Defining a business model and implementing a technical infrastructure are two major phases in building a successful product or IoT system. However, protecting the business model and your customer’s data from the extensive range of potential attackers is just as critical and important.
The Infineon OPTIGA Trust X is a discrete hardware security module with an I2C interface. This device safeguards cryptographic keys and digital certificates. Additionally, Trust X provides a comprehensive set of cryptographic functions to securely use the protected credentials in authentication, secured communication and many further security use cases.
With the release of version 15 of the nRF5 SDK, integrating a discrete hardware-based security solution to nRF5-based IoT devices has become even easier. Infineon Technologies has partnered with Nordic to deliver example code and host libraries to get started with state-of-the art hardware security from Infineon on the nRF5 platform within minutes.
Brand Protection with Infineon OPTIGA Trust X
For example, Infineon OPTIGA Trust X enables brand protection using one-way message authentication. Therefore, Trust X provides cryptographic operations and a hardware-based root of trust to verify the authenticity of an accessory.
During an accessory verification process, a verifying host system sends a challenge message to the accessory that has been connected to the host. The accessory forwards the challenge to Trust X, which uses a protected private key to cryptographically sign the challenge. The challenge, together with an accessory certificate, is returned to the verifying host. The host can check if the accessory is genuine by checking the signature and the digital certificate. A verifier will reject accessories that are not equipped with a vendor-personalized digital certificate corresponding to the private key.
The following code snippet exemplifies how to implement message authentication on an accessory processor. The source code uses Trust X and the OPTIGA command library to cryptographically hash and then sign the challenge message. This resulting digital signature can be used by an accessory verifier to attest the authenticity of the message and thus the genuineness of the accessory.
ret_code_t err_code; uint8_t digest[OPTIGA_HASH_LEN_SHA256]; uint8_t challenge[] = {'c', 'h', 'a', 'l', 'l', 'e', 'n', 'g', 'e'}; err_code = optiga_calc_hash(HASH_SHA256, msg, sizeof(msg), digest); err_code = optiga_calc_sign(OID_DEVICE_PRIVATE_KEY_1, digest, sizeof(digest), &p_sig1, &sig1_len);
The complete Infineon OPTIGA Trust X - ECDSA Simple Example with the full source code including error handling can be found in the example project included in the nRF5 SDK. The SDK release also includes the Infineon libraries necessary to interface to the Trust X, which is electrically connected via the I2C bus:
- The OPTIGA command library provides a high-level API to access the general-purpose and cryptographic functions of Trust X.
- The Infineon I2C Protocol stack exchanges commands between a device host CPU and the Trust X device.
- The platform abstraction layer implements the platform-specific interfaces and APIs to the Nordic nRF5 SDK.
Personalization
Following product and system development, a very important step during the manufacturing an IoT product is the initial provisioning of device identities and cryptographic keys and certificates. The Infineon OPTIGA Trust X supports different personalization scenarios depending on the product and system requirements. The personalization procedure can be conducted at secured premises at Infineon or at a distributor. Alternatively, the product vendor, system integrator or manufacturer can conduct the personalization process.
Thus, when protecting an accessory, product or system using Infineon OPTIGA Trust X, the personalization process can be scaled according to the system integrator’s needs and in accordance with the product life cycle.
Summary
The example in this blog article has shown only a small glimpse of what is possible with Infineon OPTIGA Trust X. Nevertheless, authentication is the first and most important step in securing IoT devices and products. Infineon OPTIGA Trust X provides many more security features, including mutual authentication and secured communication using Transport Layer Security (TLS) and Datagram TLS (DTLS).
For more information, download the nRF5 SDK, consult the Nordic Semiconductor Infocenter, and visit the OPTIGA Trust X SLS 32AIA product page at infineon.com.