The document discusses hardware-based security solutions from multiple companies. It describes Infineon's OPTIGATM family of security chips which provide authentication, confidentiality, and integrity for IoT applications. It also discusses Maxim's DeepCover secure authenticators and microcontrollers which incorporate techniques like secure authentication, boot, and encryption to ensure device trustworthiness and protect against threats like counterfeiting or firmware attacks. Finally, it outlines NXP's security offerings including secure elements, microcontrollers, and processors that provide solutions from the network edge to the cloud.
Hardware based Security of Systems
Assignment #3: Hardware based Security
S-Name: NIK JAMAL CMS: 25994
OPTIGA™
EASY TO USE, RELIABLE EMBEDDED SECURITY SOLUTIONS FOR IoT APPLICATIONS
Infineon's OPTIGA™ family of security solutions is designed for easy integration into embedded systems to
protect the confidentiality, integrity and authenticity of information and devices. These hardware-based
security solutions scale from basic authentication chips to sophisticated implementations and are used in a
wide range of embedded applications, from consumer to industrial. Designed by the leading provider of
embedded security solutions, Infineon's OPTIGA™ combines sophisticated and strong security with ease of use
and wide-ranging implementation support for the customer. With OPTIGA™, customers get the full package: the
security chips with an operating system, plus libraries for the host controller, which makes it easy to get
started with IoT security right away. Additionally, customized implementation consulting and dedicated
security concepts for specific applications are available through the Infineon Security Partner Network
(ISPN).
1. OPTIGA™ TPM FAMILY – SLB 96XX
Key Features
Standardized security controller
TCG certified products
Products with TPM 1.2 and 2.0
Standard & extended temperature range (-40...85°C)
Firmware upgrades capability
SPI, I2C & LPC interface
VQFN-32 & TSSOP-28 package
CC and FIPS certification
Customer Values
Innovative security solutions provided by the market leader
High confidence level based on Common Criteria certification
Easy integration based on standardization
Applications
• Notebooks/PCs/tablets/servers
• Network systems and boards
• Industrial automation
• Home automation
• Automotive
1.1 OPTIGA™ TRUST B SLE95250
Key features
Strong, cost-efficient asymmetric cryptography with ECC 131-bit key length
Turnkey solution including host-side software for easy integration
512 bit user NVM
Easy-to-implement single-wire host interface
Life span counter for original parts
OPTIGA™ Digital Certificate (ODC) with device personalization (unique key pair per chip)
Size-optimized TSNP-6-9 package (1.1 x 1.5 mm)
Customer value
Lower system costs due to single-chip solution
Increased security with asymmetric cryptography and chip-individual keys
Easy integration thanks to full turnkey design
Applications
Battery authentication
IoT edge devices
IP & PCB design protection
Consumer accessories
Original replacement parts
Medical & diagnostic equipment
1.2 OPTIGA™ TRUST E SLS 32AIA
Key features
Advanced security controller
Turnkey solution
Full system integration support
I2C interface
Up to 3 K byte user memory
ECC 256 bit, SHA-256
Compliant with new USB Type-C standard
Standard & extended temperature range (-40...85 °C)
USON-10 package (3 x 3 mm)
Customer values
Protection of IP and data
Protection of business cases
Protection of company image
Safeguarding of quality and safety
Applications
Internet of things (IoT)
Industrial control and automation
Medical devices
Consumer electronics
Smart home
PKI networks
1.3 OPTIGA™ TRUST P SLJ 52ACA
Key features
High-end security controller with advanced cryptographic algorithms implemented in
hardware (ECC521, RSA2048, TDES, AES)
Common Criteria EAL 5+ (high) certification
Programmable Java Card operating system with reference applets for a variety of use cases
and host-side support
150 KB user memory
Small footprint VQFN-32 SMD package (5 x 5 mm)
ISO 7816 UART interface
Customer value
Confidence in a secured and certified solution
Increased flexibility based on programmable solution with reference applets to simplify
customization and integration
Protection of system integrity, communication and data
Applications
Industrial control system
Energy generation & distribution systems
Healthcare equipment & networks
Consumer electronics
Home security & automation
Network applications
DEEPCOVER SOLUTIONS FOR EMBEDDED SECURITY
The threats addressed include:
Counterfeiting
Hardware or software IP reverse engineering
Malware injection or firmware substitution
Eavesdropping
Identity theft
Unauthorized network connection
Unauthorized re-use
Secure device authentication, secure boot, and encryption are the answers to these attacks. DeepCover®
Secure Authenticators and DeepCover Secure Microcontrollers incorporate these techniques to ensure your
platforms are trustworthy. Trusted platforms, IP protection, secure download, and secure communication
are the most frequent requirements for IoT node security. Table 1 maps our DeepCover solutions to
common IoT needs.
DEEPCOVER SECURE AUTHENTICATORS
Secure Authenticators provide a core set of fixed-function crypto operations, secure key storage, and
numerous supplemental feature options including: secure download/boot processing, protected nonvolatile
memory for end application use, secure GPIO, decrement-only counters, session key generation, true
random number source, and encrypted R/W of stored data. In addition to cryptographic strength, all devices
provide advanced physical protection to address malicious die-level security attacks. As the inventor of the
revolutionary 1-Wire® interface, Maxim is a leader in the development of devices that connect to
nontraditional form-factors such as printer cartridges, medical disposables and battery packs.
Secure Authenticator Applications
Maxim’s secure authentication solutions solve a wide range of security issues including:
Common Application Requirements
Product Quality/Safety
Counterfeit Prevention
Secure Download/Boot
Use/Feature Control
IoT Device Integrity/Authenticity
Solved with Targeted Product Features
Bidirectional Authentication
Secure System Data Storage
Secure Use Counting
System Session Key Generation
Secure Memory Settings
Secure GPIO
Random Number Source
IoT Device Integrity/Authenticity
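The building blocks listed above (bidirectional authentication, per-device keys, secure use counting) can be modelled in software to see how they fit together. The following is an added example written for this page, not Maxim's DeepCover protocol or code: it uses a SHA-256 HMAC as the fixed-function crypto operation, derives each device's secret from a master secret and the device's unique ID, and models a decrement-only use counter whose value is bound into the authentication response. The master secret and device IDs are constructed sample values.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Added example (not Maxim's DeepCover protocol or code): a software model of
# bidirectional challenge-response authentication with a SHA-256 HMAC, a
# per-device secret derived from a master secret and the device's unique ID,
# and a decrement-only use counter. All secrets and IDs are constructed values.

MASTER_SECRET = bytes.fromhex(
    "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f")  # constructed


def derive_device_secret(master: bytes, device_id: bytes) -> bytes:
    """Per-device secret: extracting one device's secret does not reveal the master."""
    return hmac.new(master, b"device-secret|" + device_id, hashlib.sha256).digest()


def device_mac(secret: bytes, device_id: bytes, challenge: bytes, counter: int) -> bytes:
    """MAC the device computes: binds the host's challenge to its ID and remaining uses."""
    msg = b"device|" + device_id + challenge + counter.to_bytes(4, "big")
    return hmac.new(secret, msg, hashlib.sha256).digest()


def host_mac(secret: bytes, device_id: bytes, nonce: bytes) -> bytes:
    """MAC the host computes when the device challenges it (reverse direction)."""
    return hmac.new(secret, b"host|" + device_id + nonce, hashlib.sha256).digest()


class Authenticator:
    """Model of a fixed-function authenticator: the secret never leaves the object."""

    def __init__(self, device_id: bytes, secret: bytes, uses: int):
        self.device_id = device_id
        self._secret = secret
        self.uses_left = uses      # decrement-only counter
        self.unlocked = False      # protected memory opens only after host authenticates

    def respond(self, challenge: bytes) -> Tuple[int, bytes]:
        """Report the counter and a MAC over (ID, challenge, counter)."""
        return self.uses_left, device_mac(self._secret, self.device_id, challenge, self.uses_left)

    def consume_use(self) -> bool:
        """Decrement-only: never increments, refuses once exhausted."""
        if self.uses_left == 0:
            return False
        self.uses_left -= 1
        return True

    def verify_host(self, nonce: bytes, response: bytes) -> bool:
        """Device-side check of the host's answer to the device's nonce."""
        expected = host_mac(self._secret, self.device_id, nonce)
        self.unlocked = hmac.compare_digest(expected, response)
        return self.unlocked


class Host:
    """Host controller holding the master secret (in a real design, inside a secure IC)."""

    def __init__(self, master: bytes):
        self._master = master

    def authenticate_device(self, dev: Authenticator, challenge: Optional[bytes] = None) -> bool:
        challenge = challenge or secrets.token_bytes(32)
        counter, mac = dev.respond(challenge)
        secret = derive_device_secret(self._master, dev.device_id)
        expected = device_mac(secret, dev.device_id, challenge, counter)
        return hmac.compare_digest(expected, mac)   # constant-time comparison

    def answer_device(self, dev: Authenticator, nonce: bytes) -> bytes:
        return host_mac(derive_device_secret(self._master, dev.device_id), dev.device_id, nonce)


def mutual_auth(host: Host, dev: Authenticator) -> Tuple[bool, bool]:
    """Both directions: host verifies the device, then the device verifies the host."""
    device_ok = host.authenticate_device(dev)
    nonce = secrets.token_bytes(32)
    host_ok = dev.verify_host(nonce, host.answer_device(dev, nonce))
    return device_ok, host_ok


def make_genuine(device_id: bytes, uses: int) -> Authenticator:
    """Factory provisioning: the device receives only its own derived secret."""
    return Authenticator(device_id, derive_device_secret(MASTER_SECRET, device_id), uses)


if __name__ == "__main__":
    host = Host(MASTER_SECRET)
    genuine = make_genuine(b"\x00\x01\x02\x03\x04\x05\x06\x07", uses=2)
    clone = Authenticator(genuine.device_id, b"\x00" * 32, uses=2)   # right ID, wrong secret
    print("genuine:", mutual_auth(host, genuine))
    print("clone:  ", mutual_auth(host, clone))
    print("uses:", [genuine.consume_use() for _ in range(3)])
```

Because the counter value is covered by the MAC, a device cannot report a larger count than it holds, and a clone with the right ID but without the derived secret fails in both directions; a host that lacks the master secret is rejected by the device and never unlocks its protected memory.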
NXP – SECURE CONNECTIONS FOR A SMARTER WORLD.
Security is a race in the internet of things (IoT) and staying ahead is a major challenge. We know security is an
increasingly critical part of the connected solutions you use and design. Identity theft is at an all-time high.
Data privacy concerns are arising on pace with the growth of connected devices. And newly-connected
command and control systems present attractive targets for hackers.
We’re here to help you. NXP is the global leader in security solutions for personal identification, contactless
payment, authentication, data transport and application processing.
Our secure element – a specific integrated circuit for handling and storing secured data – features non-volatile
memory, a security CPU and crypto coprocessor, and additional security measures, to offer you the ultimate
protection against tampering and attack.
Secure designs – from the end node to the network to the cloud
We secure more types of end equipment than any other company in the world. From the edge of the network to
the gateway to the cloud, our broad portfolio of secure microcontrollers, high performance multicore
communications processors, applications processors, middleware and software ensures the devices you design
and use are protected. Our decades-long investment and expertise in security make us the partner of choice for
determining the security requirements of your next project.
How NXP helps you with your security and privacy needs
You don’t have to sacrifice performance to add security, either. Our QorIQ processors integrate crypto
acceleration that allows you to develop secure connections without a performance penalty for the world’s new
virtualized networks – ranging from the wireless infrastructure to the smart grid to the home.
And as the leader in security ICs, we allow you to choose from a complete range of ICs for smart cards, tags,
labels and readers, featuring many coprocessor, security, memory and interface options. We address all your
needs, from low-cost smart label ICs for high-volume supply chain management applications through to our
next-generation 32-bit smart computing platform for powerful multi-application smart cards.
NXP’S PILLARS OF SECURITY
Trust - The assurance that only access from a reliable source will occur
Code I/P Protection
Internal Memory Protection
External Memory Protection
Debug Port Protection
Authentication
Software Updates
Device Verification
Secure Boot
Cryptography - The science of protecting data through encoding and decoding
Symmetric Encryption
DES/DES3, AES
Asymmetric Encryption
RSA, ECC
Hashing
CRC, MD5, SHA
True Random Number Generation
Security Protocols
SSL, HomeKit, Thread
Tamper Resistance - Proactive monitoring of physical and environmental system attacks
Tamper Detection
Physical
Enclosure Intrusion
Drilling and Probing
Environmental
Voltage
Temperature
Frequency
Secure Storage
Introduction to the C29x family
The Freescale C29x crypto coprocessor family consists of three high performance crypto coprocessors
optimized for public key operations. Public key algorithms such as RSA, Diffie-Hellman, and Elliptic Curve
Cryptography (ECC) are the basis of the digital signature and key exchange protocols that make secure
transactions possible. By providing public key acceleration, C29x enables network and data center
infrastructure to handle the increasing rates of public key operations driven by IKE, SSL, DNSSEC, and secure
BGP while simultaneously supporting the longer key lengths mandated for modern encryption. Longer key
lengths are a significant performance issue. The US National Institute of Standards and Technology (NIST)
recommends replacing RSA 1024-bit keys with 2048-bit keys altogether by 2013. Doubling the length of an RSA
key increases the computational complexity by 5x or more. If a system needs thousands of transactions per
second or more, using C29x for public key offload is the most cost-effective means of meeting those
requirements. Many modern multi-core SoCs, including those offered by Freescale, offer cryptographic
acceleration; however, that crypto hardware is oriented toward bulk encryption performance. The performance
level of the integrated public key acceleration is generally sufficient for applications with modest session
establishment requirements, but Web 2.0 systems such as application delivery controllers, network admission
control appliances and remote access gateways must deal with far more connections per second, and integrated
public key acceleration becomes a performance bottleneck. C29x complements integrated bulk encryption
acceleration while allowing these different cryptographic functions to scale independently. While primarily
targeted toward public key operations, C29x does offer bulk encryption and hashing, including security header
and trailer processing for IPsec and SSL.
This product brief provides an overview of the Freescale C29x family of crypto coprocessor features, and
examples of C29x usage.
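The cost claim above (doubling the RSA key length raises the per-operation cost several-fold) is easy to observe directly, and it also shows what a public key accelerator actually has to compute. The following is an added example written for this page, not Freescale/NXP C29x code: a textbook RSA key generator using Miller-Rabin, the private-key operation done both as one full-size modular exponentiation and as the CRT split into two half-size exponentiations (the standard optimization hardware and software RSA implementations use), and a timing comparison between a 1024-bit and a 2048-bit modulus using Python's built-in `pow`. It is deliberately unpadded and not side-channel hardened; it exists to make the scaling visible, not to be used for real keys.

```python
import secrets
import time

# Added example (not Freescale/NXP C29x code): textbook RSA private-key
# operations, with and without the CRT split, timed at two key lengths to show
# why doubling the RSA modulus multiplies per-operation cost several-fold.
# Educational only: no padding, no side-channel hardening, no key validation
# beyond a primality test. Use a vetted library for real deployments.

SMALL_PRIMES = [p for p in range(3, 200, 2) if all(p % q for q in range(3, p, 2))]


def is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Trial division by small primes, then Miller-Rabin with `rounds` random bases."""
    if n < 2:
        return False
    if n == 2:
        return True
    if n % 2 == 0:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:          # write n-1 = d * 2^r with d odd
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2        # random base in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False                        # base a witnesses compositeness
    return True


def random_prime(bits: int) -> int:
    """Random prime with the top two bits set, so a product of two is exactly 2*bits long."""
    while True:
        cand = secrets.randbits(bits) | (3 << (bits - 2)) | 1
        if is_probable_prime(cand):
            return cand


def generate_key(bits: int):
    """Return (n, e, d, p, q) for a modulus of exactly `bits` bits (bits must be even)."""
    e = 65537
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            n = p * q
            assert n.bit_length() == bits
            return n, e, pow(e, -1, phi), p, q


def private_op(c: int, d: int, n: int) -> int:
    """Plain private-key operation: one full-size modular exponentiation."""
    return pow(c, d, n)


def private_op_crt(c: int, d: int, p: int, q: int) -> int:
    """Same result via two half-size exponentiations mod p and mod q (Garner recombination)."""
    dp, dq = d % (p - 1), d % (q - 1)
    q_inv = pow(q, -1, p)
    m1 = pow(c % p, dp, p)
    m2 = pow(c % q, dq, q)
    h = (q_inv * (m1 - m2)) % p
    return m2 + h * q


def time_private_ops(bits: int, reps: int = 5) -> dict:
    """Generate a key and time the private operation both ways; values are ms per op."""
    n, e, d, p, q = generate_key(bits)
    m = secrets.randbelow(n)
    c = pow(m, e, n)                            # public operation (encrypt/verify side)
    t0 = time.perf_counter()
    for _ in range(reps):
        direct = private_op(c, d, n)
    t1 = time.perf_counter()
    for _ in range(reps):
        crt = private_op_crt(c, d, p, q)
    t2 = time.perf_counter()
    if not (direct == crt == m):
        raise RuntimeError("private-key operation mismatch")
    return {"bits": bits,
            "direct_ms": (t1 - t0) / reps * 1e3,
            "crt_ms": (t2 - t1) / reps * 1e3}


def doubling_cost_ratio(small_bits: int = 1024) -> float:
    """How much slower the plain private operation gets when the modulus length doubles."""
    small = time_private_ops(small_bits)
    large = time_private_ops(2 * small_bits)
    return large["direct_ms"] / small["direct_ms"]


if __name__ == "__main__":
    for bits in (1024, 2048):
        r = time_private_ops(bits)
        print(f"RSA-{bits}: direct {r['direct_ms']:.2f} ms, CRT {r['crt_ms']:.2f} ms")
    print(f"2048/1024 cost ratio: {doubling_cost_ratio():.1f}x")
```

With schoolbook multiplication a modular exponentiation costs roughly the cube of the operand length, so the ratio printed for 2048 versus 1024 bits lands well above the "5x or more" the brief cites; the CRT variant recovers a constant factor (about 3 to 4x) but does not change that growth, which is why session-heavy systems push the operation onto a dedicated coprocessor.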
The C29x family devices are designed for the following two primary use cases:
• Public key calculator
• Secure key management module
1. Public key calculator
The most obvious use of a cryptographic coprocessor optimized for public key operations is to off-load public
key operations from a host CPU. When operating in this mode, C29x connects to the host via PCIe, with C29x
requiring no external memory (neither NVRAM nor DDR) and generally no peripheral ICs. The host handles packet
Rx and Tx functions, classification, protocol termination, and so on, and defines the operations it wants C29x
to perform via descriptors. In addition to public key operations, C29x can also support bulk encryption and
hashing, including security header and trailer processing for IPsec and SSL.
2. Secure key management module
In addition to performing cryptographic acceleration using keys managed by the external host, the C29x can
also use keys that are protected even from the host.
This use case leverages the Trust Architecture, first introduced in the Freescale QorIQ communication
processor family. The Trust Architecture gives the C29x secure boot and secure storage capability, ensuring
that factory-loaded keys can only be decrypted and used by the C29x when the C29x is executing trusted
software. Tamper detection and secure debug round out the Trust Architecture feature set. A more complete
description of the Trust Architecture can be found in Freescale's white paper "An Introduction to the QorIQ
Platform's Trust Architecture". As shown in the following figure, when operating as a secure key management
module, the C29x is a processing subsystem, complete with its own non-volatile memory, DDR, and optionally
Ethernet interfaces to either the external world or as a connection to the host. C29x can also be connected
to the host via PCIe.
3. C29x family and features
The C29x family consists of three family members: the C291, C292, and C293. All devices are pin compatible.
A logical block diagram of the highest performing family member, the C293, is shown below.
4. Features
Common features of C29x products include:
CPU and cache complex
32b e500v2 Power Architecture® core
32KB I and D caches
512 KB L2 cache
Hardware cache coherency
512KB platform SRAM
Up to three SEC (Security Engine) accelerator block(s)
One PCIe Gen 2.0 controller
x1, x2, x4
Main memory interface (optionally disabled in PK calculator use case)
16/32-bit DDR3/3L controller with ECC
Supports up to 4GBytes main memory in single bank
Dual-stacked and quad-stacked DDR devices also supported
Additional memory interfaces (optionally disabled in PK calculator use case)
Integrated flash controller
Supporting NOR and NAND (SLC and MLC) flash interfaces
Maximum of 8 banks, with a maximum of 256 MB of system memory mapped
on each bank
Enhanced secure digital host controller (SD/MMC) which can be used for booting device
using on chip ROM
Network interfaces (disabled in PK Calculator use case)
Two enhanced three-speed Ethernet controllers (eTSEC) supporting 10/100/1000Mbps
Supports RGMII/RMII interfaces
Trust architecture, supporting:
Secure boot
Secure debug
Tamper detection
Provisioning with one time programmable fuses
Hardware secret key protection
Option for battery backed secret key
Memory and register Access Control
NVRAM (only supported in secure key management module use case)
Slow speed interfaces (optionally disabled in PK calculator use case)
Dual I2C controllers
SPI controller used for booting with internal ROM, supporting Atmel Rapid-S and Winbond dual read
interface
Two UARTs
64-bit GPIO
Additional logic
Programmable Interrupt Controller
One four channel DMA
Power Management supporting the following modes
e500v2 modes
Sleep: core clock off, snooping off, cache flushed, clock to selected blocks switched off
Nap: core logic idle, no snoops
Doze: Core logic idle
Software transparent clock gating of SoC logic
Static disable of logic blocks, including SEC 1 and SEC 2
Package
783 pin FC-PBGA
29x29mm, 1.0mm pitch