Simplifying the Secure Product Release Journey from Concept to Deployment with Microchip’s Trust Platform and AWS’ Multi-Account Registration
Today, many companies, small and large, are realizing the critical importance of adding security from the start of product development, rather than as an afterthought.
IoT is being deployed across various market segments, helping make systems more efficient and capturing more insights than ever before. But ensuring the security of such IoT solutions against various attack vectors has always been a challenge. Today, many companies, small and large, are realizing the critical importance of adding security from the start of product development, rather than as an afterthought.
For over five years, Microchip Technology and AWS IoT have partnered to address such IoT and security challenges. The strong collaboration in the past has resulted in the release of the Just In Time Registration (JITR) service to help accelerate the adoption of IoT across the embedded market. JITR has helped deploy IoT devices with secure authentication for mass production and Microchip continues to promote this solution to customers through its Trust Platform for the CryptoAuthentication™ family. Identifying and addressing three major barriers in secure IoT product development (as detailed in the section to follow), the Trust Platform offers both a Trust&GO and TrustFLEX option, enabling original equipment manufacturers (OEMs) who lack the necessary skill and infrastructure to easily implement critical security practices — like the integration of Certificate Authorities and Public Key Infrastructure (PKI) — through a plug and play design.
Now with the release of AWS’ Multi Account Registration (MAR) feature along with Microchip’s Trust Platform, and building upon beta version release in September 2019, secure IoT solutions are faster to protype and easier to deploy regardless of project size. Continue reading to learn more about the challenges that product companies and OEMs face when ramping up from concept to production and how Microchip’s secure element along with AWS’ Multi-Account Registration (MAR) remove these barriers for a simplified journey to a secure product release.
Barriers in Secure IoT Product Deployment
As OEMs transition from prototype to pilot builds and finally to mass production, they must mitigate any vulnerability in the supply chain. Until now, there were a few major barriers that OEMs faced in the product release journey:
1. Knowledge of a Certificate Authority: Typically for prototype and proof of concept development, product engineers integrate software to get the final product functionality and implement any connectivity to a cloud platform, all while using some development keys that are not intended for production purposes. This step requires developers to have an understanding of a Certificate Authority and how to generate unique certificates. Although, companies, such as Microchip, provide tools and scripts to easily generate required keys, product engineers are still required to have knowledge of what these certificates mean and how they are being used in the device secure authentication.
2. Creating and Storing Root Certificate Authority: Developers often struggle to know if they can safely store the root certificate authority key or if they need to work with a third-party Certificate Authority provider. While storing a self-signed root is a cheaper option, it creates challenges for the company to create and store this root key in a secure location. Often organizations lack the expertise in creating and storing keys in air-gapped systems with proper monitoring. For those companies that work with a third-party Certificate Authority, it provides a robust framework to protect the root certificate credentials, however it does add setup costs to procure such services from trusted Certificate Authorities.
3. Enabling Device Provisioning with an OEM’s Certificate Authority During Mass Production: As the product build starts in manufacturing, either in the same facility where the Certificate Authority is stored or more often done by a third party contract manufacturer, the right infrastructure needs to be setup to provision each device with a unique key pair and associated device certificate signed by the root Certificate Authority. In this step, the OEM typically works with the companies that help provision devices with device certificates signed by the chain of trust associated with the OEM’s certificate authority chain. This step requires special handling by the OEM and the organization offering provisioning services.
The above steps may be suitable for those OEMs that already have the know-how when it comes to setting up the PKI, the infrastructure and the bandwidth to work with provisioning services and ensure that the supply chain is robust. However, many OEMs lack the required skill to accomplish the above tasks and tend to implement solutions with poor security practices that leave their solutions vulnerable.
Microchip launched the Trust Platform for the CryptoAuthentication family on Sep 30, 2019. At the same time, it collaborated closely with AWS to develop and release the beta version of the AWS IoT Multi Account Registration (MAR) feature. Today, AWS has now released the MAR feature for general availability.
See Figure 1: The Microchip Trust Platform
The MAR feature allows devices to register individual device certificates across multiple AWS accounts and regions and no longer require a unique Certificate Authority to be registered in the AWS account.
Securing the Product Release Journey with AWS’ MAR and Microchip’s Trust Platform
OEMs can purchase a pre-provisioned ATECC608A Trust&GO TLS secure element from Microchip that comes with a generic unique certificate and corresponding public/private key pair.
See Figure 2: Pre-provisioned Secure Element with Turn-key Support for AWS MAR
With each secure element order, Microchip generates a manifest file that OEMs can use to register the device certificate into the target AWS account.
See Figure 4: Trust Platform Design Suite — To Register Devices from Manifest into AWS Account
AWS MAR and Microchip’s Trust&GO enable customers to start the prototyping phase on a final device hardware with a prototype AWS account and easily migrate to the production AWS account. Customers need only to register the same device certificates in the production account and change the TLS end point information in the device settings to point to the production environment. For more detailed information check out this video.
As the product ramps into mass production, no further changes to the supply chain are needed. This solution significantly reduces the complexity and cost of designing a secure IoT solution and is available for device makers of all sizes. Microchip’s Trust&GO minimum order quantity for secure elements is only 10 units, the lowest in the industry.
For products that require support for additional use-cases such as over the air (OTA) firmware update validation, secure boot, intellectual property protection and/or accessory authentication along with secure cloud authentication, Microchip provides TrustFLEX, where customers acquire all the same benefits of the Trust&GO solution plus pre-provisioned devices with the OEM’s application specific keys for as low as 2,000 units.
To learn more, please visit TrustPlatform.