Reference design combines FPGAs & SoCs for high-security IoT applications

The Microsemi and Escrypt solution enables a service that allows customers to cost-effectively integrate Public Key Infrastructure (PKI) functionality into systems without the costs, complexity, risks and distraction associated with building and hosting their own infrastructure.

All security solutions and cryptographic mechanisms require cryptographic keys or certificates. CycurKEYS is a security server that offers the management of cryptographic keys and certificates, especially designed and implemented for automotive, industrial, embedded and cyber physical system applications.

CycurKEYS addresses all the weaknesses associated with using traditional PKI solutions for M2M applications by targeting devices (not users), and addressing long lifecycles as well as the devices’ lack of full-time connectivity to a server. CycurKEYS offers all commonly used cryptographic schemes and offers all standardised cryptographic algorithms including RSA, Elliptic Curve Cryptography (ECC), AES and SHA. It supports the full PKI life-cycle from generating digital certificates in a choice of formats, to maintaining updated keys, and finally to certificate revocation. 

As shown in the reference design, a user key pair is generated by the Microsemi SmartFusion2 SoC FPGA using its built-in TRNG and ECC engine with the secret key, which never leaves the chip, protected by the FPGA’s state-of-the-art physically uncloneable function technology. The public key is securely exported, validated using credentials proving the FPGA’s and the key’s authenticity, and then digitally signed by the user’s root or intermediate certificate authority hosted in the secure Escrypt cloud server, thus enrolling users’ systems into their own private PKI. The user PKI certificates enable positive identification of all authorised machines in the user’s VPN, and secure authenticated communications while rejecting imposter machines and forged messages.

This reference design, suitable for system architects, programme managers and security professionals, shows how to securely sign public keys and is supported by Escrypt’s secure cloud-based CA necessary in any PKI scheme.

According to a report by the Ponemon Institute, the cost of a data breach can be up to approximately $246 per compromised record, which can have a significant effect on the long-term viability of a business. This, along with the wide variety of mainstream applications now being developed with FPGAs that have limited security features, illustrates that addressing a multi-layered approach to security such as PKI is more important than ever. Additionally, the use of hardware-based security creates a more secure system than software-only solutions, and forms the root-of-trust for secure software systems.

Microsemi's SmartFusion2 SoC FPGA and IGLOO2 FPGA programmable devices are the industry’s most secure, boasting the three key elements needed for secure programmable devices: secure hardware, design security and data security. Built through a secure supply chain management system, Microsemi data-security enabled devices feature the only FPGAs with licensed patent-protected DPA countermeasures, integrated true random number generator, physically uncloneable function technology, DPA-protected ECC accelerator and integrated X.509 device certificates.]

Also available are the only security-enabled FPGAs with an end-user DPA license, built-in tamper detectors and active tamper responses (including NSA-approved zeroization), and NIST-certified hardware-based implementations of AES-256, SHA-256, HMAC-SHA-256, ECCDH-P384 and a AES-CTR-based 256‑bit security strength DRBG.

“We are excited to work with Escrypt to enhance our strategy of providing the most secure FPGA solutions on the market,” said Tim Morin, Director of Product Marketing, Microsemi. “The solution helps lower the cost of implementing a PKI, which is a requirement for securing the IoT.”

Microsemi’s SmartFusion2 SoC FPGA and IGLOO2 FPGA product families with PUF, ECC core, TRNG, DPA license and Escrypt's hosted CA service technology are available now.