Loading
Log in to myMicrochip to access tools and benefits. Sign up in just one minute.
Maximize Your Experience: Reap the Personalized Advantages by Completing Your Profile to Its Fullest! Update Here
Stay in the loop with the latest from Microchip! Update your profile while you are at it. Update Here
Complete your profile to access more resources.Update Here!
Start with the Most Popular Pre-Configured Use Cases and Use Your Own Credentials
When it comes to IoT security, authentication is one of the foundational concepts that should be implemented first in your design. The trust between the device identity and the cloud platform relies on a chain of trust. AWS IoT supports certificate-based authentication, but the trust in the device identity will depend entirely on how well the device’s private key is protected. If the private key is spoofed, the device can be impersonated by an unauthorized user who can then control the device’s transactions. However, adding authentication presents you with several challenges: securely storing the private key in the device, shipping the private key across the globe for any project and system size and ensuring a secure manufacturing flow. These challenges can be addressed by using the TrustFLEX ATECC608B-TFLXTLS secure element from our Trust Platform family of solutions.
Defining the secure element’s configuration is generally a time-consuming task. The TrustFLEX ATECC608B-TFLXTLS comes pre-configured with the most commonly used use cases to speed up your development and reduce the complexity of the onboarding process. To further simplify onboarding, the device also comes with default generic certificates for thumbprint authentication and overwritable keys. This allows you to either choose the default certificates and keys and lock them afterwards or overwrite the default credentials with your own. When combined with AWS IoT Core Application Program Interfaces (APIs), such as Just-In-Time-Registration and Use Your Own Certificate, you can use a Certificate Authority provider of your choice to create an end-to-end secure authentication. The device’s private keys will have to be provisioned in the secure element using our provisioning infrastructure and the Hardware Secure Modules (HSMs) that are installed in our factories. The key will then be isolated from exposure to software, firmware, manufacturing sites, end users and other third parties. Our ATECC608B-TFLXTLS provides a common criteria JIL “high” rated secure key storage to isolate keys in the nodes. This is especially valuable in TLS networks that are based on a Public Key Infrastructure (PKI) security model and leverage a wide variety of traditional low-power microcontrollers (MCUs).
Step 1: Download the Trust Platform Design Suite, available for Windows® and macOS®, to prototype with your secure element.
Step 2: Buy the development kit of your choice, then prototype and integrate your application code in the microcontroller.
Step 3: Once the C code is working in your embedded application, you are ready to create the configuration file using the TrustFLEX configurator that is available in the Design Suite. After the configuration file is finalized, submit a support ticket to obtain your encryption key. Encrypt the configuration file using the provided utility, load it in the support ticket and you will receive provisioned validation devices by our Hardware Secure Module (HSM) equipped factories.
Benefits of Using the TrustFLEX ATECC608B with AWS IoT Core
- Create secure authentication to IoT devices powered by AWS IoT Core
- Benefit from the scalability of AWS IoT Core (including China)
- Leverage AWS Just-In-Time-Registration and Use Your Own Certificate
- Provide a unique, trusted, protected and managed device identity
- Pre-configured with most popular use cases
- Turn-key code examples available for each use case
- Leverage Microchip’s secure provisioning service
- Simplify logistics of shipping private keys and reduce manufacturing costs
- Microcontroller-agnostic implementation
- JIL rated “high” secure key storage
- Protection against known tamper, side-channel attacks
TrustFLEX ATECC608B-TFLXTLS Use Cases
Each of the device slots are pre-configured to offer the following use cases:
- Custom Certificate Authentication
- Token Authentication
- Secure Boot (with key attestation)
- Over-the-Air (OTA) Verification
- Firmware Intellectual Property (IP) Protection
- Message Encryption
- Key Rotation
- I/O Protection Key
- Host Accessory Authentication
Visit the ATECC608B-TFLXTLS product page to learn more about the device’s features.
Are You Interested in AWS IoT Greengrass Hardware Security Integration?
Trust Platform Design Suite
Install the Trust Platform Design Suite software package to get started with any of the Trust&GO or TrustFLEX secure elements available with our Trust Platform. Our tutorial will guide you through the installation of the tools that will simplify your development from prototyping to production and accelerate your time to market.
CryptoAuth Trust Platform Development Kit
Part Number: DM320118
This USB-based development kit includes a SAM D21 MCU, debugger, mikroBUS™ socket and on-board ATECC608B secure element with Trust&GO, TrustFLEX and TrustCUSTOM options.
ATECC608B Trust Platform Kit
Part Number: DT100104
For use as an add-on board to the CryptoAuth Trust Platform Development Kit (DM320118), this kit provides a mikroBUS footprint for adding soldered-down versions of Trust&GO, TrustFLEX or TrustCUSTOM secure elements.
CryptoAuthentication™ SOIC Socket Kit
Part Number: AT88CKSCKTSOIC-XPRO
This board provides an SOIC8 socket to accommodate an ATECC608B or ATSHA204A secure element and an Xplained Pro (XPro) interface to develop solutions using the microcontrollers featured on our Xplained Pro boards.
CryptoAuthentication UDFN Socket Kit
Part Number: AT88CKSCKTUDFN-XPRO
This board provides a uDFN8 socket to accommodate an ATECC608B or ATSHA204A secure element and an Xplained Pro (XPro) interface to develop solutions using the microcontrollers featured on our Xplained Pro boards.
Secure UDFN click
This Click board™ from MikroElektronika provides a uDFN8 socket to accommodate an ATECC608B or ATSHA204A secure element and operate it on the CryptoAuth Trust Platform Development Kit (DM320118).
WiFi 7 click
This Click board™ from MikroElektronika includes an ATWINC1500 Wi-Fi® module which can be used to add TCP/IP and TLS links to the CryptoAuth Trust Platform Development Kit (DM320118).
Shuttle click
This Click board™ from MikroElektronika provides an easy and elegant solution for stacking up to four Click boards on a single mikroBUS™ socket.
mikroBUS Shuttle
This small add-on board is intended to be used with Shuttle click to expand the mikroBUS™ socket with additional stacking options. One Shuttle click can support up to four mikroBUS Shuttles, allowing a simple and elegant stacking solution for the Click board™ line of products.
- Documents
- Videos
- FAQ
- Definitions
- Archives
- Microchip University
AWS IoT Security: The New Frontiers
In this session from AWS re:Invent 2016, AWS explains the value of Just in Time Registration (JITR) and Bring you Own Certificate (BYOC) using an ATECC508A secure element.
AWS re:Invent 2016: Introduction to AWS IoT in the Cloud
In this session from AWS re:Invent 2016, an AWS IoT product manager discusses why protecting a devices identity is important and how it can be implemented using the ATECC508A secure element with the AWS IoT service.
Hardware Root of Trust with Google Cloud IoT Core and Microchip
Check out how to improve IoT security by securing the authentication between Google Cloud IoT Core and IoT devices using an ATECC608B secure element.
Internet of Things (IoT) Security Best Practices With Google Cloud (Cloud Next '19)
Security is a critical concern when deploying and managing IoT devices. Learn how Cloud IoT provisioning service simplifies the device provisioning and on-boarding experience for Cloud IoT customers and OEMs. We will demonstrate how to efficiently do bulk provisioning of 8-, 16- and 32-bit microcontrollers. You will also learn about best practices and practical examples of how to provision devices in the wild and keep them secure for their lifetime.
IoT Security: Solving the Primary Hurdle to IoT Deployments (Cloud Next '18)
Security is a huge hurdle to IoT deployment. No company wants to be in the news for having its product as part of a large, IoT-driven DDoS attack. In this session you will learn how Google and Microchip have partnered to offer a seamless and highly secure solution for IoT devices connecting to Google Cloud IoT.
Secure Authentication for LoRa® with the ATECC608B and The Things Industries (TTI) Join Server
In this archived Livestream event, our security experts discuss how to easily develop a LoRa-connected device with secure authentication using our robust, yet simple-to-use, hardware-based security solution using our ATECC608B secure element, SAM R34 radio and The Things Industries (TTI) join server.
Secure Provisioning Service with the Trust Platform for the CryptoAuthentication™ Device Family
In this episode of the Microchip SHIELDS UP! series of security webinars, we provide an overview of the Trust Platform service for the CryptoAuthentication™ family of devices. You will learn about the pre-provisioned Trust&GO, pre-configured TrustFLEX and fully customizable TrustCUSTOM options for the ATECC608B. You will also be given a high-level description of the on-boarding process and the basic information you need to get started with using the provisioning services available from our factories.
Secure Download Firmware Update (DFU)
Learn how to implement a secure, Over-the-Air (OTA) firmware update with a traditional microcontroller using a Microchip secure element such as the ATECC608B. This simple-to-use, cost-efficient and robust security implementation protects the key by verifying the signed code comes from a legitimate source. The key remains protected by leveraging the ATECC608B secure element. Both asymmetric and symmetric architectures are covered in the video.
AWS IoT Authentication Use Case
Microchip explains how hardware root of trust works using the ATECC608B secure element and AWS IoT. The Just In Time Registration and Use Your Own certificates functions from AWS IoT allow large-scale authentication of automated systems, while maintaining security by protecting private keys from users, software and manufacturing backdoors.
Cryptography Primer (Part 1): Why Security Today?
During this tutorial about embedded security, Microchip discusses why security is an important consideration.
Cryptography Primer (Part 2): Authenticity, Integrity and Confidentiality
During this tutorial about embedded security, Microchip discusses the three key pillars of security: authentication, integrity and confidentiality.
Cryptography Primer (Part 3): Hashing, Secret Key and Symmetric Cryptography
In this video, learn about the basics of embedded security and how and when to use hashing.
Cryptography Primer (Part 4): Public Key and Asymmetric Authentication
During this tutorial about embedded security, Microchip discusses the concepts of asymmetric cryptography, illustrates how authentication can be implemented and highlights the importance of protecting private keys in hardware secure key storage.
Cryptography Primer (Part 5): Chain of Trust
In this cryptography primer tutorial, Microchip discusses how to implement robust authentication between a host and a client using Public Key Infrastructure (PKI).
Google Cloud IoT Core Authentication Use Case
Check out how Google Cloud IoT combined with the ATECC608B secure element strengthens device-to-cloud authentication. This flexible and TLS-agnostic implementation leverages the JWT token and optimizes code size to enable connectivity and security for very small microcontrollers.
Hardware Root of Trust for AWS IoT with ATECC608B
The threat model for IoT devices is very different from the threat model for cloud applications. During this session at AWS re:Invent, we discussed how all IoT solutions must incorporate end-to-end security from the start, how to mitigate threats and how to avoid common pitfalls. You will also learn about the steps to take in the manufacturing process, how to provision and authenticate devices in the field and how to comply with IT requirements during the maintenance phase of the product lifecycle.
How to Build a Secure Provision Workflow - The Things Conference 2019
Manipulating application and network server keys is not only a daunting process but also opens backdoors in LoRaWAN™ connected products. In this workshop recorded at The Things Conference 2019, you’ll find out how to use Microchip’s secure element to build a secure provision workflow and strengthen authentication to The Things Industry’s (TTI’s) join server.
Secure Boot for Small Microcontrollers
Learn how to implement a secure boot architecture on very small microcontrollers using the ATECC608B secure element. Keys are protected from users, factory operators and equipment as well as software.
Secure Boot with ATECC608B
Learn how to architect a secure boot with Microchip's ATECC608B secure element. This solution implements strong security by verifying the signed boot image of a small microcontroller with an immutable public key kept in the secure element.
General Questions:
Q: How can I get started with the Trust Platform?
A: Use the “Let Us Guide You to the Right Option” on the Trust Platform page, which will help you take the first step. You will find additional information about getting started with Trust&GO, TrustFLEX and TrustCUSTOM on their pages.
Q: I am a distribution partner. How do I enroll in the Trust Platform program?
A: Contact your local Microchip sales office to request assistance with joining the program.
Trust&GO Questions:
Q: Do I need to contact Microchip to provision my Trust&GO secure element?
A: No. When you buy the device, it is already provisioned with keys and certificates specific to the use case you have selected that are locked inside the device. Trust&GO cannot be altered and is intended to be used as is.
Q: Where can I obtain the public keys and certificates for my Trust&GO device?
A: Log into your customer account at the ecommerce website where you purchased the device after device shipment, and you should be able to download a manifest file containing all the necessary public keys and certificates. Contact the vendor if you have any trouble finding this file.
TrustFLEX Questions:
Q: Do I need to contact Microchip to provision my TrustFLEX secure elements?
A: Yes. When you buy the device, it comes pre-configured with your selected use case(s). By default, the TrustFLEX device also come with keys and generic certificates for thumbprint authentication that are overwritable internally if you have not already locked them using the lock bit. While the configuration cannot be altered, the default credentials can be changed if you have not already locked them. If you decide to use the default credentials, you will have to lock them after receiving the device. If you don’t want to use the default credentials, you can replace them with yours and then lock them. After you have made your decision, create the secret packet exchange, encrypt it and upload it into a support ticket on Microchip’s technical support portal. We will provision your devices and ship them according to your instructions.
Q: Where can I obtain the public keys and certificates for my TrustFLEX device when I use the default credentials?
A: Log into your customer account at the ecommerce website where you purchased the device after device shipment, and you should be able to download a manifest file containing all the necessary public keys and certificates. Contact the vendor if you have any trouble finding this file. WARNING: If you have overwritten the default credentials in your device, the manifest file will no longer be compatible with the device’s new credentials.
TrustCUSTOM Questions:
Q: Do I need to contact Microchip to provision my TrustCUSTOM secure element?
A: Yes. When you buy the device, it will be blank. You will need to use the TrustCUSTOM configurator, which is available under Non-Disclosure Agreement (NDA) to define the configuration, create the secret packet exchange, encrypt it and upload it into a support ticket on Microchip’s technical support portal. We will provision your devices and ship them according to your instructions.
Q: Where can I obtain the secret packet exchange for my TrustCUSTOM device?
A: This utility is only available through a Non-Disclosure Agreement (NDA). Contact your local Microchip sales office or distributor to request it.
Q: Where can I get the full data sheet for my TrustCUSTOM device?
A: This document is only available through a Non-Discloser Agreement (NDA). Contact your local Microchip sales office or distributor to request it.
Credentials: Identity verification tools or methods that include X.509 certificates, generic certificates for thumbprint authentication, keys and data packets
Customization: The action of creating a unique device/system through its configuration and set of secrets
Firmware Verification: When a key and cryptographic operation are used to verify a signed image on a device at boot up or during run time
IP Protection: When a key and a cryptographic operation are used to verify signed (or hashed) firmware that is considered Intellectual Property (IP) of a product
Key(s): A set of binary numbers that is used to trigger a cryptographic algorithm that implements asymmetric or symmetric encryption
Over-the-Air (OTA) Verification: When a key and a cryptographic operation are used to verify a signed image that has been loaded into a connected device by a push notification from a cloud service
PKI: Public Key Infrastructure
Provisioning: The action of generating a credential into an embedded storage area
Birth Certificate: An X.509 certificate not issued by a certificate authority company that is used for authentication to the cloud
Use cases:
Custom Certificate Authentication: Use the default generic certificates for thumbprint authentication already inside the TrustFLEX device or overwrite them with your own certificates.
Token Authentication: Leverage a private key to perform an Elliptic Curve Digital Signature Algorithm (ECDSA) sign operation on a token that will be verified by its corresponding public key somewhere else in the network.
Secure Boot (with key attestation): Perform an ECDSA verification at boot using a public key corresponding to a private key used to sign the code which the system will boot from. The public key becomes highly sensitive as it will allow a system to boot.
Over-the-Air (OTA) Verification: Perform an ECDSA verification after an update using a public key corresponding to a private key used to sign the code the system will be updated with. The public key becomes highly sensitive as it will allow a system to be updated with a new code that needs to be trusted.
Firmware Intellectual Property (IP) Protection: Perform a verification during the system runtime using a key corresponding the one used to sign the code the system will run on. The verification key becomes highly sensitive as it will allow a system to run on a genuine code image.
Message Encryption: Provides the capability to encrypt a very small packet of data using the integrated hardware Advanced Encryption Standard (AES) engine.
Key Rotation: Provides the capability to rotate private keys within the secure boundaries of the secure element.
I/O Protection Key: Provides the capability to uniquely pair the MCU and the secure element.
Host Accessory Authentication: Provides the capability to create an ecosystem control strategy by having a main host authenticate its peripherals using a basic PKI architecture.
AWS IoT Core Certificate-Based Secure Authentication with 32-bit Microcontroller and ATECC508A
AWS IoT Core Certificate-Based Secure Authentication with 32-bit Microcontroller and ATECC608A
Google IoT Core Token-Based Secure Authentication
LoRa®-Based Secure Authentication for The Things Industries
Secure Boot Verification Assistance Using Small Microcontrollers and ATECC608A
