Digital Authentication for Internet of Things and Embedded Applications
SPARTAN is a family of digital authentication software modules for authenticating IoT endpoints, enabling anti-counterfeiting and anti-cloning. The SPARTAN products utilize Intrinsic ID’s patented SRAM PUF technology to give microcontrollers and other semiconductors unique identities, which serve as the foundation for a security subsystem. SPARTAN is built on top of Intrinsic ID’s flagship BROADKEY software and enables a software approach for providing hardware-based security that can be implemented on virtually any CPU.
Intrinsic ID’s SPARTAN CLOUD is the world’s first security software for IoT devices that combines SRAM Physical Unclonable Function (PUF) technology with elliptic-curve key agreement. It allows IoT designers to provision their products with secure keys and platform-compliant certificates in a scalable and cost-efficient way. These assets are needed to set up a mutual authentication session upon connection with cloud platforms like AWS IoT. Authentication requires generation of a device-unique private key that must remain private and secured for the entire life of the device, from manufacturing to end-of-life. With SPARTAN CLOUD, the unclonable private key is generated on the device and reconstructed when needed. It is never stored or exposed, and it is not visible when the device is powered off.
The SPARTAN CLOUD AWS-IoT embedded software module can be added to IoT devices at any stage in the production process and is portable to any CPU or operating system. No hardware customization is needed and retrofitting existing devices is possible.
- No need for a separate crypto chip on the device
- Internally generates private keys – solves the sensitive key handling problem
- Tamper-resistant, device-unique unclonable keys that are not stored and never exposed
- Hardware-based security – In line with the strategic principles of the U.S. Department of Homeland Security for securing the IoT
- No human intervention required; automatic onboarding to the web service upon initial connection
- Portable to virtually all CPUs, operating systems, and platforms
- Strong IoT Node Security and ID – Device-unique authentication of IoT end-node to the web service
- Anti-Counterfeiting – Ensures only OEM/licensed nodes (and accessories) work
- Anti-Cloning – Prevents building with identical BOM or stolen code
- Message Security – Authentication, message integrity and confidentiality of network nodes
- Seamless integration with Amazon Web Services IoT SDK*
- Supports Bring-Your-Own-Certificate (BYOC) and Just-In-Time-Registration (JITR)
- Keeps private key secure
- Strong authentication based on an unclonable device-unique key established from SRAM PUF
- Well-defined security boundary within the chip
- Connects to third-party TLS library (e.g. mbed TLS)
- SPARTAN CLOUD authentication library (embedded SW): compiled for a specific target CPU and specific connected TLS library.
- Modified version of the available TLS library, adapted so that it connects to the SPARTAN embedded library
- Certificate generation tool that can be run on a Windows/Linux server for setting up device identity certificates. Optionally, it connects to an external Certificate Authority such as GlobalSign.
- 1 KB of uninitialized SRAM available on the chip
- The ability to run cloud connection software (e.g. MQTT) with supporting TLS security library
SRAM PUF Benefits
- Device-unique, unclonable fingerprint
- Leverages entropy of manufacturing process
- No key material programmed
- Secure Key Storage
- Flexible Key Provisioning
- HW-SW Binding
- Supply Chain Protection
- 256- or 128-bit key entropy
- Highly reliable across large range of operating environments and on every technology node
- Lifetime > 25 years
- Requires uninitialized SRAM