Device Defense In-Depth
There are many factors to consider in the world of security for microcontroller-based designs. These include encryption, anti-cloning, tamper detection and more. MCU vendors are embedding these and more onto their latest chips.
There’s no doubt that embedded security is a multifaceted challenge. It’s no surprise, therefore, that technology solutions in this arena take many forms and address many different layers. On one hand, microcontroller (MCU) vendors continue to add more security features and certifications to their MCU devices themselves. This includes everything from cryptography certifications to secure payment standards to anti-cloning technologies and more.
Meanwhile, MCU vendors are also taking a direct role in ensuring cloud-based security and authentication so that their MCU devices can function securely in large, scalable Internet-of-Things (IoT) implementations. Over the past 12 months, MCU vendors have announced more security certifications and security features for their products while also offering rich solutions for ensuring security for cloud-to-device connections.
CMVP L3 SECURITY
There are multiple layers to consider when it comes to ensuring security in an embedded system. Fortunately, several MCU vendors are providing certified security technology right on their MCU devices. Along just those lines, in April Renesas Electronics announced that its 32-bit RX65N MCU (Figure 1) has achieved Cryptographic Module Validation Program (CMVP) Level 3 certification under the FIPS 140-2 security standard by the National Institute of Standards and Technology (NIST). Renesas claims that the RX65N was the world’s first general-purpose MCU to obtain level 3 certification.
The FIPS 140 standard is an essential security requirement for applications used by government agencies, financial institutions, public facilities and infrastructure, says Renesas. And it is becoming a de facto standard for security worldwide. Level 3 is a high security level with tamper detection/response and identity-based authentication mechanisms for devices used to handle financial information such as hardware security modules (HSMs) and smart cards. Using the certified RX65N MCU will make it easier for engineers to develop devices with robust and trustworthy security functions, which will contribute to a reduction in the development workload and reduced overall security risks.
The 32-bit RX65N from Renesas is a general-purpose MCU with security, connectivity and human-machine interface (HMI) functions suited for use in applications such as industrial and IoT devices. The RX65N incorporates the Trusted Secure IP (TSIP) module, which was already CAVP certified. The TSIP, which comprises an encryption engine with AES, SHA, RSA and ECC support, a true random number generator (TRNG) and an encrypted key management mechanism, implements robust security functions. The RX65N features dual-bank flash memory that supports background operation and SWAP function to enable secure and highly reliable firmware updates in system control or network devices and to prevent program tampering.
Since the RX65N is CMVP Level 3 certified, the other RX Family MCUs with the same TSIP, the RX651, RX66N, RX72N and RX72M can implement the security functionality equivalent. Renesas also offers a “Secure Cloud & Sensor Solution”  that combines the RX65N with Renesas sensors to allow users to upload sensor data to cloud services securely and easily.
SESIP3 AND PSA L3
In another example of security certifications at the MCU level, in August STMicroelectronics (ST) announced PSA Certified Level-3 and SESIP 3 certifications for its general-purpose secure STM32U585 MCU, passing tests for logical, board and basic physical resistance that confirm a substantial level of cyber protection (Figure 2).
With enhanced tamper resistance and software protection, the STM32U585 is also suitable for controlling PIN Transaction Security (PTS) equipment that must satisfy Payment Card Industry Security Standards Council (PCI SSC) requirements. As a secure, general-purpose MCU, the STM32U585 offers an all-in-one solution that simplifies the design and production of Point-Of-Sale (POS) and self-service payment terminals, says ST.
Typically, achieving recognition as an official PTS Approved Device requires a dedicated security chip to resist online and side-channel attacks, with a separate MCU to manage features such as the keyboard, display and USB connection. The STM32U585 can now consolidate all these capabilities, enabling a simplified design and streamlining production logistics from purchasing and inventory management to final assembly. Terminal makers can also test and certify their products to applicable standards such as PCI PTS v6 more quickly and easily.
The STM32U585 is compliant with Arm Trusted Base System Architecture (TBSA) requirements and features Arm TrustZone architecture. Numerous typical security features for connected devices are included, including cryptographic accelerators, secure data storage, secure firmware installation, secure boot and secure firmware update.
Additional security features further elevate cyber protection over and above that of typical general-purpose MCUs. These include internal monitoring that erases secret data in the event of a perturbation attack, which contributes toward meeting PCI SSC requirements for POS applications. Even further protection includes hardening of encryption of symmetric and asymmetric public-key accelerators (AES, PKA) against attacks with side-channel analysis (SCA), a hardware unique key for secure data storage, and built-in active tamper detection.
Ensuring superior cyber protection for cost- and power-conscious connected devices, the STM32U585 also provides high-end core performance and peripheral integration. The advanced Arm Cortex-M33 embedded core combines with rich peripherals including two analog-to-digital converters (ADCs), two digital-to-analog converter (DAC) channels, two op amps, two comparators, and multiple timer channels including general-purpose, low-power, and PWM motor-control timers. Advanced 40nm process technology and proprietary features developed by ST save power and boost performance. These include autonomous peripherals that can operate while the main circuitry sleeps to save energy, and selectable voltage regulators that cut dynamic consumption to under 19µA/MHz. The STM32U585 is in production now in a 7mm × 7mm UFBGA169 package.
PHYSICALLY UNCLONABLE FUNCTIONALITY
With billions of deployed devices and ongoing exponential growth, it’s no surprise that IoT devices are a favorite hacking target. In order to address such threats, in September Analog Devices (ADI) (formerly Maxim Integrated) unveiled its ultra-low power MAXQ1065 cryptographic controller featuring its proprietary ChipDNA physically unclonable functionality (PUF) technology. The technology offers the strongest protection for edge-to-cloud IoT nodes, including medical and wearable devices, against invasive security attacks, says ADI. The security co-processor provides 30x lower power when compared to similar products and its extended lifetime and operating range make it well-suited for long-term deployments in harsh environments (Figure 3).
The MAXQ1065 security co-processor provides turnkey cryptographic functions for root-of-trust, mutual authentication, data confidentiality and integrity, secure boot, secure firmware update and secure communications. It includes standard algorithms for key exchange and bulk encryption, or complete transport layer security (TLS) support. The device integrates 8KB of secure storage for user data, keys, certificates and counters with user-defined access control and life cycle management functionality for IoT equipment.
The MAXQ1065’s low power consumption and wide operating range makes it suitable for battery-powered applications, and the very small footprint and low pin count enable easy integration into medical and wearable devices. The MAXQ1065 life cycle management allows flexible access control rules during the major life cycle stages of the device and end equipment, ensuring long-term operation in harsh environments.
The device integrates ADI’s proprietary ChipDNA PUF technology, which protects against invasive attacks since any attempt to probe the PUF cryptographic destroys its value. The MAXQ1065 is also supported by ADI’s secure key preprogramming service for customers who want keys, data and life cycle state initialized prior to shipment to a contract manufacturer.
The MAXQ1065 includes a TLS/DTLS 1.2 command set built upon hardware-based ECDSA, ECDHE and AES for authentication, key exchange and secure communication. Additional countermeasures against security attacks include the irreversible ChipDNA PUF technology, which is used to cryptographically protect all stored data from discovery. The MAXQ1065 operates at 100nA during power down mode, which is 30x lower than comparable products, according to ADI.
CAR SECURITY CONTROLLER
Automotive security continues to get more complex as vehicles become more connected. With increasing electrification and connectivity, vehicles are at greater risk of cyberattacks, which can have serious consequences. For this reason, it is crucial that automotive manufacturers provide adequate protection of telematics data. Serving such needs, in October Infineon Technologies introduced its SLI37 automotive security controller (Figure 4). The company touts it as an easy to design in and reliable trust anchor to secure safety-critical automotive applications like 5G-ready eUICC (eCall), V2X communication, car access or SOTA updates.
The SLI37 offers an extended temperature range as well as a lifetime of 17 years. While it comes with benchmark quality resulting in very low failure rates, its biggest advantage is the ability to be used for multiple applications. For this reason, OEMs can focus on a single qualification and design-in process.
With more than 100 million eSIMs in the field, Infineon says that its SLI series has already proven its reliability. Now it additionally offers all automotive qualifications and certifications required by the industry including Common Criteria (CC) EAL 6+ and AEC-Q100. The SLI37 automotive security controller can be ordered now.
SECURE EDGE DEVICE MANAGEMENT
Managing IoT edge devices is hard enough. Doing it securely adds a whole layer of complication. Making things easier, in February NXP Semiconductors introduced the EdgeLock 2GO IoT service platform for easy, secure deployment and management of IoT devices and services. The IoT security platform is integrated with NXP’s CC EAL 6+ certified EdgeLock SE050 secure element to protect IoT devices at the edge and securely connect them to one or multiple clouds and service providers.
The EdgeLock 2GO platform, combined with NXP’s embedded EdgeLock SE050 secure element for advanced key protection and management, delivers end-to-end security–from chip to cloud–based on a certified Trust Anchor (Figure 5). The EdgeLock SE050 makes it easy to implement advanced security, and EdgeLock 2GO streamlines secure cloud onboarding and access to IoT devices from different service providers. NXP says that it also simplifies application credential management with zero-touch connectivity to public and private clouds, edge-computing platforms and infrastructure. NXP’s combination of secure element hardware and EdgeLock 2GO services makes it possible to manage security independently from device manufacturers and the supply chain.
EdgeLock 2GO is designed to allow device makers and service providers to easily onboard or transfer their devices into cloud platforms. It provides tailored options for customers to register their devices on Amazon Web Services (AWS) using Multi-Account Registration, Just-in-time Provisioning and Just-in-time Registration. NXP’s on demand webinar, hosted in collaboration with AWS, provides in-depth information on how the combination of EdgeLock SE050 and EdgeLock 2GO simplifies device onboarding to AWS IoT Core .
EdgeLock 2GO supports multiple types of credentials and any IoT device, from sensors to edge-computing platforms, with the ability to tailor the options for device roll-outs. This level of flexibility accelerates time to market with late-stage device configuration in the field. It also enables device makers and service providers to dynamically connect their IoT devices to multiple clouds and service providers.
Many IoT devices are designed to be in the field for several years, says NXP. Yet device manufacturers and service providers need to keep the security of their devices up to date throughout their lifecycle. Eliminating the need for device manufacturers to handle keys or certificates, EdgeLock 2GO makes it easy to maintain the security of the IoT devices in the field, and update, revoke or add new device credentials. This simplifies managing large fleets of IoT devices connecting to multiple cloud services.
EdgeLock 2GO consists of three tailored options that let engineers manage credentials the way that works best for them: EdgeLock 2GO Ready for simple use cases, such as device onboarding to public clouds with pre-previsioned EdgeLock SE050 ICs; EdgeLock 2GO Custom for creating custom EdgeLock SE050 ICs to support complex configurations; and EdgeLock 2GO Managed for managing credentials and multiple services throughout the device lifecycle. EdgeLock 2GO is part of the EdgeLock Assurance program. The EdgeLock Assurance program follows proven security development processes and verification assessments—from product concept through release—to help ensure customers receive trusted solutions for their security challenges.
Providing security for cloud-connect devices is a challenge. To make things easier, in October Infineon Technologies launched CIRRENT Cloud ID, a service that automates cloud certificate provisioning and IoT device-to-cloud authentication (Figure 6). The easy-to-use service extends the chain of trust and makes tasks easier and more secure from chip-to-cloud, while lowering companies’ total cost of ownership, says the company. Cloud ID is well suited for cloud-connected product companies in the industrial, consumer, healthcare, medical and manufacturing industries.
In the past, companies making IoT devices made trade-offs between IT complexity and security, says Infineon. They could choose complex and expensive solutions involving the installation of hardware security modules (HSM) in their manufacturing lines and requiring secure IT processes, or they could choose simpler solutions that were easier and less expensive to implement but had substantial security flaws. Infineon’s Cloud ID breaks that paradigm by providing cryptographic security with a cloud-based certificate delivery mechanism and simplifying manufacturing processes.
Cloud ID has multiple advantages over traditional approaches. It simplifies the manufacturing processes, while maintaining the capability to have individual certificates without complex IT systems and processes. It also provides asymmetric key security that leverage Infineon’s trusted security and the strength of the X.509 certificates without the complex infrastructure. CIRRENT Cloud ID comes with automatic provisioning to the cloud. Users can configure a cloud-to-cloud connection and provisioning with a private cloud, public cloud or AWS IoT Core. The service provides users the ability to monitor, track, and audit registration and provisioning. All of this lowers total cost of ownership by replacing NRE and operational costs of an HSM.
According to Infineon, Cloud ID is quick and easy to set up. A user sets up a free CIRRENT account and configures cloud-to-cloud connection between the CIRRENT Cloud ID Service and their Product Cloud. A Cloud ID compatible batch of chips, containing X.509 certificates, are delivered to the manufacturing location, where a technician registers them using a smartphone. The X.509 certificates are automatically provisioned to the product cloud. Users can log into the CIRRENT console to download their certificates, audit and track registrations and provisioning. Infineon CIRRENT Cloud ID is available now. You can get a free virtual kit at .
Ensuring a trusted secure embedded security implementation requires a huge engineering time commitment. Helping to address that problem, in 2019, Microchip Technology released its Trust Platform for its CryptoAuthentication family, calling them the industry’s first pre-provisioned solutions for hardware-based secure elements to companies of all sizes that want an easy way to implement secure authentication. In October, the company enhanced this service with the latest updates to its Trust Platform Design Suite (TPDS), its dedicated software platform for device configuration and onboarding to Microchip secure provisioning services for embedded security (Figure 7).
TPDS version 2 (v2) software now enables Microchip partners to add use cases to its security solutions onboarding ecosystem. This is expected to further expand developers’ already broad options for implementing best-in-class security. It also now includes support for additional security solutions such as the TA100, the first cryptographic companion device for the automotive market.
According to Microchip, it can take an experienced firmware engineer months to specify an application’s threat model and develop a security use case that encompasses all necessary measures related to secure authentication, secure boot, IP protection and more. The two main challenges are configuring the device’s security boundaries and provisioning secrets including private keys as well as symmetric secrets and other forms of secret data.
The TPDS software simplifies this process by providing pre-defined use cases addressing the most common market requirements. It is available with two of the three Trust Platform flows: Trust&GO and TrustFLEX. These programs enable new secure projects to be prototyped in a matter of minutes with TPDS v2, while giving customers options based on the size of their deployment, use case requirements and how much customization they need.
With Trust&GO, devices are pre-defined and pre-provisioned, off-the-shelf, for secure cloud authentication in both TLS-based and LoRaWAN-based networks, with a Minimum Orderable Quantity (MOQ) of just 10 units. Meanwhile, embedded system developers can use TrustFLEX’s pre-configured devices either with default generic certificates or their own credentials (Custom PKI), while benefitting from an even broader range of predefined uses cases than are available with the Trust&GO program.
To address the most demanding use cases, Microchip’s TrustCUSTOM family gives customers the freedom to fully define the secure authentication configuration and fully customize secure key storage. With its fully integrated onboarding flow, the TPDS v2 software allows a customer to select a security solution, validate its use case, prototype it and then start the process of secure provisioning, all in a few simple steps.
One of the biggest advantages of TPDS v2 is that it enables third-party partners to add their own use cases to improve customer options for secure element onboarding and security features, says the company. Among Microchip’s partners is EBV Elektronik (Avnet Group). EBV Elektronik enables TPDS v2 users to connect to the Avnet IoTConnect Cloud quickly and securely through the ATECC608B TrustFlex configuration using the EBV-IoT “Secure Shield” evaluation kit.
The TPDS v2 allows users to onboard with security through training videos and interactive application notes spanning a variety of use cases. Users can develop their applications based on the selected use cases, finalize the security solution configuration and perform the secret key exchange. They can also procure verification samples and start production. The TPDS is supported on Windows and macOS environments. The TA100 configurator is only available for the Windows platform.
TLS STACK AND CRYPTO LIBRARY
Not all security expertise can be provided in house. That’s why MCU vendors have partnered with key software providers to offer enhanced embedded security solutions. In an example along those lines, in October Renesas Electronics and WolfSSL announced a multi-year licensing agreement whereby customers of Renesas’ 32-bit MCUs can obtain a free commercial license for the WolfSSL TLS (Transport Layer Security) stack with integrated Renesas hardware security engine support plus the FIPS-certified wolfCrypt crypto library (Figure 8). All customers of Renesas RA Family, RX Family, and Synergy Platform MCUs are eligible for the commercial license, which includes technical support from WolfSSL.
TLS is the world-wide standard for securing internet communications. A TLS solution built on certified, integrated hardware security engines such as the Renesas TSIP (Trusted Secure IP) and SCE (Secure Crypto Engine) provides the ultimate mechanism to create secure IoT products. The WolfSSL embedded TLS stack is a lightweight TLS solution written in ANSI C and targeted for embedded, RTOS and resource-constrained environments—primarily because of its small size, speed and feature set.
WolfSSL supports industry standards up to the current TLS 1.3 and DTLS 1.2 levels, and is up to 20 times smaller than OpenSSL. In addition to full integration with the Renesas MCU’s hardware security engines, WolfSSL includes the wolfCrypt lightweight crypto library, which has been certified to FIPS 140-2 Level 1. wolfCrypt supports the most popular algorithms and ciphers as well as progressive ones such as post-quantum key exchange available through available through the Open Quantum Safe project’s liboqs.
 Secure Cloud & Sensor Solution https://www.renesas.com/us/en/application/home-building/secure-cloud-sensor-solution
 Infineon CIRRENT Cloud ID. To learn more about it or to try it out for yourself with the free virtual kit, visit www.cypress.com/CIRRENTCLOUD_ID
Analog Devices | www.analog.com
Infineon Technologies | www.infineon.com
Maxim Integrated | www.maximintegrated.com
NXP Semiconductors | www.nxp.com
Microchip Technology | www.microchip.com
Renesas Electronics | www.renesas.com
STMicroelectronics | www.st.com
WolfSSL | www.wolfSSL.com
PUBLISHED IN CIRCUIT CELLAR MAGAZINE • DECEMBER 2021 #377 – Get a PDF of the issueSponsor this Article