
Secure Microcontrollers Keep Data Safe

Secure MCU offerings range from 8-bit to 32-bit CPUs with dedicated encryption engines, random number generators, and additional features to secure communication channels and protected data.

In this internet age, identity theft, intellectual property protection, and financial account and payment protection are key concerns to both consumers and designers. To keep everything safe, many systems employ security measures such as data encryption and physical shielding to prevent hackers and other malicious actors from accessing data, financial information, or even intellectual property. Even the simple car door entry key/ignition key has become more secure with embedded processors running challenge and response authentication to prevent vehicle theft. Furthermore, the movement to "smarten" the energy grid will also escalate the demand for secure communications to prevent hackers or terrorists from wreaking havoc on the power grid.

Although general-purpose embedded processors can do the encryption and decryption of the data, the compute-intensive requirements of encryption standards such as DES (data encryption standard), AES (advanced encryption standard), Elliptic Curve, SHA-1 (secure hash algorithm), and others can bog down a processor and slow down the overall transaction. To speed up the computations on its advanced processors, Intel added new instructions to accelerate AES encryption and decryption, as well as AES-Galois Counter Mode (AES-GCM) authenticated encryption. When running at multi-GHz speeds, these processors can deliver performance comparable to dedicated encryption solutions.

However, power consumption for a desktop-class Intel i3, i5, i7 or Xeon-class processor could hit 50 W or more. Such a solution is not practical for embedded systems that run constantly, have limited cooling capabilities, and require milliwatt power consumption levels.

In past years, to speed up the computations, separate data-encryption chips have been implemented, but the connection between the processor and the encryption chip is a good target for hackers. To prevent hackers from accessing the connections between chips, designers enclosed the board in a metal shield and included tamper sensors that erased the data and encryption keys if any tampering was detected.

Today, the level of integration possible allows processor vendors to integrate the encryption engine into their embedded processor/microcontroller, thus making the system a bit more secure. The dedicated engine accelerates the computations so that transactions can be done in real-time with no noticeable delay, thus reducing the wait for the user and allowing the system to handle more transactions per minute.

Many embedded processor vendors — Atmel, Freescale, Maxim, Microchip, NXP, PalmChip, STMicroelectronics, Texas Instruments, and others — have included dedicated encryption/decryption engines and random number generators on their processor chips. Additionally, encryption engine blocks are available from several vendors of intellectual property, and such blocks can be co-integrated with a processor core on a custom chip, or embedded in a field programmable gate array along with a processor core.

In the financial market, there are several key standards for equipment such as banking and credit card terminals. One such standard, PCI PTS 3.0, is the latest effort of the Payment Card Industry Security Standards Council (PCI SSC), which was created by many of the payment-products companies — MasterCard, VISA, American Express, and JCB. This standard deals with the logical and physical attacks that attempt to extract personal identification number (PIN) codes and encryption keys from point-of-interaction (POI) systems such as banking terminals (automated teller machines and credit card terminals) and other systems.

Processor choices range from 8 to 32 bits

Depending on the application requirements, designers have a wide range of encryption solutions, from low-cost, 8-bit microcontrollers to top-performing, 32-bit embedded processors. At the high end of the spectrum are several security processors with dedicated on-chip encryption engines based on an ARM CPU core — the AT91SAM family from Atmel, the ZA9L1 from Maxim, the ST33 series from STMicroelectronics, and the CC430 series from Texas Instruments, to name a few. Additional secure processors based on other 32-bit cores include multiple families based on the ColdFire and PowerPC cores offered by Freescale Semiconductor, and a family of secure chips based on the SmartMX2 CPU core from NXP.

The AT91SAM family, for example, uses an ARM7TDMI Thumb 32-bit processor and includes 128 to 512 kb of flash code storage and from 32 to 128 kb of high-speed SRAM. Both AES and triple DES encryption engines are included on the chip. The AES engine handles 256-, 192-, or 128-bit key algorithms and is compliant with the FIPS PUB (Federal Information Processing Standard Publication) 197 specifications. The triple DES engine handles two-key or three-key algorithms and is compliant with the FIPS PUB 46-3 specifications. A full system-on-a-chip, the AT91SAM processors also include many other system resources — a USB port, a 10/100 Ethernet MAC, a CAN controller, multiple serial ports, multiple timer/counter blocks, an 8-channel 10-bit A/D converter, and other system support functions.

Moving up to an ARM922T 32-bit processor, the ZA9L1 Zatara processor is also a highly integrated system-on-a-chip which runs at up to 200 MHz (see Figure 1). Supporting the processor are multiple tamper sensor inputs, an AES 128-bit encryption/decryption engine, a true random number generator for key and challenge creation, a secure boot mechanism to ensure code authenticity, and 4 kb of zeroizing (tamper detection will set all bits to zero to erase the memory contents if the circuitry detects an intrusion), non-volatile, static RAM for secret storage. The chip has the horsepower and the security features to tackle sensitive applications which place high demands on system performance. Thanks to the secure boot capability, designers have the flexibility of using off-chip storage for the control programs and are not limited by on-chip flash storage, such as that used by many of the other secure processors.

Figure 1: Maxim's ZA9L1 Zatara secure processor. (Source: Maxim Integrated Products. Used with permission.)

Offering the largest on-chip flash storage, the ST33 series developed by STMicroelectronics packs up to 1.25 Mb of flash as well as up to 30 kb of RAM. Based on an ARM SC300 core, the ST33 series includes the company's NESCRYPT (Next Step Cryptography) cryptographic engine for public-key cryptography, a true random number generator, and a DES accelerator. Each chip also includes a unique serial number and an ISO 3309 CRC (cyclic redundancy code) calculation block that can be used to help in detecting program or data tampering. Targeted at applications such as smart cards, mobile TV, and banking applications, the chip can operate from power supplies as low as 1.8 V.

The NESCRYPT engine supports BAC (basic access control), EAC (extended access control), and AA (active authentication). This platform implements very fast e-passport transactions (in less than three seconds), and also supports the IAS ECC specification based on the European Citizen Card (ECC). It has been certified by Common Criteria EAL6+ (Evaluation Assurance Level). STMicroelectronics claims that the ST33 series is the world's first secure microcontroller series to achieve EAL6+ certification, according to the Common Criteria 3.1 methodology.

Security offerings from Texas Instruments include multiple families of products based on different ARM cores — the Stellaris family employs an ARM Cortex-M3, both the Sitara and Integra families use the ARM9 and Cortex-A8, and the DaVinci digital media processors use the Cortex-A8. The AM3894/3892 media processors run the Cortex-A8 core at 1.2 GHz and include AES, Triple DES, and a random number generator on the chip along with a three-dimensional graphics engine and high-definition video encoding/decoding.

8- and 16-bit processors are up to the task, too

Taking aim at applications such as smart card readers, USB secure tokens, and financial terminals, the MAXQ1050 and MAXQ1850 are based on 32-bit, internally developed RISC processor cores and include accelerators which perform high-speed encryption with AES, RSA, DSA, ECDSA, SHA-1, SHA-224, SHA-256, DES, and triple DES algorithms. The chips also include a Random Number Generator for key generation and challenge generation. Also incorporated on the chip is a sophisticated security mechanism to protect secret key data when the processor is under attack. Two self-destruct inputs and environmental sensors (temperature and voltage) can be set to erase secret key data when an attack is detected.

Other non-ARM based, 32-bit secure processors are available from vendors such as Freescale (using either the ColdFire or PowerPC processor cores) and from NXP, which employs its SmartMX2, a proprietary 32-bit processor core. The offerings from Freescale include the recently released QorIQ quad-core processor based on the PowerPC which targets mixed control-plane and data-plane applications. The on-chip SEC 4.2 encryption engine handles many algorithms — public key acceleration, DES, AES, message digest accelerator, random number generation, ARC4, SNOW 3G F8 and F9, CRC, and Kasumi.

Introduced by NXP in late 2010, its new IntegralSecurity architecture was designed to protect the integrity and confidentiality of user data and applications targeting CC EAL 6+ certification. IntegralSecurity is based on over 100 dedicated security mechanisms which create a dense protection shield including redundancy and multiple layers. A hardened Fame2 crypto coprocessor, also developed by NXP, provides even more DPA resilience, serving the full range of RSA/ECC crypto algorithms with a flexible RSA key length of up to 4,096 bits. In addition, the SmartMX2 includes the NXP-patented SecureFetch feature, which protects against light and laser attacks, and also covers data other than software code. Lastly, the processor also includes NXP's patented GlueLogic feature for advanced protection against reverse-engineering attacks.

When the high throughput of a 32-bit processor is not needed, designers can select from many low-power 8- and 16-bit microcontroller solutions. Freescale, Inside Secure, Maxim, Microchip, NXP, PalmChip, and STMicroelectronics are just some of the suppliers of microcontrollers with embedded encryption engines. The SecureAVR series offered by Inside Secure (previously offered by Atmel), for example, includes a proprietary 8/16-bit RISC processor core and hardware DES, Triple DES, and hardware AES engines that are all DPA/DEMA resistant. Also on board is a checksum accelerator, both 16- and 32-bit CRC engines, and a 32-bit AdvX cryptographic accelerator for public key operations which comes with a cryptographic library (RSA, ECC, key generation, and other functions).

One of the chips in the family, the AT90SO128 (see Figure 2), uses the Atmel SecureAVR RISC processor core, which allows the linear addressing of up to 8 Mb of code and up to 16 Mb of data as well as a number of new functional and security features. The AdvX cryptographic engine, developed by Atmel and licensed to Inside Secure, is a 32-bit accelerator dedicated to performing fast encryption and authentication functions. It is combined with a 32 kb ROM that stores the secure crypto firmware. The ability to map on-chip EEPROM into the code space allows parts of the program memory to be reprogrammed in-system. This technology combined with the versatile 8/16-bit CPU provides a highly flexible and cost-effective solution to many smart-card applications. Additional security features include power and frequency protection logic, logical scrambling on program data and addresses, power analysis countermeasures, and memory accesses controlled by a supervisor mode. The chip also includes dedicated hardware for protection against SPA/DPA/SEMA/DEMA attacks, as well as protection against physical attacks including an active shield.

Figure 2: Based on a proprietary 8/16-bit SecureAVR processor core, the AT90SO128 offered by Inside Secure includes hardware DES, and Triple DES and AES engines. (Source: Inside Secure. Used with permission.)

Offering a range of secure 8- and 16-bit solutions, Maxim's MAXQ series of low-power microcontrollers includes several devices that leverage the company's 16-bit MAXQ pipelined RISC CPU. The MAXQ1004, for example, contains an AES encryption engine, a random number generator, and the company's proprietary 1-Wire slave interface (see Figure 3). Another device, the MAXQ1010, includes both a DES accelerator and an AES engine, allowing applications to rapidly respond to challenges and authenticate other devices by using standards-based cryptography. A true random-number generator is also on the chip and it can be used for key generation, random padding, challenge generation, and other applications. This processor also contains a 128-byte secure key storage memory which is instantly erased when a "self-destruct" input is received. Both the MAXQ1004 and the 1010 have ultra-low power stop modes which cut the current drain to less than 400 nA (typically), helping conserve power in battery-operated systems.

Figure 3: A 16-bit MAXQ pipelined RISC CPU developed by Maxim is at the heart of the MAXQ1004, which the company targets for portable electronics, battery chargers, and battery packs. (Source: Maxim Integrated Products. Used with permission.)

Oldies but goodies

Even the venerable 8-bit 8051 is still a viable microcontroller when co-integrated with a crypto accelerator (see Figure 4). The AcurX51 secure microcontroller from PalmChip is a good example of leveraging a low-cost controller core for markets such as the smart grid and home area networks. The revamped 8051 core executes instructions in a single cycle, thus considerably improving the execution efficiency of the basic instruction set. Coupling that with a dedicated encryption engine, the processor delivers enough performance for most smart-grid applications.

Also employing an 8051 at their hearts, the DS5002 and DS5003 from Maxim store data in encrypted form using an on-chip 64-bit key. Included in both chips is a true Random Number Generator to create the key, and a self-destruct input to blank the memory should the chip detect tampering. Another family member, the DS5250, targets applications such as PIN pads, financial terminals, and other security applications. The chip encrypts its program memory and can also optionally encrypt its data memory with a hardware-based, single- or triple-DES algorithm, making it almost impossible to extract information. The chip also employs block cipher encoding that uses block addresses to modify the encrypted data, still further enhancing the data security.

Figure 4: A typical system-on-a-chip based on the AcurX51 modular architecture can employ an 8-, 16-, or 32-bit RISC processor, depending on the expected workload. (Source: PalmChip. Used with permission.)

Based on its proprietary 8-bit PIC processor core, Microchip also offers security-enhanced processors, such as the PIC12F635/PIC16F636/639. These 8-bit processors include a cryptographic module the company calls KEELOQ (see Figure 5). The module employs a block-cipher encryption algorithm based on a block length of 32 bits and a key length of 64 bits. The algorithm obscures the information in such a way that even if the unencrypted/challenge information differs by only one bit from the information in the previous challenge, the next coded response will be totally different. Statistically, if only one bit in the 32-bit string of information changes, approximately 50 percent of the coded transmission will change.

Figure 5: The PIC12F636 is built around Microchip's 8-bit PIC processor core and incorporates the company's KEELOQ cryptographic module that employs a block-cipher algorithm to encrypt the data. (Source: Microchip. Used with permission.)
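
The one-bit-in, half-the-bits-out behaviour described for KEELOQ can be measured directly. The following C program is an added example, not code from this article or from Microchip: it implements the cipher as publicly documented (528 rounds and the nonlinear-function constant 0x3A5C742E are assumptions taken from that public description, not stated on this page) and averages the ciphertext bit flips over a constructed key and constructed plaintexts.

```c
/* Added example (not from the article): KeeLoq, 32-bit block, 64-bit key. */
#include <stdint.h>
#include <stdio.h>
#define KEELOQ_NLF    0x3A5C742Eu  /* truth table of the 5-input nonlinear function */
#define KEELOQ_ROUNDS 528u         /* round count from the public description */

static uint32_t bit32(uint32_t x, unsigned n) { return (x >> n) & 1u; }
static uint32_t bit64(uint64_t x, unsigned n) { return (uint32_t)((x >> n) & 1u); }
static unsigned popcount32(uint32_t v) { unsigned n = 0; for (; v; v &= v - 1) n++; return n; }

/* Look up one output bit of the nonlinear function from five state bits. */
static uint32_t nlf(uint32_t x, unsigned a, unsigned b, unsigned c, unsigned d, unsigned e) {
    uint32_t idx = bit32(x, a) | (bit32(x, b) << 1) | (bit32(x, c) << 2)
                 | (bit32(x, d) << 3) | (bit32(x, e) << 4);
    return bit32(KEELOQ_NLF, idx);
}

uint32_t keeloq_encrypt(uint32_t x, uint64_t key) {
    for (unsigned r = 0; r < KEELOQ_ROUNDS; r++) {
        uint32_t fb = bit32(x, 0) ^ bit32(x, 16) ^ bit64(key, r & 63u) ^ nlf(x, 1, 9, 20, 26, 31);
        x = (x >> 1) | (fb << 31);  /* shift right, feed the new bit in at the top */
    }
    return x;
}

uint32_t keeloq_decrypt(uint32_t x, uint64_t key) {
    for (unsigned r = 0; r < KEELOQ_ROUNDS; r++) {
        uint32_t fb = bit32(x, 31) ^ bit32(x, 15) ^ bit64(key, (15u - r) & 63u) ^ nlf(x, 0, 8, 19, 25, 30);
        x = (x << 1) | fb;          /* undo one round: shift left, restore bit 0 */
    }
    return x;
}

/* Mean ciphertext bits flipped per single plaintext-bit flip, over `samples` plaintexts. */
double keeloq_avalanche(uint64_t key, uint32_t pt, unsigned samples) {
    unsigned long total = 0;
    for (unsigned s = 0; s < samples; s++) {
        uint32_t base = keeloq_encrypt(pt, key);
        for (unsigned b = 0; b < 32; b++)
            total += popcount32(base ^ keeloq_encrypt(pt ^ (1u << b), key));
        pt = pt * 1664525u + 1013904223u;  /* LCG step to the next constructed plaintext */
    }
    return (double)total / (32.0 * samples);
}

int main(void) {
    uint64_t key = 0x0123456789ABCDEFull;  /* constructed sample key */
    printf("mean flipped bits: %.2f of 32\n", keeloq_avalanche(key, 0x12345678u, 64));
    return 0;
}
```

A mean near 16 of 32 bits corresponds to the roughly 50 percent change described above. Avalanche is a diffusion property only; it says nothing about the strength of the 64-bit key.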