SRAM PUF-based Authentication Software Module for IoT Devices
In the vastly growing Internet of Things it is increasingly important that devices and data can be trusted. Spartan is a family of software modules for authenticating chips to each other and to networked services. The Spartan products extract device- unique unclonable keys from the uniqueness that is inherent to every piece of silicon. These keys give microcontrollers and other semiconductors device-unique unclonable identities which serve as root-of-trust in the ecosystem.
Intrinsic ID’s Spartan-Cloud is the world’s first security software for IoT devices that combines SRAM Physical Unclonable Function (PUF) technology with elliptic curve key agreement. It allows IoT designers to provision their products with secure keys and platform-compliant certificates in a scalable and cost-efficient way. These assets are needed to set up a mutual authentication session upon connection with the cloud platforms like AWS IoT. Authentication requires generation of a device-unique private key that must remain private and secured for the entire life of the device, from manufacturing to end-of-life. By using Spartan-Cloud, the unclonable private key is generated on the device and reconstructed when needed. It is never stored nor exposed and not visible when the device is powered off.
The Spartan-Cloud AWS-IoT embedded software module can be added to IoT devices at any stage in the production process and is portable to any CPU or operating system. No hardware an – C lo u d – A c S – I o T us tom izat ion is ne eded an W d retr ofit tin g ex isting devices is possible.
- Seamless integration of security into any IoT product
- No need for a separate crypto chip on the device
- Internally generates private keys – solves the sensitive key handling problem
- Tamper-resistant, device-unique unclonable keys that are not stored and never exposed
- Hardware-based security – In line with the strategic principles of the U.S. Department of Homeland Security for securing the IoT
- No human intervention required; automatic onboarding to the web service upon initial connection
- Portable to virtually all CPUs, operating systems, and platforms
Spartan-Cloud Authentication Module
The Spartan-Cloud embedded authentication module enables mutual authentication upon connection with AWS IoT. It contains a crypto library and an SRAM PUF key generation module that generates a device-unique private key (ECC NIST P256 curve) from the SRAM in the chip. The Spartan-Cloud library provides an API to applications in conjunction with the cloud service connection library. Running Spartan-Cloud on the CPU of a device sets up an authenticated TLS connection with the cloud platform based on its device- unique key. The private key never leaves the security perimeter and is not visible when the device is powered off.
- Seamless integration with Amazon Web Services IoT SDK*
- Keeps private key secure
- Strong authentication based on an unclonable device-unique key established from SRAM PUF
- Well-defined security boundary within the chip
- Connects to third-party TLS library (e.g. mbed TLS)
- Strong IoT Node Security and ID – Device-unique authentication of IoT end-node to the web service
- Anti-Counterfeiting – Ensures only OEM/licensed nodes (and accessories) work
- Anti-Cloning – Prevents building with identical BOM or stolen code
- Message Security – Authentication, message integrity and confidentiality of network nodes
- Spartan-Cloud authentication library (embedded SW): compiled for a specific target CPU and specific connected TLS library
- SRAM PUF key generation module
- Modified version of the available TLS library, such that it connects to Spartan-Cloud embedded library
- Certificate generation tool that can be run on Windows/Linux server for setting up device identity certificates. Optionally it connects to an external Certificate Authority such as GlobalSign.
- Cloud Authentication Control Tool (Operator/Service Provider) – Optional
- 1KB of uninitialized SRAM memory available on the chip
- The ability to run cloud connection software (e.g. MQTT) with supporting TLS security library