Atmel Trusted Platform Module June, 2014

Transcription

1 Atmel Trusted Platform Module June, Atmel Corporation

2 What is a TPM? The TPM is a hardware-based secret key generation and storage device providing a secure vault for any embedded system Four Primary Capabilities Platform Integrity Authentication Secure Communication IP Protection Asymmetric Algorithm (RSA) Supports 512, 1024, & 2048 keys SHA-1 Hashing HMAC Atmel Corporation

3 Atmel TPM Basic Architecture I/O Non-Volatile Storage uc 8-AVR Program Code Volatile Storage Opt-In SHA-1 Platform Configuration Registers (PCR) RSA Engine Key Generation Trusted Platform Module (TPM) Packaging RNG AIK Atmel Corporation

4 Hardware Security Features Strong Multi-Level HW Security: Active shield over entire chip All memories internally encrypted Data independent crypto execution Randomized math operations Internal state consistency checking Voltage tampers, isolated power rail Internal clock generation Secure test methods, no JTAG No debug probe points, no test pads No package or die identification Designed to Defend Against: Microprobe attacks Timing attacks Emissions attacks Faults, invalid command attacks Power cycling, clock glitches Partial personalization attacks ATMEL Crypto Devices Standard Devices Atmel Corporation

5 Symmetric Key Encryption Symmetric Key Algorithms use the same key to encrypt AND decrypt data AES & DES are examples of widely used symmetric algorithms Alice s Kingdom Bob s Kingdom Distributing the SHARED KEY is a major security risk Atmel Corporation

6 Asymmetric Key Encryption Asymmetric algorithms use two related keys (Public & Private) for data encryption and decryption Public keys freely distributed with NO security risk Private keys are NEVER exposed RSA and ECC are examples of asymmetric algorithms Only Bob can decrypt using Bob s Private Key Do you want Alice encrypts message with Bob s Public Key to meet for dinner? Data is protected no matter who is watching or listening Atmel Corporation

7 Platform Integrity Secure Boot Platforms configured with many different SW modules Problem: Modules may be maliciously corrupted Platform may not be trusted Files could be intercepted How the TPM can help TPM stores hash value of each boot module in protected HW Verifies no unauthorized changes made to any module Firmware, Software or Hardware Can verify that at a particular time, that a particular system was in a TRUSTED state Real time audits can verify platform state at any time Atmel Corporation 7

8 Authentication In order for devices to gain access to a network or service they should be authentic Typical applications are Servers, Routers, AP s, Switches, MFP s and Femtocells/Microcells Store keys in protected hardware Need ability to deny access to unauthorized user Clone, generic, or non-subscription devices should not be able to access services not paid for Problem: Before allowing full access and functionality, how do I ensure it is authentic? Ways TPM can help Keys are generated and protected by TPM Certificates can be created and protected by TPM Authorization check can be done inside the TPM Sign & Verify commands utilize 2048-RSA PKI White list of good public keys provides for access only by authentic and trusted devices anywhere around the world Atmel Corporation

9 Secure Communication and Updates May be desire to send FW updates securely Add new functionality only to authentic systems Smart Home Networking Applications Problem: This equipment needs to be connected over a network Vulnerable to a remote attack with unauthorized FW updates How can the TPM help? Create session keys for encrypting data transmitted across a network (Only after authenticating) Sign FW updates and TPM can verify signature before allowing Keys are stored inside the TPM Hardware vault Encrypt data to be transmitted using recipient s public key Atmel Corporation

10 TPM Market Trends Where? Anything on a network! Tablets & PC s Access Points MFP s LTE base stations Servers/uServers Gambling gaming machines Smart Home Networking Fiscal Cash Registers Why? Standards based PKI > 200 TCG Member Companies FIPS in end product RFQ s Atmel Corporation

11 Anything networked is a good application for TPM! Atmel Corporation

12 TPM Offering Today and Tomorrow Atmel Corporation

13 AT97SC3204 Today & Tomorrow First TPM vendor supporting Industrial Grade (-40C to +85C) Key gen > 4x faster than previous generation Internal MCU running at 66MHz Atmel signed Endorsement Key Full X.509 Certs available Small certs also available Optional Field Upgrade supported Configurable Failed-Authorization Attempts Counters (0-1024) Supported in both a 4.4mm and 6.1mm 28-TSSOP + 6mm x 6mm 40-QFN/MLF (4x4mm 32-QFN 1Q14) Interfaces: LPC, I2C Introducing FIPS-Flex Mode - AT97SC3204-X4 Series Ability to permanently set FIPS or Standard mode at CM or after Atmel Corporation

14 AT97SC3204 & 3205 FIPS Certified Atmel Corporation

15 Introducing FIPS/Flexible Mode Atmel Corporation

16 Atmel Advantages Atmel continues to release new generation TPM s supporting Industry needs World s first FIPS certified vendor High speed crypto calculations SelfTestFull well below the industry target Low power auto-hibernation feature Supporting 4x4mm QFN Widest temp range supported -40C to +85C Optional Small & Full-cert & field upgrade support Atmel Corporation