Atmel Trusted Platform Module, June 2014
2014 Atmel Corporation
What is a TPM?
The TPM is a hardware-based secret key generation and storage device providing a secure vault for any embedded system.
Four primary capabilities:
- Platform Integrity
- Authentication
- Secure Communication
- IP Protection
Cryptographic functions:
- Asymmetric algorithm (RSA), supporting 512-, 1024- and 2048-bit keys
- SHA-1 hashing
- HMAC
Atmel TPM Basic Architecture
(Block diagram of the Trusted Platform Module (TPM) packaging, showing: I/O, non-volatile storage, 8-bit AVR microcontroller (uC) with program code, volatile storage, Opt-In, SHA-1 engine, Platform Configuration Registers (PCR), RSA engine, key generation, RNG, and AIK.)
Hardware Security Features
Strong multi-level HW security:
- Active shield over entire chip
- All memories internally encrypted
- Data-independent crypto execution
- Randomized math operations
- Internal state consistency checking
- Voltage tampers, isolated power rail
- Internal clock generation
- Secure test methods, no JTAG
- No debug probe points, no test pads
- No package or die identification
Designed to defend against:
- Microprobe attacks
- Timing attacks
- Emissions attacks
- Faults, invalid command attacks
- Power cycling, clock glitches
- Partial personalization attacks
(Figure: Atmel crypto devices compared with standard devices.)
Symmetric Key Encryption
- Symmetric key algorithms use the same key to encrypt AND decrypt data
- AES and DES are examples of widely used symmetric algorithms
- Distributing the SHARED KEY is a major security risk
(Figure: the shared key must travel between Alice's kingdom and Bob's kingdom.)
Asymmetric Key Encryption
- Asymmetric algorithms use two related keys (public and private) for data encryption and decryption
- Public keys are freely distributed with NO security risk
- Private keys are NEVER exposed
- RSA and ECC are examples of asymmetric algorithms
(Figure: Alice encrypts the message "Do you want to meet for dinner?" with Bob's public key; the ciphertext travels as a bit string; only Bob can decrypt it using Bob's private key. Data is protected no matter who is watching or listening.)
Platform Integrity: Secure Boot
Platforms are configured with many different SW modules.
Problem:
- Modules may be maliciously corrupted
- Platform may not be trusted
- Files could be intercepted
How the TPM can help:
- TPM stores the hash value of each boot module in protected HW
- Verifies that no unauthorized changes were made to any module (firmware, software or hardware)
- Can verify that, at a particular time, a particular system was in a TRUSTED state
- Real-time audits can verify the platform state at any time
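The measured-boot check described above, as an added example that is not part of the Atmel deck: it models a TPM 1.2 style SHA-1 PCR (the extend operation is SHA-1(old PCR || measurement)), folds the hash of each boot module into the PCR in load order, and audits the result against a whitelist of known-good PCR values. The module images and the whitelist are constructed, hypothetical data.

```python
import hashlib
import hmac

# TPM 1.2 PCRs are 20-byte SHA-1 registers that reset to all zeros and can only
# be changed through the extend operation, never written directly.
PCR_SIZE = 20

def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM 1.2 extend semantics: new_pcr = SHA-1(old_pcr || measurement)."""
    if len(pcr) != PCR_SIZE or len(measurement) != PCR_SIZE:
        raise ValueError("PCR and measurement must be 20-byte SHA-1 digests")
    return hashlib.sha1(pcr + measurement).digest()

def measure_boot(modules):
    """Hash each boot module in load order and fold it into a single PCR."""
    pcr = bytes(PCR_SIZE)
    for image in modules:
        pcr = pcr_extend(pcr, hashlib.sha1(image).digest())
    return pcr

def platform_trusted(pcr: bytes, known_good) -> bool:
    """Compare the reported PCR against the whitelist of expected values."""
    return any(hmac.compare_digest(pcr, good) for good in known_good)

# Constructed stand-ins for firmware, bootloader and kernel images (hypothetical).
GOOD_CHAIN = [b"firmware-v1", b"bootloader-v1", b"kernel-v1"]
# Whitelist recorded from a known-good boot of the same chain.
KNOWN_GOOD = [measure_boot(GOOD_CHAIN)]

def audit(modules):
    """Return (trusted, pcr_hex) for a boot chain, as a real-time audit would."""
    pcr = measure_boot(modules)
    return platform_trusted(pcr, KNOWN_GOOD), pcr.hex()

if __name__ == "__main__":
    print("clean boot:     ", audit(GOOD_CHAIN))
    # Any change to any module, or a change in load order, yields a different PCR.
    print("modified kernel:", audit(GOOD_CHAIN[:2] + [b"kernel-v1-modified"]))
    print("reordered boot: ", audit(GOOD_CHAIN[::-1]))
```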
Authentication
- In order for devices to gain access to a network or service they should be authentic
- Typical applications are servers, routers, APs, switches, MFPs and femtocells/microcells
- Store keys in protected hardware
- Need the ability to deny access to unauthorized users
- Clone, generic, or non-subscription devices should not be able to access services not paid for
Problem: Before allowing full access and functionality, how do I ensure the device is authentic?
Ways the TPM can help:
- Keys are generated and protected by the TPM
- Certificates can be created and protected by the TPM
- Authorization checks can be done inside the TPM
- Sign and Verify commands utilize 2048-bit RSA PKI
- A whitelist of good public keys provides access only to authentic and trusted devices anywhere around the world
Secure Communication and Updates
- May be a desire to send FW updates securely
- Add new functionality only to authentic systems
- Smart Home Networking applications
Problem: This equipment needs to be connected over a network, so it is vulnerable to a remote attack with unauthorized FW updates.
How can the TPM help?
- Create session keys for encrypting data transmitted across a network (only after authenticating)
- Sign FW updates; the TPM can verify the signature before allowing the update
- Keys are stored inside the TPM hardware vault
- Encrypt data to be transmitted using the recipient's public key
TPM Market Trends
Where? Anything on a network!
- Tablets and PCs
- Access Points
- MFPs
- LTE base stations
- Servers/uServers
- Gambling gaming machines
- Smart Home Networking
- Fiscal Cash Registers
Why?
- Standards-based PKI
- > 200 TCG member companies
- FIPS 140-2 in end-product RFQs
Anything networked is a good application for TPM!
TPM Offering Today and Tomorrow
AT97SC3204 Today & Tomorrow
- First TPM vendor supporting Industrial Grade (-40C to +85C)
- Key gen > 4x faster than previous generation
- Internal MCU running at 66MHz
- Atmel-signed Endorsement Key
- Full X.509 certs available; small certs also available
- Optional field upgrade supported
- Configurable failed-authorization attempt counters (0-1024)
- Supported in both 4.4mm and 6.1mm 28-TSSOP + 6mm x 6mm 40-QFN/MLF (4x4mm 32-QFN 1Q14)
- Interfaces: LPC, I2C
- Introducing FIPS-Flex Mode, AT97SC3204-X4 Series: ability to permanently set FIPS or Standard mode at CM or after
AT97SC3204 & 3205 FIPS Certified
http://csrc.nist.gov/groups/stm/cmvp/documents/140-1/1401val2013.htm
Introducing FIPS/Flexible Mode
Atmel Advantages
- Atmel continues to release new-generation TPMs supporting industry needs
- World's first FIPS-certified vendor
- High-speed crypto calculations
- SelfTestFull well below the industry target
- Low-power auto-hibernation feature
- Supporting 4x4mm QFN
- Widest temperature range supported: -40C to +85C
- Optional small and full cert and field upgrade support