Security ICs
World-class embedded security solutions ensure trust for every system design
Trust is what security is really all about today. Microchip security products make "trust" easy to embed in any system. Flexibility, advanced features, innovative cost-effective architectures and ultra-secure hardware defense mechanisms make Microchip hardware-based security devices an ideal way to add trust by design at scale. The most common use cases are:- IoT cloud authentication
- Automotive security
- Accessory authentication
- Counterfeit protection
- IP protection
- Firmware validation
Secure Element Portfolio
CryptoAuthentication™ products — Offers product designers an extremely cost-effective, easy to design, tiny and ultra-secure hardware authentication capability.
Trusted Platform Module — The Microchip Trusted Platform Module (TPM) provides strong hardware-based public key (RSA) security on a single device for personal and tablet computers as well as embedded processor-based systems.
CryptoMemory® products — The Microchip CryptoMemory family offers a range of cost-efficient, high-security electrically erasable programmable read-only memory chips (EEPROMs) and host-side security for applications requiring comprehensive data protection.
CryptoRF® products — Microchip CryptoRF is a 13.56 MHz RFID device family employing a 64-bit embedded hardware encryption engine, mutual authentication and up to 64 Kbits of user memory.
CryptoAuthentication™ Devices
TLS
- Generic TLS implementation
- Public Key Infrastructure (PKI)
- ECC hardware accelerator
- Anti Tampering
- TLS stack partners
Public Cloud
- Private key isolation from software backdoors
- In-manufacturing key Provisioning service
- Mutual Authentication
- Cloud Partner Use Cases
Counterfeit Protection
- ECC/SHA/AES hardware accelerators
- Anti Tampering
- Secure boot
- Anti-Cloning
- Security design partner network
Cloud Authentication
AWS IoT Greengrass Hardware Security Interface (HSI)
For the ATECC608A Secure Element
When it comes to IoT security, private keys are the most sensitive material. If a private key is accessed by an unintended party, that person can now impersonate the IoT hardware and undertake undesired or malicious operations. Because of this, the most basic security practice to follow is to implement a secured hardware root of trust to remove exposure of private keys to software, firmware, manufacturing sites, end users or other third parties. Microchip’s ATECC608A secure element provides a JIL “high” rated secure key storage area to isolate keys. This is especially valuable in Linux® environments where software is a living entity and software backdoors to keys are likely to show up.
To further help adding hardware secure key storage, Amazon Web Service (AWS) offers IoT Greengrass Hardware Security Integration as part of its IoT Greengrass Core software. It is an interface between the IoT Greengrass Core and a hardware secure module based on PKCS#11. The ATECC608A is used in this implementation as the hardware secure key storage to isolate private keys needed for the authentication between AWS IoT and AWS IoT Greengrass from the Linux-based system enabled with IoT Greengrass. This microprocessor-agnostic solution adds true hardware secure key storage to any Linux-based IoT products. The ATEC608a is now part of the AWS Device Qualification Program supporting AWS IoT Greengrass.
Benefits of using the AWS IoT Greengrass Hardware Security Integration:
- Leverage secure elements for AWS IoT Greengrass ecosystems
- Provide a unique, trusted and protected identity
- Optimum hardware security with secure key storage
- Use standard PKCS#11 interface
- Anti-tampering protection
- Side-channel attack protections
- JIL rated “high” secure key storage
Trusted and Secure Authentication with ATECC508A for AWS IoT
Why would you harden your IoT Security with the ATECC508A for AWS IoT?
An easy way to hack an IoT device today is to physically attack the embedded system and spoof the private key which is likely located in the clear of a microcontroller memory. But hacking a single device or transaction is typically not of value to an attacker. Hackers are looking for weaknesses that will enable them to exploit a large number of connected devices. Once the keys are spoofed, the devices are accessed, a scalable remote attack can be launched leveraging the corrupted IoT devices as entry points
Trusted and Secure Authentication with ATECC608A for AWS IoT
Why would you harden your IoT Security with the ATECC608A for AWS IoT?
Securing communication with a Cloud service and manipulating keys comes with many challenges: storing and using keys in the microcontroller exposes them, operating systems and software have bugs, the Heartbleed bug for OpenSSL was notable by easily exposing keys. Consequently, governments and corporations across the globe are working to protect individual identities and privacy. Strong authentication is the start of robust security. This leads cloud providers to push towards hardware-based security to obtain strong device identity protection, prevent identity spoofing, but also to protect against unauthorized firmware updates and prevent proliferation.
An easy way to hack an IoT device today is to physically attack the embedded system and spoof the private key which is likely located in the clear of a microcontroller memory. But hacking a single device or transaction is typically not of value to an attacker. Hackers are looking for weaknesses that will enable them to exploit a large number of connected devices. Once the keys are spoofed, the devices are accessed, a scalable remote attack can be launched leveraging the corrupted IoT devices as entry points
Trusted and Secure Authentication with ATECC608A for Google Cloud IoT Core
Why would you harden your IoT Security with the ATECC608A for Google Cloud IoT Core?
Securing communication with a Cloud service and manipulating keys comes with many challenges: storing and using keys in the microcontroller exposes them, operating systems and software have bugs, the Heartbleed bug for OpenSSL was notable by easily exposing keys. Consequently, governments and corporations across the globe are working to protect individual identities and privacy. Strong authentication is the start of robust security. This leads cloud providers to push towards hardware-based security to obtain strong device identity protection, prevent identity spoofing, but also to protect against unauthorized firmware updates and prevent proliferation.
An easy way to hack an IoT device today is to physically attack the embedded system and spoof the private key which is likely located in the clear of a microcontroller memory. But hacking a single device or transaction is typically not of value to an attacker. Hackers are looking for weaknesses that will enable them to exploit a large number of connected devices. Once the keys are spoofed, the devices are accessed, a scalable remote attack can be launched leveraging the corrupted IoT devices as entry points
LoRa Secure Authentication with the ATECC608A Secure Element
Security With The Things Industries Join Servers
When it comes to LoRa security, provisioning and storing network server and application server keys is as important as it is complex. Because of this, it is also a known security weakness that attackers may try to use to exploit your system by accessing these keys. This can be avoided by implementing a secure hardened key storage both at the node and in the LoRaWAN™ backend which will strengthen the authentication process by removing exposure of authentication keys to software, firmware, manufacturing sites, end users and other third parties. Microchip’s ATECC608A-MAHTN secure element provides a JIL “high” rated secure key storage to isolate keys in the nodes. This is especially valuable in LoRa systems which are based on a shared key security model and leverage a wide variety of traditional low-power microcontrollers.
To make adding hardware secure key storage easier, the secure element is paired with The Things Industries' (TTI) join server service for turnkey secure authentication. The corresponding AES128 authentication keys are also hosted and protected in TTI’s managed join servers. Through a claim procedure via the TTI portal, the protected keys in the secure element are “claimed” and then owned by the company. This process simplifies the cumbersome unsecure provisioning practice used without secure key storage. This join server is completely agnostic to the network server and/or application server providers to preserve business scalability by leaving freedom of choice to the architects. Flexibility doesn’t stop here, the ATECC608A-MAHTN secure element is a microcontroller-agnostic solution that adds true hardware secure key storage to any LoRa-connected products.
Benefits of using The Things Industries join server for LoRa-based designs
- Add secure elements to LoRaWAN 1.0.x and 1.1
- One year of TTI join server access included
- Microcontroller-agnostic secure element
- Network and application server agnostic TTI join server
- Leverage Microchip’s secure provisioning service
- Ability to provide a unique, trusted, protected and managed identity
- Supported by Microchip and Arm® LoRaWan stacks
- Pre-configured authentication, secure boot
- Re-keying capability between TTI join servers and the secure element
- JIL rated “high” secure key storage
- Protection against anti-tampering, side-channel attacks
Counterfeit Protection Benefits
Not only do discounted and counterfeit copies corrupt a corporation’s brand image, but they can also negatively impact its revenue streams. Counterfeit protection is critical in preventing such losses. Preserving brand image is not just about attracting new customers; it’s imperative for customer satisfaction and retention, as well. Key to this is the code’s authenticity. The IP protection attached to a brand must be part of product development from inception through all phases of a product’s life cycle. When proper technical protection of the IP is established, revenue protection and optimal user experience is more easily maintained and controlled once the product hits the market. Microchip’s CryptoAuthentication devices offer the protection necessary to empower companies to keep control of their future within their hardware designs.
Physically isolate keys and secret from the application
 |
Trusted Storage In order to establish a robust counterfeit protection strategy, trust in the design, the device provider, the manufacturer must be optimum to decrease potential back-door and threats. The main philosophy is to completely isolate keys and secrets from any software exposure at any point of time of the product development as well as when the product is in the user’s hands.nds. |
 |
Physical Protection Microchip CryptoAuthentication devices integrates various vital features to strengthen your security at the root of the hardware design. The secure element portfolio is architected with various anti-tampering techniques and locking mechanisms such as active shield and side attack counter measures. |
 |
Cryptography The capability of generating randomness is arguably the most critical block within a security device after secure storage. The CryptoAuthentication devices embeds a unique serial number per device, and most importantly provide high entropy FIPS certified random number generators (RNG). |
 |
Trusted Provisioning Trust cannot rely only on the device but also on the manufacturing process. Exploiting human users and 3rd party weaknesses is one of the preferred target of hackers. Customers can now leave this burden to Microchip secured factories and leverage our trusted provisioning service already used by thousands of companies. |
ECC based
- Public Key Infrastructure (PKI)
- High quality Random Number generator
- ECC hardware accelerator
- ECDSA-ECDHE key agreement
- NIST ECC-P256 curve
- Integrated SHA256 hash with HMAC option
SHA based
- Cost effective symmetric authentication
- SHA256 hardware hash algorithm with MAC
- HMAC option
- 4.5kb EEPROM for key and data
- Guaranteed unique serial number
AES based
- AES-CCM authentication
- AES128 hardware accelerator
- 32kb EEPROM split in 16 slots
- 16 secured slots of 128 bit for key storage
- 16 high endurance monotonic EEPROM counters
- Serial EEPROM compatible pinout
CryptoAutomotive™ Security ICs
Quickly Integrate Security into Existing Automotive Networks with Minimal Design Impact
The Need for Automotive Security is Real
More and more consumer conveniences like Bluetooth®, 3G, 4G, LTE, etc. are being added to vehicles each year much to the delight of consumers… as well as the hackers. There is no shortage of real-world vehicle hacking stories and videos available on the web and virtually all OEMs in all regions have been negatively impacted by these attacks. The attack surface will certainly continue to grow so the pressure is mounting for OEMs and Tier 1 suppliers to quickly secure in-vehicle networks with long-term solutions.
A New Day in Automotive Cybersecurity
New OEM cybersecurity specs have begun to roll out requiring improved security including hardware-based secure boot and CAN message authentication. Implementing these new specs can be burdensome for Tier 1 suppliers to implement with the first investigation typically involving switching out their existing host microcontroller (MCU) to a higher horsepower dual-core 32-bit MCU with crypto. This can introduce significant additional silicon cost, software development expense and introduces risk associated with getting the new security software in the MCU implemented correctly. Microchip has introduced a solution that enables OEMs and Tier 1 suppliers to add security to existing systems without costly redesigns.
Industry’s First Automotive Security Development Kit
This CryptoAutomotive™ Security ICs In-Vehicle Network (IVN) TrustAnchor/Border Security Device (TA/BSD) development kit provides a way for developers to begin architecting their security into existing systems. The emulated secure companion solution initially targets secure boot and CAN message authentication use cases, and upcoming kit software releases for key agreement, TLS, content protection schemes and more will be available in the future. The kit can be conveniently paired with Microchip automotive host microcontroller development kits which include example projects for secure boot.
CryptoAutomotive Secure Element Advantages:
- Significant cost and time-saving advantages compared to redesigning with a new MCU
- Minimal MCU code updates resulting in little to no impact to existing host MCU functional safety ratings
- Preprogrammed with built-in security measures removing the requirement for in-house security expertise
- Eliminates risk associated with significant MCU code updates
- More whole-chip tampers with a higher level of certifiability
- True hardware key isolation
CryptoMemory
Making EEPROMs a Safe Place for Sensitive Data
The Microchip CryptoMemory® family offers a range of cost-efficient, high-security electrically erasable programmable read-only memory chips (EEPROMs) and host-side security for applications requiring comprehensive data protection, including mutual authentication between devices and host. CryptoMemory chips are the world's largest family of EEPROMs with a 64-bit embedded hardware encryption engine, four sets of nonreadable, 64-bit authentication keys, and four sets of nonreadable, 64-bit session encryption keys. The result: a truly secure means of preventing product counterfeiting and piracy. The chip family features a choice of memory densities and is easy to implement in a variety of applications.
Key Features
Designer's choice — The chips are available in memory densities ranging from 1 Kbit to 256 Kbits to accommodate diverse storage and cost requirements.
Multiple access levels — User memory can be divided into as many as 16 separate sections, allowing several different levels of read and write access.
No special expertise — A CryptoMemory design kit offers a library of simple API calls that execute the most complex host operations.
Standard interfaces — The chips provide standard 2-wire communication interfaces to Microchip and other microcontrollers, as well as a standard smart card interface to off-the-shelf readers.
Package options — Options include 8-lead SOIC, TSSOP, uDFN, and PDIP plastic packages, modules for smartcard applications, and wafers thinned down to 6 mils.
Host-side simplicity — The Microchip CryptoCompanion™ chip provides simple, plug-and-play authentication on a host device.
Devices
| Device Family | Summary Benefit | Applications | Technologies | Key Parameters |
|---|---|---|---|---|
| CryptoCompanion | Security companion chip to CryptoMemory Securely implements host algorithms and stores host secrets Verifies host firmware digests |
Plug-and-play host-side cryptographic security for embedded systems |
64-bit Cryptographic Algorithm |
Host-side security Hardware security |
| CryptoMemory (2.7V - 3.6V) | Family of secure EEPROMs 64-bit embedded hardware encryption engine EEPROM densities from 1 to 8 kbit available Flexible security feature set to meet a wide variety of applications Supports both 2-wire and ISO7816 interface protocols Mutual authentication capability |
Applications requiring authentication, data protection or secure storage |
64-bit Cryptographic Algorithm |
Hardware security Secure EEPROM Authentication |
| CryptoMemory (2.7V - 5.5V) | Family of secure EEPROMs 64-bit embedded hardware encryption engine EEPROM densities up to 256 kbits available Flexible security feature set to meet a wide variety of applications Supports both 2-wire and ISO7816 interface protocols Mutual authentication capability |
Applications requiring authentication, data protection or secure storage |
64-bit Cryptographic Algorithm |
Hardware security Secure EEPROM Authentication |
CryptoRF
The Largest Selection of Memory Solutions for RFID
Microchip CryptoRF® is a 13.56MHz RFID (radio-frequency identification) device family equipped with a 64-bit embedded hardware encryption engine, mutual authentication capability, and up to 64Kbits of user memory. These low-cost chips are virtually impossible to copy and offer hardware security that is superior to software security solutions. CryptoRF ICs are ideal for applications that are prone to counterfeiting, require a permanent chain of ownership, or use contactless smart cards for cash transactions. They are also suitable for use in adverse environmental conditions where dust, dampness, or temperature extremes can cause problems for digital devices.
Key Features
- Safer than passwords — Mutual authentication between host and client is accomplished with a unique cryptogram that is randomly generated for each transaction.
- Attack isolation — The key diversification scheme limits any attack to only one unit.
- Multiple access levels — User memory can be divided into as many as 16 separate sections, allowing several different levels of read and write access.
- Diverse packages — The chips are available in many different shapes and sizes; tags in a variety of shapes can be developed for high-volume applications
- Host-side simplicity — The Microchip CryptoCompanion™ chip provides simple, plug-and-play authentication on a host (interrogator) device.
- Development tools — Comprehensive reference designs, demonstration kits, and application software facilitate implementation into existing products.
Devices
| Device Family | Summary Benefit | Applications | Technologies | Key Parameters |
|---|---|---|---|---|
| CryptoCompanion | Security companion chip to CryptoRF Securely implements host algorithms and stores host secrets Verifies host firmware digests |
Plug-and-play host-side cryptographic security for embedded systems |
64-bit Cryptographic Algorithm |
Host-side security Hardware security |
| CryptoRF | Secure RFID solution High frequency 13.56MHz ISO 14443 Type B protocol EEPROM densities up to 64 kbits 64-bit embedded hardware encryption engine Flexible security feature set to meet a wide variety of applications Mutual authentication capability |
Product authentication Contactless payment Patient safety Anti-cloning of consumables Loyalty and patron management |
64-bit Cryptographic Algorithm |
ISO 14443 Type B 13.56MHz RFID Hardware Security Authentication Secure EEPROM |
| CryptoRF Reader | ISO 14443 Type B reader Supports both 2-wire and SPI serial interfaces Compatible with both 3.3V and 5V host microcontrollers Performs all RF communication, packet formatting, decoding, and communication error checking, reducing burden on host microcontroller |
Product authentication Contactless payment Patient safety Anti-cloning of consumables Loyalty and patron management |
RFID |
RFID reader 13.56MHz ISO 14443 Type B |
Hardened TLS Benefits
Mitigate remote attacks, use a unique trusted identity
Transport Layer Security 1.2 (TLS 1.2) has become the de facto standard for connecting embedded systems to a network. While TLS 1.2 is undeniably robust, an embedded system still requires a unique, secure and trusted identity to prevent large-scale remote attacks. For example, a malicious attack can cause a hospital power grid to go down and potentially risk human lives, interrupt online services and advertising activities resulting in a loss of revenue, or suspend the production capabilities of industrial plants and their supply chains to almost instantaneously affect their profitability. When combined with the TLS 1.2 protocol, Microchip’s ATECC508A CryptoAuthentication™ device offers a unique, trusted, and verifiable identity that can help protect billions of connected devices.
How do Microchip's CryptoAuthentication devices help enhance TLS?
By physically isolating keys and secrets from the application
|
|
Secure Key StorageIn order to harden the TLS protocol, trust in the system, the device provider, the manufacturer must be optimum to decrease potential backdoors and threats. The main philosophy is to completely isolate keys and secrets from any software exposure at any point of time of the product development as well as when the product is in the user’s hands. The ATECC508A is your solution. |
|
|
Physical ProtectionMicrochip ECC based devices integrate various vital physical protection schemes to strengthen your TLS security at the root of the hardware design. The ECC based secure element family is architected with anti-tampering features such as active shield and side attack counter measures as well as robust secure key storage with locking mechanisms. |
|
|
Hardware CryptographyIn terms of cryptography, the most important function is to provide a high entropy FIPS compliant random number generators (RNG). The ATECC family integrates best in class RNG enabling high entropy capabilities. In addition, the device is capable of providing both an ECC hardware accelerator and SHA256 hashing as well as a unique serial number per device. |
|
|
Trusted ProvisioningTrust cannot rely only on the hardware device but also on the manufacturing process. Exploiting 3rd party weaknesses is one of the top target of hackers. Isolating keys and secrets from manufacturing is equally vital. Customers can now leave this burden to Microchip secure factories and leverage our trusted provisioning service already used by thousands of companies. |
ECC Based
- Hardware based root of trust based on X509 certificate
- Public Key Infrastructure (PKI)
- ECC hardware accelerator
- ECDHE-ECDSA sign
- Tamper resistant
- Keys are never sent, exposed, nor disclosed
Integrated TLS
- Free integrated TLS stack from WiFi module ATWINC1500
- Free integrated TLS stack from Bluetooth/Wifi combo ATWINC3400
- Cost efficient solution
- Enable connectivity to small microcontrollers
