In this blog, we will learn about hardware security and its importance, and briefly discuss the hardware-based security solutions available from Infineon.
Need for Hardware Security:
In recent years, the exponential growth of technology has opened doors for a wide range of public and private applications by sharing and analyzing generated data. This includes smart home, e-Health Care, transport ticketing, trusted computing, autonomous vehicles, smart grid, and smart manufacturing. With the plethora of opportunities that this exchange of data brings, it also opens the gates for a multitude of security risks and challenges.
For example, if an attacker takes control of an embedded device used in a car for autopilot, the attacker can then control the car, potentially causing fatal damage. Another example we regularly come across is devices on the internet being hit by attacks such as Denial-of-Service (DoS), botnets, Man-in-the-Middle, and ransomware, which are used to gain access and lead to data leaks. Let us analyze one such attack here.
Power analysis attacks use a device's power consumption, which leaks information about the operations it performs, to attack that device. For example, consider a microcontroller in which the AES algorithm is implemented in software. Each instruction of the algorithm exercises different components of the microcontroller, such as the Arithmetic Logic Unit or a peripheral. A move instruction that operates on data in internal memory, for instance, takes only a few cycles compared with one that accesses external memory. Because different operations exhibit different power profiles, an observer can determine what type of operation is being performed at a given time.
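To make the leakage described above concrete, here is an added example (not code from the original post or from Infineon) that simulates the "power profile" as a count of executed loop steps: a byte comparison with a data-dependent early exit produces a profile that changes with the secret, while the constant-time version, the usual software mitigation, does not. The cost model and the 8-byte secret are constructed for the illustration.

```c
/* Added illustration, not Infineon's code: a constructed cost model in which
   each executed loop step costs one "power unit", so the length of the
   simulated trace stands in for the power profile described above. */
#include <stdint.h>
#include <string.h>

/* Early-exit compare: the step count reveals the index of the first mismatch. */
static int leaky_compare(const uint8_t *a, const uint8_t *b, size_t n, size_t *units)
{
    *units = 0;
    for (size_t i = 0; i < n; i++) {
        (*units)++;
        if (a[i] != b[i])
            return 0;                 /* data-dependent branch: trace ends here */
    }
    return 1;
}

/* Constant-time compare: always n steps, mismatch accumulated without a branch. */
static int ct_compare(const uint8_t *a, const uint8_t *b, size_t n, size_t *units)
{
    uint8_t diff = 0;
    *units = 0;
    for (size_t i = 0; i < n; i++) {
        (*units)++;
        diff |= (uint8_t)(a[i] ^ b[i]);
    }
    return diff == 0;
}

/* Returns 1 if the simulated profile changes with the guess (secret-dependent). */
static int profile_varies(int (*cmp)(const uint8_t *, const uint8_t *, size_t, size_t *),
                          const uint8_t *secret, size_t n)
{
    uint8_t guess[16] = {0};
    size_t base, units;
    cmp(secret, guess, n, &base);         /* baseline: guess shares no prefix */
    for (size_t i = 1; i < n && i <= sizeof guess; i++) {
        memcpy(guess, secret, i);         /* guess now shares an i-byte prefix */
        cmp(secret, guess, n, &units);
        if (units != base)
            return 1;
    }
    return 0;
}

/* Constructed 8-byte secret with no zero bytes, so guess i mismatches at byte i. */
static const uint8_t SECRET[8] = {0x4a, 0x11, 0x9c, 0x03, 0x7e, 0x21, 0x55, 0x88};
int leaky_profile_varies(void) { return profile_varies(leaky_compare, SECRET, sizeof SECRET); }
int ct_profile_varies(void)    { return profile_varies(ct_compare, SECRET, sizeof SECRET); }
```

On real silicon the same effect appears as differences in the measured power trace rather than in a step count; the secure elements discussed below move such operations into dedicated hardware designed to resist this class of observation.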
Comparison of different security environments:
Figure 1 Comparison of different security environments
Software security:
In software security, protection against vulnerabilities comes in the form of software installed on the hardware of a system. On the downside, it is prone to side-channel attacks because code and data are exposed to the outside world.
Trusted Execution Environment (TEE):
A TEE runs code on shared hardware and protects the executing code and data in terms of confidentiality (only authorized users can access the data) and integrity (no one can change the code or its behaviour). On the downside, it remains subject to leakage that may lead to microarchitectural attacks such as fault injection and Rowhammer attacks.
Hardware security:
To protect sensitive data in hardware, the protection comes in the form of a specifically designed integrated circuit with its own memory, hardware implementations of cryptographic algorithms, and secure key storage. The OPTIGA™ Trust family provides a number of key and data objects which hold user- or customer-related keys and data securely.
Our hardware-based approach has two advantages:
OPTIGA™ Trust products:
The OPTIGA™ Trust product family offers a full range of security chips to address individual needs in the field of embedded authentication, brand protection, and other security applications. Features of the different products in the OPTIGA™ Trust family are given in Table 1. The family supports a wide range of cryptographic algorithms such as RSA, ECC, AES, and SHA.
Some of the benefits of using OPTIGA™ Trust products are:
Table 1 Overview of OPTIGA™ Trust family

| | OPTIGA™ Trust B | OPTIGA™ Trust E | OPTIGA™ Trust X | OPTIGA™ Trust M |
|---|---|---|---|---|
| Interfaces | SWI | I2C | I2C | I2C (Shielded Connection) |
| NVM | -- | 3 kByte | 10 kByte | 10 kByte |
| Asymmetrical cryptography | ECC 131-bit | ECC 256-bit | ECC 256-bit | ECC 256-bit, ECC 384-bit, RSA 1024-bit, RSA 2048-bit |
| Typical applications | Authentication of consumer electronics, accessories, original replacement parts | PKI networks, consumer electronics, smart home, industrial automation, Internet of Things (IoT), authentication of system services and accessories, original replacement parts, smart metering, system configuration management, IP/software protection | Internet of Things (IoT), smart home, industrial automation, consumer electronics, smart metering, authentication of system services and accessories, original replacement parts, secure communication, IP/software protection | Mutual authentication, secured communication, secured updates, key provisioning, life-cycle management, data store protection, power management, platform integrity protection |
| Certifications | -- | -- | CC EAL 6+ (high) for the HW | CC EAL 6+ (high) for the HW |