Connected devices have become a vital part of our lives, impacting everything from our homes to our offices and factories, even improving our health and fitness. However, these IoT devices have also become an increasingly attractive target for cyber criminals. More connected devices mean more attack vectors and more possibilities for hackers to target us. Last week at Arm TechCon, we announced Arm CryptoCell-312, the latest product in the CryptoCell line-up (which includes the CryptoCell-700 family and the CryptoCell-300 family).
The CryptoCell-700 family is geared towards high performance, typically aimed at devices and use cases, which involve an Arm Cortex-A processor under-the-hood. The CryptoCell-300 family is created with high efficiency in mind, typically aimed at devices and use cases involving an Arm Cortex-M or an Arm Cortex-R processor. These are typically designs optimized for low power and low area.
We all know that the IoT will encompass a whole range of intelligent devices. Many of these new devices will require sophisticated security systems, meaning we need to bring security to even the smallest of embedded devices. The brand new Arm CryptoCell-312, has been optimized to complement the small, ultra-low power characteristics of the Cortex-M family (including the new Cortex-M23 and Cortex-M33), allowing you to simplify the design of secure systems.
Well, CryptoCell complements Arm TrustZone and fortifies device security. TrustZone provides isolation and gives Arm partners the capability to partition the system, creating a secure execution environment. Using TrustZone prevents software vulnerabilities in one execution environment being exploited to gain access into another. However, isolation is just one part of security – for a comprehensive security platform you need additional roots of trust and security mechanisms. This is where you add CryptoCell into your designs.
CryptoCell-312 is partitioned into 5 domains:
This partitioning helps us maintain a modular approach, which enables all kind of PPA trade-offs. CryptoCell addresses the control and scheduling aspects, data interfaces, cryptography (symmetric and asymmetric) and the various security resources, which turns a cryptographic accelerator into a security solution.
The security resources domain is where platform security elements are enabled, typically using cryptography and off-device tools. These include: lifecycle, ROT management, RNG, key slot policies, provisioning, software image validation (boot time, update time), IP protection (code confidentiality), persistent and volatile data protection, secure debug / DFT and feature enablement.
There are three main reasons why you’d want to use CryptoCell-312 in your new IoT device:
CryptoCell-312 enables you to have a full set of security services, over a range of deeply embedded form factors. It provides you with a security platform providing cryptographic and security services, tailored to deal with different needs and threat models.
CryptoCell-312 offers enhanced performance – offering a 10x faster cryptography performance when compared with software only operations on cryptography tasks. This drives improved energy efficiency, security and enables better user experiences, for example in the case of a smart door lock (see below).
IoT devices are often created in fragmented ecosystems, CryptoCell-312 allows trust between stakeholders. This in turn allows multiple entities to monetize their investments without having to trust other parties.
There are many applications where security is needed. One such area is smart locks, which have grown in popularity but several do not have adequate security. Some examples of inadequate security include Bluetooth locks that store passwords in plain text and anyone with a Bluetooth sniffer can readily gain access. Other smart locks are vulnerable to replay attacks, which means a hacker can grab data over the air when a legitimate user unlocks the door and they then just replay that data to gain access.
A secure Smart lock should be capable of authenticating a home owner’s device (for example, a mobile phone) attempting to open the door. One way to achieve this is with a back-end cloud service that could be used for lock initialization and authorization.
A homeowner buys a smart lock and the package includes a QR code. The QR code includes an App reference and a unique identifier. Once scanned, a mobile lock application is installed on their phone.
The secure application then goes through a registration phase with the lock cloud server. When complete, the mobile device is provisioned with an admin key pair and a certificate (signed by the lock manufacturer) unique for that lock.
The lock can then securely authenticate requests (for example “open door”) from that mobile phone and open the door upon successful verification.
To enable these services, there are several security mechanisms that the lock needs to have. These mechanisms include:
CryptoCell-312 is one of the key technologies needed to enable these security mechanisms and provide a security platform for the smart lock system.
Together with TrustZone, CryptoCell-312 can form a security solution providing cryptographic services and platform security services, tailored to deal with different needs and threat models.
Find out more about CryptoCell-312
is Cryptocell-312 needed for Kigen?