Hardware security on a silicon level: minimum effort for maximum protection
As the fourth industrial revolution gains momentum, demands for reliable yet cheap and simple IoT security solutions rise exponentially. Fast technological advancement brings easy access to the latest technologies for everyone. Unfortunately, that also includes potential attackers, who are given an opportunity to improve their tools and attack methods. Cyber-attacks are becoming more sophisticated and harder to detect.
This is where specialized secure elements such as the EdgeLock™ SE050 from NXP Semiconductors come into play. The secure element provides a root of trust at the IC level, offering multiple logical and physical protection layers, metal shielding, end-to-end encryption, memory encryption, and tamper detection, making it virtually impenetrable to hacker attacks.
As a turnkey solution ready to be used out of the box, the EdgeLock™ SE050 IoT secure element is fully supported with software libraries for many different MCUs and MPUs. It offers seamless integration with the most commonly used OSs, allowing for a simplified and flexible design-in, reduced development costs, and shorter time to market.
A closer look at the EdgeLock™ SE050
The EdgeLock™ SE050 is an IoT secure element, based on NXP’s Integral Security Architecture 3.0™. This turnkey solution provides everything required for the implementation of real end-to-end security in a variety of use cases. The SE050 is CC EAL 6+ certified up to OS level, providing a secure environment for the pre-installed NXP IoT applet. It provides edge-to-cloud security for IoT platforms, which is easy and cheap to implement, yet extremely safe and reliable.
The device allows simplified implementation for a wide range of use-cases, reducing the design-in time. Supported by the Plug & Trust Middleware, it offers pre-integration with the main OS (Android™, Linux®, and RTOS), example codes for various use cases, secure communication protocols, services, and interfaces, including Android KeyMaster, OPC-UA, MQTT, and PKCS11. An API layer allows communication with the IoT Applet on a hardware level.
The SE050 IoT secure element works as an auxiliary device connected to a host controller over the I2C interface, offering a powerful security stack. The SE050 secure element itself runs the embedded Java® Card Open Platform OS (JCOP OS) with a pre-installed IoT applet. Direct memory access is limited to the IoT applet itself and it is completely isolated from the host system.
Communication with the host controller is established over the I2C slave interface, which can be operated in HS mode at up to 3.4 MHz. The SE050 commands are wrapped using the smartcard T=1 over I2C (T=1oI2C) protocol. The SCP03 protocol (bus encryption and encrypted credential injection) is also supported, allowing for secured binding with the host controller. For more details about the SE050 commands and T=1oI2C protocol encapsulation, please visit the NXP DocStore.
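To make the T=1 wrapping concrete, the following added example (not NXP or Plug & Trust code) frames a command into chained blocks using the generic ISO/IEC 7816-3 T=1 layout and validates received blocks before they are acted on. The NAD value 0x00, the 254-byte information field size, the CRC-16 epilogue and its low-byte-first order are assumptions made for illustration; the values the SE050 actually uses are defined in NXP's T=1oI2C documentation.

```python
import struct

def crc16_x25(data: bytes) -> int:
    """CRC-16 of ISO/IEC 13239 (X-25): reflected poly 0x8408, init/xorout 0xFFFF."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0x8408 if crc & 1 else crc >> 1
    return crc ^ 0xFFFF

def build_iblocks(apdu: bytes, nad: int = 0x00, ifs: int = 254) -> list:
    """Split a command into chained I-blocks: NAD | PCB | LEN | INF | CRC16."""
    chunks = [apdu[i:i + ifs] for i in range(0, len(apdu), ifs)] or [b""]
    blocks = []
    for seq, inf in enumerate(chunks):
        more = seq < len(chunks) - 1
        # I-block PCB: bit 8 = 0, bit 7 = N(S) toggles per block, bit 6 = more-data
        pcb = ((seq & 1) << 6) | (0x20 if more else 0x00)
        head = bytes([nad, pcb, len(inf)]) + inf
        # Byte order of the epilogue is an assumption (low byte first)
        blocks.append(head + struct.pack("<H", crc16_x25(head)))
    return blocks

def parse_block(frame: bytes) -> dict:
    """Validate one received block and classify it; raise ValueError if malformed."""
    if len(frame) < 5:
        raise ValueError("frame shorter than prologue plus epilogue")
    nad, pcb, length = frame[0], frame[1], frame[2]
    if length > 254 or len(frame) != 3 + length + 2:
        raise ValueError("LEN does not match frame size")
    if struct.unpack("<H", frame[-2:])[0] != crc16_x25(frame[:-2]):
        raise ValueError("CRC mismatch")
    if pcb & 0x80 == 0:                      # I-block: carries command/response data
        fields = {"kind": "I", "ns": (pcb >> 6) & 1, "more": bool(pcb & 0x20)}
    elif pcb & 0xC0 == 0x80:                 # R-block: acknowledgement or error report
        fields = {"kind": "R", "nr": (pcb >> 4) & 1, "error": pcb & 0x0F}
    else:                                    # S-block: resync, IFS, abort, wait extension
        fields = {"kind": "S", "response": bool(pcb & 0x20), "type": pcb & 0x1F}
    return {"nad": nad, "inf": frame[3:3 + length], **fields}

if __name__ == "__main__":
    sample = bytes(range(256)) + bytes(44)   # constructed 300-byte payload, not a real SE050 command
    for blk in build_iblocks(sample):
        p = parse_block(blk)
        print(p["kind"], "N(S)=%d" % p["ns"], "more=%s" % p["more"], len(p["inf"]), "bytes")
```

The CRC only catches transmission errors on the bus; it is not a cryptographic check, which is why SCP03 is layered on top when the link to the host must be protected.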
ISO/IEC7816 and ISO/IEC14443 communication standards are both supported on the SE050.
The ISO/IEC7816 interface is used to emulate an I2C Master interface so that locally collected data can be verified before it is encrypted and transmitted securely to the host MCU/MPU, and on to the cloud or a server for further processing and analysis. The ISO/IEC14443 interface with a connected antenna enables the device to be pre-provisioned during manufacturing without being powered.
The SE050 supports a generic file system within the IoT applet, running on the embedded JCOP OS. It allows privilege management and the storing of so-called “secure objects” (entries in its filesystem). Basic file operations on secure objects are allowed, including read, write, delete, and update.
There are several types of secure objects supported by the SE050:
- Symmetric Key (AES, DES)
- ECC Key
- RSA Key
- HMAC Key
- Binary File
- User ID
- Hash-Extend Register
Each of these objects supports object-specific actions, such as key encryption/decryption, signing, verification, and importing and generating ECC and RSA keys. In addition, the SE050 allows secure objects to be linked to specific access control policies, scaling the functionality to a wide range of different ecosystems. Several authentication options are also available on the SE050 secure element:
- User-ID based authentication
- Symmetric key-based authentication with and without secure messaging
- Asymmetric key-based authentication with and without secure messaging
The SE050 secure element comes with pre-provisioned security credentials, deployed in a trusted environment. This ensures that the chain of trust is preserved. Because the private-public key pair never has to be generated externally, chances of a security breach are virtually eliminated when the SE050 secure element is used: the private key never leaves the secure environment of the device.
Another advantage of having pre-provisioned credentials is that they are already registered on some of the existing cloud services (such as the Google Cloud IoT Core Platform), which makes the SE050 a real turnkey solution.
However, besides providing commercial key deployment in a trusted environment, NXP Semiconductors also provides evaluation boards such as the OM-SE050ARD. It allows custom keys to be generated and injected manually, which is useful for testing purposes. More info about the evaluation board can be found on their official web page.
Why use the EdgeLock™ SE050?
The EdgeLock™ SE050 is an enhanced IoT security solution which can be implemented in many different use cases. Supported by the Plug & Trust middleware, it allows very simple implementation. It is produced in several different variants (A, B, C), offering features based on a specific use case. Packaged in a tiny HX2QFN20 (SOT1969-1) 20-pin case measuring only 3 x 3 mm, this is one of the most compact and affordable, yet reliable security solutions currently on the market.
Get more information and support with the new EdgeLock™ SE050 secure element by contacting EBV Elektronik support experts.