An EBV Elektronik out-of-box secured IoT solution for volume applications: Enabling Espressif ESP32 Wi-Fi module with Microchip ATECC608A Secure Element
Ever since the early 2000s, when the term was first introduced, the Internet of Things (IoT) has been growing steadily, with no signs of declining anytime soon. The concept itself is actually old, dating back to the ’70s. However, it has matured only recently: with the emergence of cheap but powerful microprocessors and microcontrollers, along with the entire supporting communication infrastructure, IoT hit the mass market and became one of the most lucrative businesses of today, with tens of billions of devices connected online. However, with many connected devices participating in so many different aspects of our daily lives, IoT devices have become very appealing to hackers, presenting an easy entry point for their cyber-attacks. This is especially true in the industrial IoT (IIoT) environment, where cyber-attacks can have devastating consequences.
The most common challenges of modern IoT design
Modern IoT design presents many challenges to a system developer. The most common challenge is how to implement a robust yet reliable security solution while keeping both development time and costs to a minimum. Preventing intrusions and system-wide breaches is the top priority for any network: a network is only as secure as its weakest node. By implementing reliable hardware-based security solutions, developers can achieve the maximum level of system protection while reducing overall costs and time to market.
As mentioned before, any IoT node can represent an easy entry point into the entire IoT system. The potential attacker can gain easy access to the hardware, due to the very nature of the IoT network: either he can purchase the IoT device online, or he may attempt to access the IoT node remotely. With access to the physical hardware, breaking the security is mostly a matter of time and motivation. Therefore, the main goal of an advanced security solution is to make sure that the effort is simply not worth the gain.
A potential attacker can create a fake ID (ID spoofing) or change the firmware to work in his favor by tampering with the device itself. The attacker can also eavesdrop on communication with cloud services if the security implementation is weak enough. A robust secured IoT implementation implies that all the devices are mutually authenticated with the cloud server, that data integrity is preserved, and that traffic is encrypted using strong cryptographic ciphers. A secure element can protect the identity of the device, store sensitive data, and run crypto-operations in a secure environment, providing a solid basis for a reliable and robust secured solution.
IoT device security threats summary
Microchip ATECC608A Secure Element
A Secure Element (SE) is designed to be used as a ‘root of trust’ or ‘trust anchor’ in a secure system. One such SE is the ATECC608A from Microchip, which offers world-class hardware-based secure storage in the form of an EEPROM array, combined with an advanced cryptographic coprocessor. It provides an ultimate level of protection against invasive attacks and non-invasive side-channel attacks, including chip decapping (delidding) and laser micro-probing, glitch injection, differential power analysis, execution time analysis, and similar methods based on different technologies.
The ATECC608A is a member of the Microchip CryptoAuthentication™ family of high-security cryptographic devices, supported by a dedicated software library written in C, which is easily portable to any MCU/MPU architecture. The ATECC608A is also a very resource-friendly device with very low power consumption: 14 mA (max) under full load and 30 nA (max) while in Sleep mode. Among other options, it features built-in ECDH and ECDSA capabilities, and it is compliant with the TLS 1.2/1.3 security protocols, making it a perfect choice for a reliable end-to-end IoT secured solution.
Why is the Microchip ATECC608A SE the right choice for reliable IoT security?
Unlike software protection algorithms, hardware-based security is very tough to break. This is mostly due to the fact that once provisioned, the private keys never leave the protected environment of the SE: during the provisioning process, the private key is generated internally, using an integrated high-entropy True Random Number Generator (TRNG). It is then stored in a specific memory slot, configured as Elliptic Curve Cryptography (ECC) private key storage. Private keys are unique to each device and can never be read; they can only be used internally, for authentication and verification purposes. The ATECC608A has a total of sixteen memory slots that can be fully configured and programmed by the Microchip personalization service, thus making the part completely unique per customer.
As mentioned before, the Secure Element itself incorporates cutting-edge security countermeasures on a hardware level, preventing any physical attempts to obtain the private key from its secure location. On the other hand, one of the main disadvantages of an MCU/MPU-based security implementation is that, due to their increased complexity, MCUs and MPUs do not have the luxury of incorporating such an extensive set of physical security countermeasures; that would significantly increase the manufacturing costs. As a result, these devices are especially prone to physical attacks, such as delidding and micro-probing. There are numerous other advantages and benefits when using the Microchip ATECC608A SE:
- Microchip Trust Platform is a cost-effective, flexible on-boarding and personalization service, open to low volume.
- This personalization service offers a unique part number per customer product, allowing for better control of the supply chain and preventing overbuilding.
- The entire cloud back-end management can be simplified: for instance, when using the AWS cloud, there is no need to register an entire fleet of different IoT devices to a single account. A single shared intermediate certificate can be used to register multiple devices. The device registration process is then automated using AWS Just In Time (JIT) registration.
- The firmware can remain generic as credentials are loaded directly onto the personalized SE, simplifying firmware design and the firmware upgrade procedure.
For a more in-depth explanation and the complete list of features, be sure to visit Microchip official ATECC608A landing page at this LINK.
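The flow described in this section, as an added example that is not part of the original article and is not EBV or Microchip code: a host-side Python model in which a hypothetical `SecureElement` class generates its P-256 key internally and exposes only the public key and a sign operation, and a hypothetical `cloud_accepts` check trusts a single shared signer key before challenging the device. The "certificate" is simplified here to a signer signature over the raw device public key, and the pure-Python ECDSA is for illustration only.

```python
import hashlib, secrets

# NIST P-256 parameters (the ECC curve the ATECC608A implements).
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)

def add(p, q):  # affine point addition (a = -3); None is the point at infinity
    if p is None or q is None:
        return p or q
    (x1, y1), (x2, y2) = p, q
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    m = ((3 * x1 * x1 - 3) * pow(2 * y1, -1, P) if p == q
         else (y2 - y1) * pow(x2 - x1, -1, P)) % P
    x3 = (m * m - x1 - x2) % P
    return x3, (m * (x1 - x3) - y1) % P

def mul(k, p):  # double-and-add; not constant time, acceptable for a model only
    r = None
    while k:
        r = add(r, p) if k & 1 else r
        p, k = add(p, p), k >> 1
    return r

def digest(msg):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big")

def sign(d, msg):
    k = secrets.randbelow(N - 1) + 1              # fresh per-signature nonce
    r = mul(k, G)[0] % N
    return r, pow(k, -1, N) * (digest(msg) + r * d) % N

def verify(pub, msg, sig):
    r, s = sig
    if not (0 < r < N and 0 < s < N):
        return False
    w = pow(s, -1, N)
    pt = add(mul(digest(msg) * w % N, G), mul(r * w % N, pub))
    return pt is not None and pt[0] % N == r

class SecureElement:
    """Hypothetical stand-in for the SE: the key is created inside and only used there."""
    def __init__(self):
        self.__d = secrets.randbelow(N - 1) + 1   # models internal TRNG key generation
        self.public_key = mul(self.__d, G)
    def sign(self, msg):
        return sign(self.__d, msg)

def pub_bytes(pub):
    return pub[0].to_bytes(32, "big") + pub[1].to_bytes(32, "big")

def cloud_accepts(signer_pub, device_pub, cert_sig, prove):
    """Cloud side: trust only the shared signer key, then challenge the device."""
    if not verify(signer_pub, pub_bytes(device_pub), cert_sig):
        return False                              # identity not issued by our signer
    nonce = secrets.token_bytes(32)               # fresh challenge defeats replay
    return verify(device_pub, nonce, prove(nonce))
```

A device that copies another device's public key and certificate still fails the challenge, because it cannot produce a signature with a private key that never left the original part.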
Espressif ESP32 module
The Espressif ESP32 series module is based on a powerful Tensilica Xtensa LX6 dual-core MCU and represents one of the best-recognized solutions for IoT development on the market. The ESP32 module includes a rich set of peripherals, featuring some of the most commonly used communication interfaces such as high-speed SPI, UART, I2S and I2C, Ethernet and SD card interfaces. It also includes a Hall sensor, low noise sensor amplifiers, and capacitive touch sensors, offering a wide range of options to work with.
The ESP32 module also includes some advanced cryptographic capabilities, including secure boot, flash encryption, and cryptographic hardware acceleration, allowing for improved security. However, the most distinctive feature of the ESP32 module is its wireless connectivity. The ESP32 module integrates Wi-Fi and BT/BLE connectivity, covering a wide range of use cases. Offering very low power consumption of less than 5 µA while in Sleep mode, Wi-Fi and BT/BLE wireless connectivity, a rich set of peripherals, and support from an IoT-friendly ecosystem, the ESP32 series module is the perfect choice for the development of a secure and cost-effective wireless solution.
Block diagram of the ESP32 module
The EBV ESP32Secure training kit
The ESP32Secure training kit is a solution developed by EBV Elektronik, offering a solid foundation for secure and reliable IoT development. The ESP32Secure kit is designed as a carrier board for the ESP32-DevKitC V4, a popular ESP32 series development board from Espressif. Its software is based on the Espressif IoT Development Framework (ESP-IDF). It features out-of-the-box connectivity with AWS IoT and other AWS services, making it the perfect choice for rapid IoT prototyping and development.
In addition to the previously mentioned ATECC608A SE, the ESP32Secure carrier board is also equipped with a set of sensors from several different manufacturers. The sensors are mounted on a breakaway format PCB, which allows for greater design reuse and flexibility:
Sensor PCB 1 (NXP Semiconductors):
- FXOS8700CQ, a 6-axis sensor with an integrated linear accelerometer and magnetometer.
- PCT2075DP, a high-accuracy digital temperature sensor and thermal watchdog.
Sensor PCB 2 (Infineon):
- DPS422, a digital XENSIV™ barometric pressure and temperature sensor for portable and IoT devices.
- TLV493D, a 3D magnetic sensor with low power consumption.
Sensor PCB 3 (STMicroelectronics):
- LPS22HB, an absolute digital output barometer with a pressure range from 260 to 1260 hPa.
- HTS221, a capacitive digital sensor for relative humidity and temperature.
- LSM303AGR, a high-performance eCompass module: an ultra-low-power 3D accelerometer and a 3D magnetometer.
Sensor PCB 4 (Renesas):
- HS3001, a high-performance relative humidity and temperature sensor.
Sensor PCB 5 (ams):
- CCS811, an ultra-low-power digital gas sensor for indoor air quality monitoring.
- ENS210, a highly accurate relative humidity and temperature sensor.
- TSL2572, a light-to-digital converter.
Block diagram of the ESP32Secure Training Kit
The ESP32Secure training kit is an integral part of a cutting-edge and cost-effective secured wireless connectivity solution offered exclusively by EBV Elektronik. The package includes the complete software solution, the whole training kit, and one full day of training. It covers the entire life cycle of the solution: connecting to the Amazon Web Services (AWS) cloud, automatic device registration, secure Over-The-Air (OTA) update, and ‘Works with Alexa’ functionality.
The training course also explains several important topics, including Espressif ESP32 security features (secure boot with memory encryption), Microchip ATECC608A device personalization with custom secrets, and integration into the Espressif TLS stack.
Please check at this LINK to register for upcoming dates for this course in your area.
ESP32Secure Training Kit
Authors:
Darko Ilijevski, Technical Writer and Editor, EBV Elektronik
Thibault Richard, Connectivity FAE, EBV Elektronik