Issue link: https://resources.mouser.com/i/1442760
The major ingredients of a security coprocessor that protect and authenticate an embedded device's unique and trusted identity are as follows:

Crypto Engines

Security coprocessors are hardware engines that implement a range of cryptographic tools. This includes symmetric key authentication based on SHA-256 and now SHA3-256 algorithms that are compliant with the Federal Information Processing Standard (FIPS) 180 and 202, respectively. Security coprocessors are also highly suitable for low-cost IP protection, clone prevention, and peripheral authentication. Likewise, there is asymmetric key authentication that is based on FIPS 186-compliant signature generation and verification, for instance public key-based ECDSA signature authenticators.

Random Number Generator

A random number generator (RNG) creates on-chip keys that comply with the latest requirements from the National Institute of Standards and Technology (NIST). The FIPS-compliant key generators facilitate pre-boot authentication via signature validation and digest computation of firmware on the host processor. This allows them to provide a hardware root of trust for safeguarding the embedded code and data and, thus, prevent theft and other malicious activities. Furthermore, these random number generators verify that firmware updates haven't been corrupted and that they come from a trusted source.

User Programmable Memory

Security coprocessors store certificates, public and private keys, monotonic counters, and arbitrary data; memory components like electrically erasable programmable read-only memory (EEPROM) perform these tasks by offering multiple layers of advanced physical security to ensure secure key storage. The memory component in security coprocessors is managed through a flexible file system that supervises access rights for the objects through policy enforcement.
Therefore, the user-programmable memory in the authenticator chips comes alongside secure key-loading protocols and lifecycle management features.

Peripheral Authentication

Security coprocessors provide sophisticated countermeasures for protection against both invasive and non-invasive attacks. For a start, they monitor and limit peripheral usage through authenticated memory settings and decrement-only counters. There is a unique read-only memory (ROM) identification (ID) number, or "ROM ID," that serves as a fundamental building block for cryptographic operations. The ROM ID acts as an electronic serial number that provides a node address in a network with multiple devices. Moreover, these authenticator chips ensure data integrity through the secure-boot process and general-purpose input/output (GPIO) pins that prevent malicious attacks. The authenticated GPIO pins facilitate secure state control and level sensing, thus enhancing secure boot and firmware download features.

What's New in Authenticators

To create another line of defense against invasive physical attacks, some security coprocessors now employ a physically unclonable function (PUF) that eliminates the need to store cryptographic keys within memory or any other static state. Addressing the need to evolve with industry cryptographic advancements, the latest secure authenticators integrate the SHA3-256 algorithm, which is optimized for hardware-based implementations. The on-chip PUF circuit uses naturally occurring random analog characteristics of the semiconductor manufacturing process, and this makes it immune to invasive attacks such as reverse engineering attempts or efforts to extract sensitive data like cryptographic keys. Take, for instance, the ChipDNA™ technology from Maxim Integrated (Maxim) as shown in Figure 4, which employs the PUF circuitry to provide another layer of protection against more exhaustive reverse-engineering attempts.
The ChipDNA keys don't reside statically in registers or memory, and they don't leave the electrical boundary of the authenticator chip.

[Figure 4: block diagram of the DS28E38 showing its 1-Wire® interface and command logic, 64-bit ROM ID, buffer, TRNG, 2kb E2 array, ECC-P256 private key, ChipDNA™ circuit, parasite power, user memory, keys and certificate, and decrement counter.]
Figure 4: This is a view of how ChipDNA technology employing PUF circuitry complements a security coprocessor. (Source: Maxim Integrated)
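To make the SHA-256/SHA3-256 symmetric challenge-response authentication, the ROM ID as a cryptographic building block, and the decrement-only usage counter described above concrete, here is an added example, not code from the article or from any Maxim part: a Python model in which the host issues a fresh random challenge and the peripheral answers with a keyed MAC over its ROM ID, the challenge and its remaining use count. The HMAC construction, the message layout, the counter semantics and the sample secret and ROM ID are all assumptions of this model; passing alg="sha3_256" exercises the FIPS 202 algorithm the article mentions.

```python
# Hypothetical model of SHA-256 / SHA3-256 challenge-response authentication that
# binds a 64-bit ROM ID and a decrement-only counter into the MAC. Constructed for
# illustration; it is not the command set of any real authenticator part.
import hmac
import secrets

def compute_mac(secret, rom_id, challenge, counter, alg):
    """Keyed MAC over ROM ID || challenge || counter (HMAC is an assumed construction)."""
    msg = rom_id + challenge + counter.to_bytes(4, "big")
    return hmac.new(secret, msg, alg).digest()

class Authenticator:
    """Peripheral side: holds the secret, the ROM ID and the usage budget."""
    def __init__(self, rom_id, secret, uses, alg="sha256"):
        assert len(rom_id) == 8, "ROM ID is a 64-bit electronic serial number"
        self.rom_id = rom_id
        self._secret = secret   # stays inside the device in this model
        self.counter = uses     # decrement-only: there is no increment path
        self.alg = alg          # "sha256" (FIPS 180) or "sha3_256" (FIPS 202)

    def respond(self, challenge):
        """Return (MAC, remaining uses), or None once the budget is spent."""
        if self.counter == 0:
            return None
        self.counter -= 1
        mac = compute_mac(self._secret, self.rom_id, challenge, self.counter, self.alg)
        return mac, self.counter

class Host:
    """Host side: issues a fresh challenge and checks the response."""
    def __init__(self, secret, alg="sha256"):
        self._secret = secret
        self.alg = alg

    def authenticate(self, device):
        challenge = secrets.token_bytes(32)          # fresh nonce defeats replay
        reply = device.respond(challenge)
        if reply is None:
            return False                              # exhausted counter: reject
        mac, counter = reply
        expected = compute_mac(self._secret, device.rom_id, challenge, counter, self.alg)
        return hmac.compare_digest(mac, expected)     # constant-time compare

def demo(alg="sha256"):
    """Genuine part with a 2-use budget, then a clone with the same ROM ID but wrong key."""
    secret, rom_id = b"\x01" * 32, bytes.fromhex("0123456789abcdef")   # constructed
    host = Host(secret, alg)
    genuine = Authenticator(rom_id, secret, uses=2, alg=alg)
    clone = Authenticator(rom_id, b"\x02" * 32, uses=2, alg=alg)
    return [host.authenticate(genuine), host.authenticate(clone),
            host.authenticate(genuine), host.authenticate(genuine)]
```

A clone that copies a genuine part's ROM ID but not its secret fails the check, which is why the article treats the ROM ID as a building block for the cryptographic operations rather than as a credential on its own; the third genuine attempt fails only because its usage budget is spent.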