FAQ: Developing secure IoT edge-to-cloud applications on Linux using PKCS #11 and secure devices

EEWORLD社区

FAQ: Developing secure IoT edge-to-cloud applications on Linux using PKCS #11 and secure devices [Copy link]

Live Topic : Developing secure IoT edge devices to cloud applications for Linux systems using PKCS #11 and security devices | Microchip Security Solutions Series Seminar 18

Content Introduction: In this seminar, you will learn how to achieve code reusability, simplify integration and reduce maintenance costs in networked embedded Linux applications for secure authentication. Our security experts will discuss how our solutions support the standard PKCS #11 interface through the CryptoAuthLib library and security-hardened devices such as Trust Platform's ATECC608 and TrustAnchor TA100.

Live lecturer: Barry Xu | Senior Application Engineer at Microchip

FAQ details:

1. How fast is the wake-up in sleep mode
? A: 60us is enough.
2. How much resources does the security library need? 8-bit machines may not have enough resources.
A: It depends on which APIs are used for 8-bit. It is best to have more than 10K.
3. How to merge CryptoAuthLib in Linux projects that use USB HID devices?
A: Cryptoauthlib can support the communication method of USB HID protocol, and can directly call external security chips through USB ports. The premise is that the security chip needs a USB HID to I2C conversion chip. There are also ready-made solutions for this, all of which are open source.
4. What encryption algorithms does the security chip have
? A: ECCP256, SHA256, AES, RSA, etc.
5. What level of genkey is used by the device public key?
A: genkey is a command that can be used to generate a new key pair or generate a corresponding public key with an existing private key.
6. Which cloud is used in the cloud?
A: google, amazon, azure
7. What communication methods does the security chip support?
A: I2C, SWI, SPI
8. Is the code open source?
A: Microchip CryptoAuthlib is open source
. 9. Is PKCS#11 directly fixed to the terminal device?
A: PCKS#11 is an API
. 10. What is the biggest advantage of the PKCS11 standard?
A: PKCS11 provides a software adaptation layer for upper-layer applications and security hardware. Its biggest advantage is compatibility with various security hardware.
11. How is the power consumption ?
A: The sleep current is about 30nA, and the maximum current is 14mA when working.
12. WINC1500 has a built-in TLS protocol stack. Do we need to use ATECC608 to connect edge devices to the cloud? If so, which one is more suitable?
A: TLS only means that a secure connection can be achieved, but it does not explain how to store the required security and confidential information. If higher security is required, it can also be achieved by plugging in 608.
13. In terms of function, what are the main differences between trust&go, flex, and custom?
A: Trust&go is pre-configured and cannot be modified. Trust flex is pre-configured, but additional functions can be added to customers, such as secure boot. Trustcustom is a blank ECC608
14. May I ask, how to implement security measures for this open source system?
A: The security platform is mainly to protect the key, ECC608 is used to protect the key, and the open source code has no impact on security
15. If I store the P256 signature certificate in the ATECC device, are there any potential security risks?
A: The security chip can safely keep these confidential information, and a variety of security protections have been implemented in the security chip
16. What are the application areas of PKCS#11?
A: Different security application areas, including IOT networks, security verification, etc.
17. Does Bluetooth communication encryption have to use 5.0 or above?
A: Not necessarily, it depends on your application. We have a reference case for secure encryption connection based on 4.0
18. Where can I see the modification parameters of pre-configured security components?
A: The parameters are generally fixed, but the contents of some slots can be modified according to the configuration
19. What are the software development environments?
A: All commonly used Linux development environments are supported, including C/C++ and Python.
20. Can the key be modified later after pre-configuration?
A: The private key representing the identity is not allowed to be modified.
21. Which RTOS are supported?
A: We have not specified any specific RTOS. At present, we have corresponding routines for FreeRTOS and Linux.
22. Is IIc communication protected?
A: For some key information, we provide IO Protection to protect I2C communication data.
23. Can you send me the introduction information about IO Protection?
A: Contact our engineers
. 24. How much time will be increased by using PKCS#11?
A: The key is compared with what? If compared with no secure connection, the time will increase a lot, but if compared with the secure connection implemented by software before, the time will be reduced a lot. After all, the security chip provides hardware security cryptographic algorithm support, which can speed up a lot.
25. What does pre-burning mean? What are the benefits?
A: The benefit is that the key will not be obtained by others.
26. Does it meet domestic encryption standards?
A: The subsequent series is to be considered
. 27. What does a trusted unique identifier mean?
A: It is the only private key that represents the identity.
28. Can the key be set privately by the user?
A: Yes .
29. Can you provide technical support for the underlying library ?
A: Yes
. 30. What are the conditions for porting the CRYPTOAUTHLIB library?
A: It can be used on any platform. It only needs an I2C interface, whether it is hardware I2C or IO port simulation. It is necessary to reserve enough flash and RAM. When porting, you only need to pay attention to the HAL layer. In fact, it is just a package for I2C reading and writing as required, which is still very simple.
31. What if there is no network if cloud recognition is required?
A: It cannot be achieved without a network
. 32. What encryption algorithms does the chip use? Is there a unique ID inside?
A: Each chip has a unique 72-bit serial number; ECC608 supports SHA256, ECDSA256, ECDH/ECDHE256 and AES128, TA100 also supports RSA algorithm, etc.
33. Can other encryption methods be expanded?
A: Currently, only the security cryptographic algorithms supported by our security chip are supported. We have a variety of security chips and support many security key algorithms.
34. What communication protocols are supported?
A: Currently, it is mainly the communication interface of the security chip, including I2C, SWI, and SPI.
35. According to the encryption mechanism, how many categories can PKCS#11 be divided into?
A: Do you mean the cryptographic algorithm? If so, it is actually mainly the algorithms supported by the security chip, which are the current mainstream algorithms.
36. How fast does the edge device process data ?
A: It depends on the processing power of the edge device.
37. What are the simplified application modes of PKCS#11?
A: It depends on the application. It depends on which methods of secure password implementation you need. But if you want to simplify, why use PKCS11?
38. Is there a complete set of design reference cases?
A: If it is a reference code, we are on Github: https://github.com/MicrochipTech/cryptoauthlib/wiki/PKCS11
39. If the default credentials are used, how should the public key and certificate of the device be obtained?
A: The public key of the device itself is not private. It can be generated by reading the security chip or using genkey. For certificates, we generally put some key information in the certificate into the security chip, and then rebuild the certificate through the certificate reconstruction function. In addition, how to associate the default credentials with the device's certificate and key to form a complete trust chain is what the system needs to consider. We can communicate later.
40. Are applications built in C and python compatible?
A: In terms of implementation, our Cryptoauthlib will be compiled into a dynamic link library, so that both C and Python can directly call this dynamic link library, so they are compatible with each other.
41. Is PKCS#11 used in large quantities?
A: Yes
. 42. Integration in software also requires hardware environment support.
A: Yes, it is necessary to communicate with the security chip through I2C, SWI or SPI, and USB on the main control external, so that the software can run.
43. How many levels of encryption are there?
A: Does it mean which level of encryption security level belongs to? Microchip's security components meet the highest level of Jil.
44. What communication protocols are supported and how to ensure security during the communication process?
A: We support I2C, SPI and SWI as communication interfaces. We provide IO Protection to ensure security during the communication process.
45. Can it only be used on the Linux platform?
A: Our Cryptoauthlib can be used on any platform, including MCU and MPU, but using PKCS11 in Linux has many advantages, such as compatibility and unified interface.
46. Does ATECC608 provide drivers for the Linux platform?
A: Our Cryptoauthlib runs in the user layer and directly calls the i2c device in the Kernel to read and write; the Linux underlying driver is implemented by the Kernel itself.
47. Is there a solution for the RSA encryption algorithm?
A: Our security chip TA series supports the RSA algorithm.
48. On which platforms can CryptoAuthLib run?
A: We have no platform restrictions
. 49. Are there any automotive-grade chip applications?
A: We have automotive-grade security chips and some corresponding applications.
50. How to ensure that the pre-configured service is safe? Is there a check mechanism?
A: We have a pre-configured service environment that has been certified and monitored 24/7. When customers submit their security information, they will not pass through any third party, but directly pass their security information point-to-point to our HSM machine.
51. Does it support encryption of Bluetooth communication?
A: The new Bluetooth already provides some encrypted communication mechanisms, but we can cooperate with security chips to provide higher security. We have some related reference routines. You can consult our engineers for details. If it refers to data encryption, ECC608 supports a small amount of data encryption.
52. If Trust&Go or FLEX security devices are used, do you need to contact Microchip's official channels directly to obtain them? Or can you purchase them from distributors or agents? If you purchase from distributors or agents, will they also customize the security parameters? Thank you.
A: You can also go through agents, but for the required manifest, agents need to transfer it to customers after Microchip obtains it.
53. There are no specific application scenarios and specific application cases?
A: Generally, we call IoT applications, such as AWSl, GCP or Azure, and even some private clouds. We can do it
. 54. What security solutions are used for medical data?
A: Medical data security design authenticity verification and data privacy and integrity protection. If Linux is involved, PKCS#11+CRYPTOLIB can be considered to achieve three different aspects.
55. Is there a complete solution?
A: Yes, you can go to the Microchip website to see it
. 56. Is there a development kit?
A: Yes, you can consult our local technical support according to your requirements.
57. Is there a unique ID inside the chip?
A: Yes, each chip has its own unique serial number
. 58. How many packages are there?
A: There are many packages, such as SOIC, UDFN, 3-lead Contact. If you need a smaller package, you can consult microchip sales in various places.
59. Does your company use this kind of product in cloud applications on IPC?
A: Some customers are using it
. 60. What is the communication method of cloud connection?
A: Cloud connection is through Ethernet or WIFI
. 61. How to ensure security in the cloud?
A: This depends on the security architecture of the cloud. TLS is a good example.
62. How to ensure information security in the cloud?
A: This depends on the security mechanism of the cloud. ECC608 ensures the key security of the node.
63. How to issue the key of the security chip?
A: This is generally in a secure environment, such as our HSM environment. It is generated by the security chip itself. You can also write your own private key, but we don’t recommend this method.
64. Can you provide examples for all the interface methods mentioned?
A: This is supported in CAL. Customers only need to specify the interface type and configure the interface for their own platform.
65. If your system already has a network security system, can it also manage your open source embedded system?
A: As long as it is compatible with the security cryptographic algorithm currently supported by our security chip, it will be fine
. 66. What types of interfaces are supported?
A: Supports I2C and SPI interfaces, as well as USB HID.
67. How to use the cryptoauthlib python module?
A: You only need to run pip install cryptoauthlib in Python to automatically download and install the library. You can use Python to access the security chip through the cryptoauth_tools example on github: https://github.com/MicrochipTech/cryptoauthtools

电子微创意

3. How to merge CryptoAuthLib into Linux projects that use USB HID devices?
A: Cryptoauthlib can support the communication method of USB HID protocol and can directly call the external security chip through the USB port. The premise is that the security chip needs a USB HID to I2C conversion chip. There are also ready-made solutions for this, all of which are open source.

Where can I find this open source solution for USB HID to I2C?