Yes, the IoT will spark billions of new connections. Yes, there will be tons of unattended and autonomous devices connected to the internet that need to be secured. And yes everybody knows it. So why do we still see headlines about hacks popping up on a daily basis? Because implementing security isn’t easy nor is it cheap.
Semiconductor manufacturers have understood this problem and are developing solutions in order to supply components that enable cost efficient and effortless implementation of protective features into applications.
The latest “weapon” for the fight against counterfeiting, cloning and hacking is the tiny but powerful STSAFE-A100 from STMicroelectronics.
The smart solution acts as a secure element and provides authentication and data management services to a local or remote host. More specifically if used in an IoT device the STSAFE-A connects to the local host via I2C-bus slave interface (with up to 400 Kbps transmission speed, true open-drain pads and 7-bit addressing). In this set-up the ST security chip authenticates to a remote host using the local host as a pass-through to the remote server.
Mounted onto an accessory or consumable the STSAFE-A authenticates to a local host. This would for example be the case when the secure element is used in games, mobile accessories or printer cartridges.
In both set-ups the STSAFE-A proofs to a remote or local host that a certain peripheral or IoT device is legitimate. Manufacturers can therefore control which peripherals can be used in conjunction with the original equipment. In addition the secure element can be used by service providers in order to ensure that a specific service is only provided to the appropriate IoT devices.
The authentication is secured using advanced asymmetric cryptography in form of the elliptic curve cryptography (ECC) scheme with NIST or Brainpool 256-bit and 384-bit curves. Furthermore digital signatures are generated utilising the elliptic curve digital signature algorithm (ECDSA) schemes with SHA-256 and SHA-384. In addition, it is compatible with the USB Type-C authentication scheme.
The communication with a remote host is secured via Transport Layer Security (TLS) handshaking. The key establishment relies on the ECC and computes the shared secret with the widely recognised Diffie-Hellman schemes ECDH and ECDHE.
Firmware updates of the local host profit from the signature verification capabilities of the STSAFE-A. The device is able to verify an ECDSA signature by using a public key provided by the local host which also offloads the task from local application processors with limited computing power and no ECC accelerator.
In addition the new secure element is able to secure one-way counters (e.g. for peripheral usage monitoring) and offers 6 Kbytes of non-volatile memory split into areas, whose read and write access rights can be configured to free access, local host access or remote host access.
In order to secure the exchange of sensitive information with the local host over the I2C line a secure channel can be set up based on AES-128-bit keys.
Adding to the benefits the STSAFE-A100 can also be used to encrypt or decrypt data between the remote host and the local host.
Apart from those valuable functions the new ST device further features an embedded secure operating system and is certified to Common Criteria EAL5+, banking-level security-industry standards.
Due to the beneficial combination of system on chip (SoC) including hardware, embedded software and pre-configuration features along with comprehensive host software libraries (portable to a wide range of general-purpose microcontrollers or microprocessors) and demonstration and prototyping tools (including ST’s Nucleo boards) the STSAFE-A represents a true turnkey solution. The complete security solution with small footprint helps designers to implement the security chip at low cost and without extensive security engineering knowledge into their applications.
Get more information and support with the new STSAFE-A100 by contacting EBV here.