Espressif ESP32 Wi-Fi module with Microchip ATECC608A Secure Element

An EBV Elektronik out-of-box secured IoT solution for volume applications: Enabling Espressif ESP32 Wi-Fi module with Microchip ATECC608A Secure Element

Ever since the early 2000s, when this term was first introduced, the Internet of Things (IoT) is in steady growth, with no signs of declining anytime soon. The concept itself is actually old, dating back to the ’70s. However, it has matured only recently: with the emerge of cheap but powerful microprocessors and microcontrollers, along with the entire supporting communication infrastructure, IoT hit the mass market and became one of the most lucrative businesses of today, with tens of billions devices connected online. However, with many connected devices participating in so many different aspects of our daily lives, IoT devices have become very appealing to hackers, presenting an easy entry point for their cyber-attacks. This is especially true in the industrial IoT (IIoT) environment, where cyber-attacks can have devastating consequences.

The most common challenges of modern IoT design

Modern IoT design presents many challenges to a system developer. The most common challenge is how to implement a robust yet reliable security solution while keeping both development time and costs to a minimum. Preventing intrusions and system-wide breaches is the top priority for any network: the security level of the network is as high as it is at its weakest node. By implementing reliable hardware-based security solutions, developers can achieve maximum system protection level, reducing the overall costs and time to market at the same time.

As mentioned before, any IoT node can represent an easy entry point into the entire IoT system. The potential attacker can gain easy access to the hardware, due to the very nature of the IoT network: either he can purchase the IoT device online, or he may attempt to access the IoT node remotely. With access to the physical hardware, breaking the security is mostly a matter of time and motivation. Therefore, the main goal of an advanced security solution is to make sure that the effort is simply not worth the gain.

A potential attacker can create a fake ID (ID spoofing) or change the firmware to work in his favor by tampering with the device itself. It can also eavesdrop on communication with cloud services if the security implementation is weak enough. A robust IoT secured implementation implies that all the devices are mutually authenticated with the cloud server, preserving data integrity, and encrypting traffic using strong cryptographic ciphers. A secure element can protect the identity of the device, store sensitive data, and run crypto-operations in a secure environment, providing a solid basis for a reliable and robust secured solution.

Microchip ATEC608A Secure Element

A Secure Element (SE) is designed to be used as a ‘root of trust’ or ‘trust anchor’ in a secure system. One such SE is the ATECC608A from Microchip, which offers a world-class hardware-based secure storage in the form of an EEPROM array, combined with an advanced cryptographic coprocessor. It provides an ultimate level of protection against invasive and non-invasive side-channel attacks, including chip decapping (delidding) and laser micro-probing, glitch injection, differential power analysis, execution time analysis, and similar methods based on different technologies.

The ATECC608A is a member of the Microchip CryptoAuthentication™ family of high-security cryptographic devices, supported by a dedicated software library in C language, which is easily portable to any MCU/MPU architecture. The ATECC608A is also a very resource-friendly device with very low power consumption between 14 mA (max) during the full load, and 30 nA (max) while in Sleep mode. Among other options, it features built-in ECDH and ECDSA capabilities, and it is compliant with the TLS 1.2/1.3 security protocols, making it a perfect choice for a reliable end-to-end IoT secured solution.

Why is the Microchip ATECC608A SE the right choice for a reliable IoT security?

Unlike software protection algorithms, hardware-based security is very tough to break. This is mostly due to the fact that once provisioned, the private keys never leave the protected environment of the SE: during the provisioning process, the private key is generated internally, using an integrated high-entropy True Random Number Generator (TRNG). It is then stored to a specific memory slot, configured as the Elliptic Curve Cryptography (ECC) private key storage. Private keys are unique to each device and can never be read; they can only be used internally, for authentication and verification purposes. The ATECC608A has a total of sixteen memory slots that can be fully configured and programmed by Microchip personalization service, thus making the part completely unique per customer.

As mentioned before, the Secure Element itself incorporates cutting-edge security countermeasures on a hardware level, preventing any physical attempts to obtain the private key from its secure location. On the other hand, one of the main disadvantages when using MCU/MPU-based security implementation is that due to their increased complexity, MCUs and MPUs do not have the luxury of incorporating such an extensive set of physical security countermeasures; that would significantly increase the manufacturing costs. As a result, these devices are especially prone to physical attacks, such as delidding and micro-probing. There are numerous other advantages and benefits when using Microchip ATECC608A SE:

• Microchip Trust Platform is a cost-effective, flexible on-boarding and personalization service, open to low volume.  
• This personalization service offers a unique part number per customer product, allowing for better control of the supply chain, and prevents overbuilding.
• The entire cloud back-end management can be simplified: for instance, when using the AWS cloud, there is no need to register an entire fleet of different IoT devices to a single account. A single shared intermediate certificate can be used to register multiple devices. The device registration process is then automated using AWS Just In Time (JIT) registration.
• The firmware can remain generic as credentials are loaded directly onto the personalized SE, simplifying firmware design, and firmware upgrade procedure.

For a more in-depth explanation and the complete list of features, be sure to visit Microchip official ATECC608A landing page at this LINK.

Espressif ESP32 module

The Espressif ESP32 series module is based on a powerful Tensilica Xtensa LX6 dual-core MCU and represents one of the best-recognized solutions for IoT development on the market. The ESP32 module includes a rich set of peripherals, featuring some of the most commonly used communication interfaces such as high-speed SPI, UART, I2S and I2C, Ethernet and SD card interfaces. It also includes a Hall sensor, low noise sensor amplifiers, and capacitive touch sensors, offering a wide range of options to work with.

The ESP32 module also includes some advanced cryptographic capabilities, including secure boot, flash encryption, and cryptographic hardware acceleration, allowing for improved security. However, the most distinctive feature of the ESP32 module is its wireless connectivity. The ESP32 module integrates Wi-Fi and BT/BLE connectivity, covering a wide range of use cases. Offering very low power consumption of less than 5 µA while in Sleep mode, Wi-Fi and BT/BLE wireless connectivity, a rich set of peripherals, and support from an IoT-friendly ecosystem, the ESP32 series module is the perfect choice for the development of a secure and cost-effective wireless solution.

The EBV ESP32Secure training kit

The ESP32Secure training kit is a solution developed by EBV Elektronik, offering a solid foundation for a secure and reliable IoT development. The ESP32Secure kit is designed as a carrier board for the ESP32-DevKitC V4, a popular ESP32 series development board from Espressif. Its software is based on the Espressif IoT Development Framework (ESP-IDF). It features out-of-the-box connectivity with AWS IoT and other AWS services, making it the perfect choice for rapid IoT prototyping and development.

In addition to the previously mentioned ATECC608A SE, the ESP32Secure carrier board is also equipped with a set of sensors from several different manufacturers. The sensors are mounted on a breakaway format PCB, which allows for greater design reuse and flexibility:

Sensor PCB 1 (NXP Semiconductors):

• FXOS8700CQ, a 6-axis sensor with an integrated linear accelerometer and magnetometer.
• PCT2075DP, a high accuracy digital temperature sensor, and thermal watchdog.

Sensor PCB 2 (Infineon):

• DPS422, a digital XENSIV™ barometric pressure and temperature sensor for portable and IoT devices.
• TLV493D, a 3D magnetic sensor with low power consumption.

Sensor PCB 3 (STMicroelectronics):

• LPS22HB, an absolute digital output barometer with a pressure range from 260 to 1260 hPa.
• HTS221, a capacitive digital sensor for relative humidity and temperature.
• LSM303AGR, a high-performance eCompass module: an ultra-low-power 3D accelerometer and a 3D magnetometer.

Sensor PCB 4 (Renesas):

• HS3001, a high-performance relative humidity, and temperature sensor.

Sensor PCB 5 (ams):

• CCS811, an ultra-low-power digital gas sensor for indoor air quality monitoring.
• ENS210, a highly accurate relative humidity and temperature sensor.
• TSL2572, a light-to-digital converter.

The ESP32Secure training kit is an integral part of a cutting-edge and cost-effective secured wireless connectivity solution offered exclusively by EBV Elektronik. The package includes the complete software solution, the whole training kit, and one full day training. It covers the entire life cycle of the solution: connecting to Amazon Web Services (AWS) cloud, automatic device registration, secure Over-The-Air (OTA) update, and ‘Works with Alexa’ functionality.

The training course also explains several important topics, including Espressif ESP32 security features (secure boot with memory encryption), Microchip ATECC608A device personalization with custom secrets, and integration into the Espressif TLS stack.

Please check at this LINK to register for upcoming dates for this course in your area.

Article by:

Darko Ilijevski & Thibault Richard