The Transport Layer Security (TLS) protocol plays an essential role in securing the communication of smart, connected devices over the internet. It can help prevent eavesdropping and tampering of data in transit. For the TLS protocol to be effective, of course, keys and certificates must remain undisclosed, unmodified, and stored in the devices so that they can be used to execute the protocol. Protecting the TLS implementation, however, can be challenging, particularly for internet of things (IoT) devices that are deployed out in the wild.
A companion security IC, argues Stephane di Vito, a Maxim security expert, provides a relatively easy and affordable way to secure a TLS implementation in a connected embedded system. As a bonus, a security IC also offloads the main application processor. di Vito made his case earlier this month at the Embedded Systems Conference in San Jose, where he provided an overview of TLS and explained how a security IC can be integrated into an embedded design.
Understanding the TLS Protocol
The TLS protocol consists of two main phases: handshake and secure application data exchange. It all starts with the handshake phase. Here, there is a negotiation of protocol properties, during which the client proposes to the server a list of algorithms that it can support. The server, meanwhile, also has a list of supported algorithms. The server will then select the most secure matching algorithm that is supported. Next, it's time to prove identities. In this step, the server must always prove its identity using a public key infrastructure (PKI), which uses public key cryptography. As di Vito explained, public key cryptography works like this:
- Alice owns a pair of keys (PubKa, PrivKa)
- Alice signs messages using PrivKa (no one else can do this)
- Alice sends messages and PubKa to Bob
- Bob verifies Alice’s message using PubKa
For this process to work, public key ownership must be certified by a certification authority. A public key along with the identify of that key’s owner can be sealed in a certificate which is then used for authentication. In the same manner that it authenticates servers, PKI also authenticates clients. Once identities of both parties are proven, it’s time to create keys for the TLS session. As di Vito noted, there are different ways to create keys on both ends:
- Using pre-shared keys is the simplest method, involving a preliminary exchange of secret keys in the device and the server. Since this method uses no certificates, it’s considered a very lightweight version of TLS.
- An old standby is RSA encryption with a client public key, although this method isn’t ideal for small embedded devices because it does require a lot of resources
- A more state-of-the-art method is ECDH(E) + ECDSA, which is lighter in key size and much faster than RSA. With an elliptic curve key of 256 bits, this method is just as secure as an RSA 3072 key.
Once the keys are in place, said di Vito, you can proceed to the application layer and exchange data securely. In the secure exchange phase, the negotiated algorithms and keys are enforced. Exchanged data is authenticated and encrypted.
Connected devices such as smart home control systems can become avenues into the larger network if left unprotected.
How a Companion Security IC Helps: Cryptography, Storage, and Implementation
Cryptography is not without some key security concerns. A vulnerable cryptography library, for example, could be exposed to timing, simple power analysis (SPA), and differential power analysis (DPA) attacks. Low-quality random numbers could generate weak keys. But addressing these issues via a pure software implementation isn’t the answer, di Vito argued. He highlighted that a software approach could still fall victim to remote timing attacks or regression, for example. By contrast, using a companion security IC offers a greater level of protection, he said.
A companion security IC offers a variety of advantages for cryptography:
- High-quality true, hardware-based random number generation
- Power analysis resistance
- Protection from timing attacks
- No risk of regression when rebuilding application software
Secure storage of keys and certifications is crucial, but a software-only approach here also has weaknesses. It’s possible for client private keys to be extracted from storage and cloned. Then, additional devices can be created using the same identity. If session keys become exposed, a cybercriminal can spy on the TLS communication and/or forge messages. There’s also the danger that compromised certification could authorize certificates.
A companion security IC offers various benefits while providing secure storage:
- Tamper-proof, encrypted certificate and key storage. “A very determined hacker…would have to attack the chip physically, remove the hardware security, download the memory. It’s very complicated. Besides, memory is often encrypted. It’s very hard to tamper with this kind of IC,” di Vito said.
- Secret and private keys that can’t be extracted, which makes the end device unclonable
- No misuse of keys with strict access control
When implementing TLS, problems could arise if the wrong server/client configuration is used, or if server certificate verification is skipped. A companion security IC mitigates these issues by:
- Offloading the application microprocessor from complexity and a heavy CPU load
- Providing a highly robust command set
- Reducing the TLS configuration
A companion security reduces overall complexity and isolates critical functions. If something were to break in the firmware, di Vito explained, the other portions would remain safe. Some of these ICs can even assess the integrity of firmware on the main application processor; if the firmware is not genuine, then the IC won’t use the client private key to authenticate to the server. “Security is like an onion, the smell aside. It’s a set of layers, and the more layers the better. If it takes too long to peel the onion, the attacker will either abandon or it will be very costly to them. There is no bullet-proof solution….by adding layers and layers, you increase the security level,” said di Vito.
Maxim's DeepCover embedded security portfolio includes the MAXQ1061, which can be used as a cost-effective companion security IC for secure storage, digital signature, encryption, secure boot, and protecting a TLS implementation. Check out the MAXQ1061 data sheet. di Vito has also written an informative application note, Using Secure Companion ICs to Protect a TLS Implementation, that provides more detail on the topic.