Foundational security for Internet of Things (IoT) devices starts in silicon, a realization that can be seen today as semiconductor companies ramp up production of integrated circuits (ICs) that either incorporate security functions or act as complete standalone cryptographic devices themselves.
The first in a series of monthly interviews on cyber security with Andrew Girson, Co-Founder and CEO of embedded training and consulting firm Barr Group, we discuss the various implementations of security that can be found in modern semiconductors, and weigh the costs and benefits of using each in a given connected device design.
Discrete security ICs are gaining traction as a way to reduce security overhead in resource-constrained devices. Are separate security processors the wave of the future, or just a passing trend?
GIRSON: There is a case to be made for security being integrated into multi-function semiconductor devices such as microcontrollers (MCUs), but also as separate security devices. For sophisticated applications that require greater levels of security or where encrypted communications throughput must be high, one can envision continued availability of best-of-breed security semiconductor devices. Yet, we are seeing a push by semiconductor manufacturers to integrate security technology into even their lower priced MCUs, and one can eventually see security becoming a standard feature on many mobile and IoT MCUs.
Beyond this, there are classes of secure IoT devices that are, in fact, low performance and extremely cost-constrained, so unable to support even the cost of an MCU. A great example of this is medical consumables. Even today, we see higher end medical consumables (such as surgical probes) incorporate security electronics to prevent unauthorized reuse or cloning. This serves legitimate public health purposes as well as the corporate financial needs of the device manufacturer. But, how far can we take this concept?
While I’m not sure we’ll ever see a secured tongue depressor, there are quite a few medical consumables that are sold for just a few dollars or even less. And, the public health and corporate financial issues for these devices are just as relevant as they are for higher end devices. Extending the concept even further, could we eventually see the so-called “razor-and-blades” model extended to things as simple as razors and blades themselves, so blades are secured to their manufacturers’ razors and cannot be cloned?
We’ve already seen an ill-fated effort by Keurig to simplistically authenticate K-Cups in their coffeemakers, as well as efforts to authenticate printer ink and laptop batteries. It’s hard to say how low this will go, but there is a definite profit incentive with the growing interest in IoT to put security into very, very inexpensive devices. This will lead to all sorts of interesting integrated and standalone security products in the semiconductor sector, at varying price points.
A security IC such as a trusted platform module (TPM) is not the same as a trusted execution environment (TEE), such as ARM TrustZone. Both of these are different from a secure element (SE). What are the differences, and what should the secure design expectations be when deploying each?
GIRSON: The meaning of these terms is evolving as the range of computing devices requiring security grows. And, it is important to remember that building a secure system is like building a skyscraper – a strong foundation is required.
Security built into bootloaders, operating systems (OSs), and applications will need to rely on a so-called “root of trust.” In other words, to trust higher level software functions (e.g., apps), one must be able to trust lower level software functions (e.g., OSs and bootloaders) and hardware functions (e.g., devices/memories that store software and cryptographic keys).
With this in mind, an SE is a device that can be embedded into a credit card or other small form factor device and is a complete entity for executing the security (encrypting and decrypting data, managing encryption keys, etc.) and product-specific application needs of a device. Like an SE, a TPM generally is a device that provides secure storage/analysis capabilities for cryptographic operations, but exists as an entity within a more complex system and is used to secure/verify other, more sophisticated hardware/software contained outside of the TPM. A TEE is a feature of certain processors that creates trusted software execution environments that can operate alongside untrusted software execution environments. One might use a TEE to allow certain software tasks on a device to operate in a secured manner while other tasks operate in a less secure environment.
As an example of the evolution of these terms, in constrained systems like IoT devices, the concept of a TPM may be more virtual and utilize features of a TEE to implement its functionality. The security, performance, cost, and power consumption of this approach relative to other design approaches that incorporate these various concepts/devices should be the subject of close analysis when evaluating the security needs of your device design.
What are the design tradeoffs of a separate security chip versus MCUs and system on chips (SoCs) that (now or in the future) integrate these functions into the main processor?
GIRSON: There are standard tradeoffs that all board-level designers must consider, as well as some tradeoffs specific to security. The standard size, weight, power, and cost (SWaP-C) factors are relevant in determining how tightly to integrate functionality on a printed circuit board (PCB). So, while some designers may desire the unique best-of-breed features in a standalone security chip, this may come at a cost of greater power consumption, board real estate, and overall bill of materials (BOM) and build costs. Beyond this, the ability to secure an overall system is impacted by the choice of a semiconductor security solution. If a PCB must be encased in some sort of secure enclosure or treated with a chemical/material to make it tamper resistant, the costs and power/cooling of these additional items are impacted by the makeup of the PCB. So, separate security chips that alter PCB size and thermal factors will have a ripple effect on the overall design within standard SWAP-C constraints, as well as those additional electromechanical security layers that are a part of securing the complete IoT device.