARD 12NC: 935368997598 Ordering: eCommerce

OM3710/A71CHARD contents

• A71CH mini PCB board (OM3710/A71CHPCB)
• Arduino interface header board

OM3710/A71CHARD features

• Arduino development kit based on Arduino adaptor

board and A71CH mini PCB board.

• A71CH development kit to connect the A71CH security

IC to any host featuring an Arduino compatible header.

www.nxp.com/OM3710

23

Kinetis board as VCOM port

USB / I2C bird /Ascot adaptor and VCOM board to PC

USB / I2C bird (OM3710/B001)

Note: For availability please contact your NXP representative.

OM3710/B001 contents

• I2C/USB dongle
• I2C data cable

OM3710/B001 features

• Complete I2C/USB set enabling connection to PC.
• It shall be complemented with A71CH Mini PCB board.

Features

• FRDM-K64F and FRDM-K82F can be configured as

VCOM boards after downloading a dedicated firmware.

• The VCOM port acts as a USB to I2C adaptor.

Part number complete kit: FRDM-K64F 12NC: 935326293598 Ordering: eCommerce Part number complete kit: FRDM-K82F 12NC: 935327211598 Ordering: eCommerce

24

A71CH Host software package

25

A71CH Host software package contents

A71CH Configure tool A71CH Host API documentation A71CH Host API source code A71CH API usage examples A71CH OpenSSL Engine examples

26

Host MCU

A71CH Host software architecture

OpenSSL Application Host Library OpenSSL Engine I2C

A71CH I2C The A71CH Host Library behaves as the interface between a host microcontroller application and the A71CH security IC. The A71CH Host Library translates function calls into APDUs that are transferred through an I2C interface to the A71CH security IC. Host MCU

Application Host Library mbedTLS ALT mbedTLS I2C VCOM

A71CH I2C

27

A71CH Configuration tool

Host MCU I2C

A71CH configure tool A71CH Host API

The A71CH Configure tool is a command line tool that supports the insertion of credentials into the A71CH. The A71CH Configure tool source code is part of the A71CH Host SW support package as well

Serial port

(SSH possible) e.g. i.MXUltraLite e.g. TeraTerm command line bash tool Configuration commands APDU commands Development PC

A71CH design tools: www.nxp.com/products/:A71CH?tab=Design_Tools_Tab

e.g.OM3710/A71CHARD

A71CH

Secure Storage Key pair #0 Key pair #1 Public key #0 Public key #1 Sym key #0 Sym key #1 Sym key #4 Sym key #5 General purpose storage Public key #2 Key pair #2 Key pair #3 Sym key #2 Sym key #3 Sym key #6 Sym key #7 Monotonic counter #0 Monotonic counter #1 Config keys (3)

28

A71CH API usage examples

A71CH Host MCU I2C

A71CH API examples A71CH Host API

The A71CH Host API usage example application is a sample project oriented to show the functionality of the A71CH Host library

Development PC e.g. i.MXUltraLite e.g.OM3710/A71CHARD e.g. TeraTerm command line bash tool A71CH responses APDU command / responses Serial port

The A71CH Host API usage examples: ex_aes, ex_config, ex_ecc_nohc, ex_gpstorage, ex_misc, ex_psk, ex_scp, ex_sst_kp, ex_boot, ex_walkthrough, ex_debug.

A71CH design tools: www.nxp.com/products/:A71CH?tab=Design_Tools_Tab

29

A71CH OpenSSL Engine TLS communication examples

Host MCU I2C

A71CH OpenSSL client- side scripts A71CH Host API

The A71CH OpenSSL Engine TLS connection examples show how to initiate a TLS/SSL- based communication between two devices acting as a client and a server

Serial port

Development PC e.g. i.MXUltraLite e.g.OM3710/A71CHARD e.g. TeraTerm command line bash tool APDUs

A71CH OpenSSL Engine

e.g. Linux machine (e.g. Ubuntu VM)

A71CH OpenSSL server- side scripts

TLS connection

A71CH

A71CH design tools: www.nxp.com/products/:A71CH?tab=Design_Tools_Tab

30

A71CH Host API documentation

31

A71CH documentation

32

A71CH documentation (I)

IoT security brochure A71CH product leaflet A71CH product short datasheet AN12121 – How to start a development with A71CH

• Scope: Highlights about A71CH key benefits, use cases, target applications and ordering details
• Link: https://www.nxp.com/docs/en/fact-sheet/A71CH-LEAFLET.pdf
• Scope: Educational whitepaper about IoT security needs and NXP value proposition.
• Link: https://www.nxp.com/docs/en/brochure/A71CH-IOT.pdf
• Scope: Provides a functional description, features, applications, pinning, operational conditions and characteristics
• Link: https://www.nxp.com/docs/en/data-sheet/A71CH-SDS.pdf
• Scope: Describes the support material available for designs based on the A71CH solution.
• Link: https://www.nxp.com/docs/en/application-note/AN12121.pdf

A71CH documentation: www.nxp.com/products/:A71CH?tab=Documentation_Tab

33

A71CH documentation (II)

AN12119 – A71CH Quick start guide for OM3710A71CHARD and i.MXUltraLite AN12133 – A71CH Host software package documentation AN12131 – A71CH for secure connection to AWS cloud AN12132 – A71CH for secure connection to OEM cloud

• Scope: Provides a detailed view of the A71CH Host software architecture and the A71CH application examples
• Link: https://www.nxp.com/docs/en/application-note/AN12133.pdf
• Scope: Guide for setting up the development environment for A71CH Arduino development kit and i.MX6UltraLite
• Link: https://www.nxp.com/docs/en/application-note/AN12119.pdf
• Scope: Detailed description on how the A71CH can be used to create a secure connection with AWS Cloud
• Link: https://www.nxp.com/docs/en/application-note/AN12131.pdf
• Scope: Detailed description on how the A71CH can be used to create a secure connection with the OEM Cloud
• Link: https://www.nxp.com/docs/en/application-note/AN12132.pdf

A71CH documentation: www.nxp.com/products/:A71CH?tab=Documentation_Tab

34

A71CH documentation (III)

AN12120 – A7CH for electronic anti-counterfeit protection AN12135 – A71CH Quick start guide for OM3710A71CHARD and Kinetis AN12134 – A71CH Quick start guide for Windows AN – A71CH Host software porting guidelines

• Scope: Guide for setting up the development environment for A71CH Arduino development kit and Kinetis boards
• Link:
• Scope: Describes how the A71CH can be used to implement a mutual authentication mechanism based on ECC crypto
• Link: https://www.nxp.com/docs/en/application-note/AN12120.pdf
• Scope: Guide for setting up the development environment for A71CH Arduino development kit in Windows
• Link
• Scope: Detailed guide for porting A71CH Host software to different MCU and MPU platforms.
• Link:

Available soon Available soon Available soon A71CH documentation: www.nxp.com/products/:A71CH?tab=Documentation_Tab

35

A71CH documentation (IV)

AN – A71CH trust provisioning options AN – A71CH for secure connection to more private and public cloud providers

• Scope: x
• Link:
• Scope: x
• Link:

Available soon Available soon A71CH documentation: www.nxp.com/products/:A71CH?tab=Documentation_Tab

Stay tuned More coming!

36

Closure

37

A71CH Plug & trust for IoT: Summary

A71CH key benefits

• Root of trust for IoT applications
• End-to-end security, from chip to edge to cloud
• Plug & Trust: Ready to use solution for easy system integration

Support for:

• MPU with i.MX 6 available now
• MCU with Kinetis K64F, KW41Z, K82 and more in April

Product website: www.nxp.com/A71CH Development kit: www.nxp.com/OM3710 Order info:

Item Description Package 12NC A7101CHTK2 Security IC with standard temp range (-25 to +85 °C) HVSON8, Reel, MoQ = 6k 9353 680 97118 A7102CHTK2 Security IC with extended temp range (-40 to +90 °C) HVSON8, Reel, MoQ = 6k 9353 635 15118 OM3710/A71CHARD OM3710/A71CHARD A71CH Arduino-compatible development kit 9353 689 97598

MCU/ MPU A71CH as an easy add-on to MPU & MCU for Secure Cloud Connection & Mutual Authentication

38

Thank you for your kind attention!

Please remember to fill out our evaluation survey (pop-up) Check your email for material download and on-demand video addresses Please check NXP and MobileKnowledge websites for upcoming webinars and training sessions

http://www.nxp.com/support/classroom-training-events:CLASSROOM-TRAINING-EVENTS www.themobileknowledge.com/content/knowledge-catalog-0

A71CH - Plug & trust for IoT

Jordi Jofre (Speaker) Angela Gemio (Host)

39

MobileKnowledge

MobileKnowledge is a team of HW, SW and system engineers, experts in smart, connected and secure technologies for the IoT world. We are your ideal engineering consultant for any specific support in connection with your IoT and NFC developments. We design and develop secure HW systems, embedded FW, mobile phone and secure cloud applications. Our services include:

▪ Secure hardware design ▪ Embedded software development ▪ NFC antenna design and evaluation ▪ NFC Wearable ▪ EMV L1 pre-certification support ▪ Mobile and cloud application development ▪ Secure e2e system design

We help companies leverage the secure IoT revolution

www.themobileknowledge.com mk@themobileknowledge.com