We detect you are using an unsupported browser. For the best experience, please visit the site using Chrome, Firefox, Safari, or Edge. X
Maximize Your Experience: Reap the Personalized Advantages by Completing Your Profile to Its Fullest! Update Here
Stay in the loop with the latest from Microchip! Update your profile while you are at it. Update Here
Complete your profile to access more resources.Update Here!
0
$0.00
Item Qty
Your cart is empty.

AWS IoT Greengrass Hardware Security Interface (HSI)

Implemented With the ATECC608B Secure Element

When it comes to IoT security, private keys are the most sensitive material. If a private key is accessed by an unintended party, that person can impersonate the IoT hardware and undertake undesired or malicious operations. Because of this, the most basic security practice to follow is to implement a secured hardware root of trust to remove exposure of private keys to software, firmware, manufacturing sites, end users or other third parties. Our ATECC608B secure element provides a JIL “high” rated secure key storage area to isolate keys. This is especially valuable in Linux® environments where software is a living entity and software backdoors to keys are likely to show up.

To help with adding hardware secure key storage, Amazon Web Service (AWS) offers IoT Greengrass Hardware Security Integration as part of its IoT Greengrass Core software. It is an interface between the IoT Greengrass Core and a hardware secure module based on PKCS#11. The ATECC608B is used in this implementation as the hardware secure key storage to isolate private keys needed for the authentication between AWS IoT and AWS IoT Greengrass from the Linux-based system enabled with IoT Greengrass. This microprocessor-agnostic solution adds true hardware secure key storage to any Linux-based IoT products. The ATECC608B is now part of the AWS Device Qualification Program supporting AWS IoT Greengrass.

Open User Manual
Read AWS Partner Network (APN) Blog Tutorial

What Are the Benefits of Using the AWS IoT Greengrass Hardware Security Integration?

  • Leverage secure elements for AWS IoT Greengrass ecosystems
  • Provide a unique, trusted and protected identity
  • Optimum hardware security with secure key storage
  • Use standard PKCS#11 interface   
  • Anti-tampering protection
  • Side-channel attack protections
  • JIL rated “high” secure key storage

What Is a PKCS#11 Interface?

PKCS#11 is part of the Public Key Cryptography Standard (PKCS). To put it simply, it’s an interface or API that defines the communication between a controller (microcontroller or microprocessor) and a Hardware Secure Module (HSM). The ATECC608B is the HSM in the IoT Greengrass Hardware Security Integration. 

Why Is Secure Hardware Key Storage Important?

Security is often mistaken with encryption. Encryption alone doesn’t solve security. It’s not because a key is encrypted and stored that the system can be secure as firmware and software bugs will always exists. Bugs are a natural part of coding. In addition, there is another considerable attack surface to consider during the manufacturing process where keys and other cryptographic assets can be severely exposed to employees and equipment. All these backdoors are attack surfaces to spoof a private key. The usage an ATECC608B secure element combined with Microchip’s provisioning service will help to reduce significantly the exposure of your keys from software, firmware, manufacturing, third-party companies and users. The ATECC608B has been rated JIL “High” demonstrating its high robustness on protecting keys.

How Does IoT Greengrass Hardware Security Integration Work?

There are two authenticated links that IoT Greengrass Hardware Security Integration will look in for a signature:

  • The authentication between the IoT Greengrass Core to AWS IoT
  • The authentication from the IoT Greengrass Core to the IoT edge node connected to the gateway.

Both authentication paths rely on a mutual TLS1.2 protocol. Consequently, the system could require two private keys to address the two authentication links, one for each. Alternatively, a single private key can be used to authenticate both links. The choice will depend on the application and the security model decided on by the designer. The IoT edge node will still require having its own private key to be stored in a secure element like the ATECC608B within the end-node itself.

Learn About Secure Authentication for AWS IoT Edge Nodes
Read This Tutorial on the AWS Partner Network (APN) Blog

The scalable IoT Greengrass Hardware Security Integration relies on a PKCS#11 interface. This architecture makes the usage of a secure element very portable from one Linux-based design to another, saving significant development time and accelerating time to market.

Start Developing Your IoT Greengrass Hardware Security Integration Solution

  • Step one: Buy the Secure 4 click and the adapter that already includes the ATECC608B and the Raspberry Pi® to mikroBUS™ adapter from MikroElektronika.
  • Step two: Procure a Linux system such as a Raspberry Pi (example documented) or a Microchip SAMA5Dx MPU.
  • Step three: Go to the user manual hosted on GitHub and start implementing the ATECC608B secure element within your IoT Greengrass-enabled system.
  • Step four: Use AWS IoT Greengrass documentation to get started with IoT Greengrass and deploy IoT Greengrass Core software to your device. Follow directions for making changes to your config.json file to use the ATECC608B private key.
  • Benefit from strong authentication between AWS IoT Core and AWS IoT Greengrass with secure key storage.