The Transport Layer Security (TLS) can help prevent eavesdropping and tampering of data in transit, playing a critical role in securing the communication of smart, connected devices over the internet. For the TLS protocol to be effective, of course, keys and certificates must remain undisclosed, unmodified, and stored in the devices so that they can be used to execute the protocol. It’s not easy to protect a TLS implementation, though, especially when it comes to the internet of things (IoT) devices deployed in the wild.
At the Embedded Systems Conference late last year in San Jose, California, Stephane di Vito, a Maxim security expert, made the case for companion security ICs. Such ICs offer a relatively easy and affordable way to secure a TLS implementation in a connected embedded system. During his ESC talk, di Vito shared an overview of TLS and explained how a security IC can be integrated into an embedded design.
Two Main Phases of TLS Protocol
The TLS protocol consists of two main phases: handshake and secure application data exchange. The handshake phase kicks off the process. Here, there is a negotiation of protocol properties, during which the client proposes to the server a list of algorithms that it can support. The server, meanwhile, also has a list of supported algorithms. The server will then select the most secure matching algorithm that is supported. The next step is to prove identities. In this step, the server must always prove its identity using a public key infrastructure (PKI), which uses public key cryptography. As di Vito explained, public key cryptography works like this:
- Alice owns a pair of keys (PubKa, PrivKa)
- Alice signs messages using PrivKa (no one else can do this)
- Alice sends messages and PubKa to Bob
- Bob verifies Alice’s message using PubKa
Public key ownership must be certified by a certification authority; otherwise, this process won’t work. A public key along with the identify of that key’s owner can be sealed in a certificate which is then used for authentication. In the same manner that it authenticates servers, PKI also authenticates clients. After the identities of both parties are proven, keys can be created for the TLS session. di Vito pointed out that there are different ways to create keys on both ends:
- The simplest method is to use a pre-shared key. This involves a preliminary exchange of secret keys in the device and the server. This method is considered a very lightweight version of TLS because it requires no certificates.
- Another tried-and-true method is RSA encryption with a client public key; however, this method isn’t ideal for small embedded devices because it does require a lot of resources
- A more state-of-the-art method is ECDH(E) + ECDSA, which is lighter in key size and much faster than RSA. With an elliptic curve key of 256 bits, this method is just as secure as an RSA 3072 key.
Once the keys are in place, said di Vito, you can proceed to the application layer and exchange data securely. In the secure exchange phase, the negotiated algorithms and keys are enforced. Exchanged data is authenticated and encrypted.
Advantages of Companion Security ICs
Even with cryptography, there are some key security concerns to address. A vulnerable cryptography library, for example, could be exposed to timing, simple power analysis (SPA), and differential power analysis (DPA) attacks. Low-quality random numbers could generate weak keys. But, as di Vito pointed out during his ESC talk, addressing these issues via a pure software implementation doesn’t fully solve the problems. He highlighted that a software approach could still be vulnerable to remote timing attacks or regression, for example. Using a companion security IC, on the other hand, provides a stronger level of protection, he said.
A companion security IC offers a variety of advantages for cryptography, including:
- High-quality true, hardware-based random number generation
- Power analysis resistance
- Protection from timing attacks
- No risk of regression when rebuilding application software
Secure storage of keys and certifications is crucial, and a software-only approach here is also weak. Client private keys can be extracted from storage and cloned, for example. Then, additional devices can be created using the same identity. If session keys become exposed, a cybercriminal can spy on the TLS communication and/or forge messages. Compromised certification could authorize certificates.
Using a companion security IC for secure storage offers various benefits:
Tamper-proof, encrypted certificate and key storage. “A very determined hacker…would have to attack the chip physically, remove the hardware security, download the memory. It’s very complicated. Besides, memory is often encrypted. It’s very hard to tamper with this kind of IC,” di Vito said.
Secret and private keys that can’t be extracted, which makes the end device unclonable
No misuse of keys with strict access control
When implementing TLS, problems could occur if the wrong server/client configuration is used, or if server certificate verification is skipped. A companion security IC mitigates these issues by:
- Offloading the application microprocessor from complexity and a heavy CPU load
- Providing a highly robust command set
- Reducing the TLS configuration
A companion security reduces overall complexity and isolates critical functions. If something were to break in the firmware, di Vito explained, the other portions would remain safe. Some of these ICs can even evaluate the integrity of firmware on the main application processor; the IC won’t use the client private key to authenticate to the server if it detects that the firmware isn’t genuine. “Security is like an onion, the smell aside. It’s a set of layers, and the more layers the better. If it takes too long to peel the onion, the attacker will either abandon or it will be very costly to them. There is no bullet-proof solution….by adding layers and layers, you increase the security level,” said di Vito.
Maxim’s DeepCover® embedded security portfolio includes the MAXQ1061, which can be used as a cost-effective companion security IC to protect a TLS implementation. Read the MAXQ1061 data sheet. di Vito has also written an informative application note, Using Secure Companion ICs to Protect a TLS Implementation, with more detail on the topic.