AWS Partner Network (APN) Blog
Implementing Secure Authentication with AWS IoT and Microchip’s Trust Platform
By Xavier Bignalet, Security Product Manager at Microchip Technology
The ultimate potential of the Internet of Things (IoT), as seen in the success of billions of intelligent devices working in concert with artificial intelligence (AI) applications in the cloud, will only be achieved if the security of such a vastly powerful and complex system can be maintained.
Doing so requires security implementations to be simple and mainstream. Designing and manufacturing secure IoT requires OEMs to cover a large technical, operational, and knowledge/skill gap where very few can afford the investment.
A key security pillar, foundational to IoT products, is a strong authentication or authorization mechanism. In this post, I will discuss how organizations can build secure key authentication with AWS IoT services and Microchip Technology’s secure element solutions for any given hardware platform—from Linux-capable microprocessors to the smallest microcontrollers.
Microchip Technology is an AWS Partner Network (APN) Advanced Technology Partner with the AWS IoT Competency.
Microchip is a leading provider of microcontroller and analog semiconductors, providing low-risk product development, lower total system cost, and faster time to market for thousands of diverse customer applications worldwide.
Security for Every Stage of the Product Lifecycle
There are a few major challenges when implementing authentication to an IoT device:
- Having the technical expertise and experience in security.
- Deciding which technology to use and how to effectively deploy it.
- How to transition from prototyping to production to the release of your product—all while enabling security at each step.
Let’s assume a manufacturer called “IamAtarget” is developing an IoT product; in this case, a security camera. Right out of the box, buyers have a connected security camera that uses Amazon Web Services (AWS) for device management and a connected user experience.
For privacy and security reasons, best practices suggest users should not be involved in setting up credentials or secrets in order to authenticate and communicate with AWS.
Additionally, these credentials—usually private keys and digital certificates—should not be exposed to the contract manufacturer that is manufacturing the devices, “IamAtarget” employees, distribution channels, or other third parties involved in the product lifecycle.
The entire product could be compromised if the key material is leaked. Hackers can clone devices, impersonate or access them remotely, and access or modify user data in-transit or at-rest.
With various government privacy laws from California to the United Kingdom, “IamAtarget” needs to plan for compliance ahead of time.
Securing the Key at the Device Level
Now that we understand the importance of protecting an IoT product’s private key at every stage in the product lifecycle, let’s explore the best option for securing the key at the device level.
You may be wondering, if no one has access to the sensitive key material, then:
- How can a private key be provisioned in the security camera?
- How can a certificate chain be created securely?
- How can the camera connect securely to AWS IoT Core?
- How can the device securely validate the authenticity of the AWS end point it connects to?
- Where does “IamAtarget” start without any security experts?
Here we’ll take a look at how “IamAtarget” can approach these challenges. The company should start by defining its authentication requirements in the targeted trust model.
Generally, the certificate-based authentication is the most popular, as it’s widely used in the IT enterprise market. Using digital certificates for authentication requires first obtaining and then maintaining securely a root certificate authority (CA). The choice made will impact the end product’s cost.
There are three options for a root CA:
- Leverage AWS CloudHSM and subscribe to AWS Certificate Manager to issue and manage the lifecycle of a root CA.
- Purchase a root CA from a public certificate authority.
- Generate your own CA that has is not chained to a public root CA validation for the device to cloud authentication.
The most critical credential is the device’s private key that’s going to be used to sign messages for integrity and authenticity verification when attempting to connect to AWS IoT.
While security precautions can be taken in the cloud infrastructure, if the device’s private key is not protected in a tamper-proof and trusted enclave then the device is vulnerable to spoofing. Similarly, to a cloud hosted HSM it’s important that all the cryptographic keys and execution of cryptographic operations are isolated in hardware from the customer applications in the device.
Microchip Technology provides the secure element ATECC608a for establishing trust at the device level. The secure element integrates hardware cryptographic accelerators, a true random number generator, and secure key storage in a tamper resistant package with side channel attack protection features.
During manufacturing in Microchip’s secured facilities, the secure element generates the private key used as the seed for the device certificate. This is the unique identifier for the device when it authenticates with AWS IoT.
When using a secure element, the seed private key never leaves the secure enclave provided by the secure element. Device certificates are signed by the customer root CA of choice.
Microchip’s Trust Platform Powered by AWS IoT
Microchip provides the device certificate signing operation as part of its provisioning service to customers through the Trust Platform products. The Trust Platform is available in three versions: Trust&GO, TrustFLEX, and TrustCUSTOM.
The secure element combined with Trust Platform options can support any CA management option chosen by customers.
Learn how TrustPlatform can accelerate your time to market.
The ATECC608a Trust&GO provides Microchip-issued certificates and the associated private key pre-provisioned. In this case, keys, device certificates, and the entire public key infrastructure (PKI) solution are completely abstracted for the manufacturer. This means manufacturers do not focus on the deployment and management of keys and digital certificates nor have to pay tens of thousands of dollars for a PKI.
ATECC608a TrustFLEX is flexible to support AWS native, third-party, or customer-owned root CAs.
The ATECC608A TrustCUSTOM allows the designer to fully customize its secure authentication model, decide the ownership and management of the root CAs, or go beyond PKI concepts.
AWS worked closely with Microchip to provide the device onboarding features to support all three product flavors offered by the Trust Platform.
Managing the Logistical Challenges of Manufacturing
In addition to addressing the edge-to-cloud secure key storage and secure communication, the combination of AWS IoT Core device provisioning features and Microchip’s Trust Platform solves another significant logistic challenge for customers.
Without a secure element, a manufacturer would need to personalize the firmware for each device going through a factory plant because each device needs a unique identity. This could add significant manufacturing complexity and cost, as devices need to be diversified on the manufacturing line.
To automate device onboarding to AWS IoT, the Trust&GO platform provides the device manufacturer a direct download option on the Microchip e-commerce site for the “digital manifest” containing the list of all device certificates preloaded in the secure element chips of the sales order placed by the manufacturer.
AWS IoT Core provides an easy-to-use import capability for the manifest, facilitating easy device onboarding in volume.
Activating Your Pre-Provisioned Secure Elements
Using the Trust&GO ATECC608a, our fictitious company “IamAtarget” has all the thumbprint certificates loaded in AWS IoT and the corresponding private keys in the secure element chips inside the surveillance cameras. Devices can now connect securely in all regions where AWS provides IoT services.
This secure, simplified process is made possible by purchasing pre-provisioned Trust&GO secure elements and activating them in bulk using AWS IoT Core device provisioning features. This doesn’t require any intervention from a security expert, nor any third-party certificate authority.
If “IamAtarget” wants to own the root CA instead, it can purchase the TrustFLEX secure element and perform a key ceremony with Microchip before receiving securely provisioned elements. With TrustFLEX, they can also benefit from pre-configured and common authentication use cases, such as firmware verification and over-the-air update verification, already available inside the secure element.
With this authentication architecture, the manufacturer would use a different AWS onboarding procedure leveraging AWS Just-In-Time-Registration (JITR) to pull device certificates from the IoT surveillance camera at the first TLS connection attempt.
The device certificates are authenticated in the AWS IoT account using a sub-root CA (used in advance to sign the device certificate) that the manufacturer needs to pre-load and certify ownership for in advance. The product performs in the same fashion, but the personalization and setup is more involved and thus not the easiest option without security expertise.
Assume now that “IamAtarget” wants to create an authentication model beyond what TrustFLEX offers; they would move to the TrustCUSTOM platform for a fully customized and personalized device identity and ownership.
Securely Update Devices in the Field
Microchip’s TrustFLEX product enables manufacturers to pre-load other custom key material.
Going back to our example, the “IamAtarget” manufacturer needs the ability to securely update the firmware of devices in the field. To do so, the camera must have the ability to verify the authenticity of a firmware update image, and possibly decrypt it.
Pre-loading a public key in the TrustFLEX secure element gives the manufacturer the ability to perform cryptographic verification and decryption of a new firmware image in the device. In this case, the key is public but must be stored securely because a hacker could bypass the security check for a new firmware image if it has the ability to replace the public key.
AWS IoT, through the AWS Certificate Manager code signing service, makes it easy for customers to securely sign new firmware images for its products.
Addressing the Fragmented IoT Market
A differentiating value that Microchip delivers, besides automation and flexibility, is the minimum orderable quantities (MOQ) for the secure elements.
In a fragmented market like IoT, made of small projects in a large corporation testing a new concept or a startup disrupting the market, low MOQ is critical for security components. Generally, secure element providers cap their MOQ at approximately 100,000 units. Microchip’s MOQ is 10 units for Trust&GO, 2,000 units for TrustFLEX, and 4,000 units for TrustCUSTOM.
Using AWS IoT services and Microchip’s security and automation, “IamAtarget” can deploy a secure connected camera leveraging the security and cloud expertise of others—with minimum time invested.
There is no need for the manufacturer to write custom code to integrate the security assets provided by Microchip with the AWS services.
“IamAtarget” can find easy-to-use support, code examples, and scripts directly on Microchip’s TrustFLEX or Trust&GO websites. Both Trust&GO and TrustFLEX products work with any embedded design from Arm Cortex-A microprocessors-based systems to Arm Cortex-M all the way down to 8-bit microcontrollers.
Amazon FreeRTOS is compatible with all Trust Platform variants for microcontroller grade products and AWS IoT Greengrass for microprocessor-based designs.
With the use of Microchip’s Trust Platform options and relevant AWS IoT services, your company—just like “IamAtarget”—can successfully implement a secure authentication architecture and maintain a lifetime of security for every device.
Such a platform will help you drive both a cost optimized and secure business model that’s able to scale any project size.
If you want to define the trust model that works best for your company, visit Microchip’s website or contact a Microchip authorized distributor to get started today.
The content and opinions in this blog are those of the third party author and AWS is not responsible for the content or accuracy of this post.
Microchip Technology – APN Partner Spotlight
Microchip is an AWS IoT Competency Partner and leading provider of microcontroller and analog semiconductors. They provide low-risk product development, lower total system cost, and faster time to market for thousands of diverse customer applications worldwide.
Contact Microchip | Solution Overview
*Already worked with Microchip? Rate this Partner
*To review an APN Partner, you must be an AWS customer that has worked with them directly on a project.