Confidentio. Integrated security processing unit. Including key management module, encryption engine and random number generator

Transcription

1 Confidentio Integrated security processing unit Including key management module, encryption engine and random number generator Secure your digital life

2 Confidentio : An integrated security processing unit offering a key management module, encryption engine and a random number generator. The tremendous growth in the use of mobile devices and internet connectivity gives rise to a whole new range of possibilities such as mobile payments, internet-based provisioning of media and software apps and cloud storage facilities to keep all our digital data at hand, everywhere and anytime. But security remains a concern: people s identities get stolen and abused, credit card data is tampered with and the piracy of media content and software apps is skyrocketing. To address these problems a strong security solution is required that is based on secret key storage and crypto functionality that can easily be deployed on mobile devices. Building such security solutions poses many challenges: How can secret keys be stored in a way that they cannot be tampered with, so that cloning of systems is prevented? How can one control the programming of secret keys in the field without relying on a chip or system manufacturer? How can one achieve an efficient and secure integration of key storage functionality with cryptographic functions like encryption/decryption, random number generation, etc.? How can one avoid a significant increase in the cost of devices by adding security? How can one retrofit existing embedded systems, phones, tablets, PCs with top-level security without spending long cycles in a hardware re-spin?

3 Confidentio is an integrated securityprocessing unit that serves as a root of trust in mobile applications such as: mobile payment, media content provisioning and securing the cloud. Confidentio comprises a hardware IP core that targets secure element implementations in: SIM/smartcard, Secure SDCard and embedded secure elements in mobile devices. It supports PPC, Intel, ARM, MIPS and other popular CPU architectures (custom or proprietary) and it provides a natural fit as root of trust in a GlobalPlatform compliant Trusted Execution Environment (TEE). Furthermore, Confidentio comprises a software module that connects to the hardware IP core and provides a high level API for easy integration with other software applications. Confidentio comes with an out-of-the-box support for the Intrinsic-ID s Saturnus Security Framework SDK that enables developers to take full advantage of the enhanced security in their apps. Secure your digital life

4 What is Confidentio? Confidentio is an integrated and optimized IP solution that offers superior security at a smaller silicon and/or software footprint compared with alternative solutions based on key storage in secure non-volatile memory and individual crypto cores. It combines: 1. Intrinsic-ID s flagship product Quiddikey for secret key storage 2. Intrinsic-ID s random number generator irng for generating strong cryptographic keys 3. An AES encryption/decryption engine Confidentio is the world s first and only encryption module that has a built-in key storage functionality without requiring embedded non-volatile memory, making Confidentio -SC the corner stone of a Secure Element solution. Confidentio is used for: content protection, secure transactions, secure boot and secure file storage in the cloud using the device unique fingerprint originating from deep submicron manufacturing process variations. Its flexible key management is designed to enable usage of multiple cryptographic keys, providing secure storage of personal keys and content keys for secure file storage and other applications. Confidentio integrates seamlessly into existing customer platforms. Hardware Intrinsic Security Instead of storing keys in non-volatile memory (typically secure EEPROM or E-fuses), Confidentio TM -SC allows for secure key extraction and programming from unique physical properties of the underlying hardware. This patented approach is called Hardware Intrinsic Security (HIS) and makes use of Physical Unclonable Functions (PUFs). The principle can best be described as biometrics for electronic devices and uses the device unique start-up values of an uninitialized SRAM block.

5 How does Confidentio work? Confidentio consists of two components: 1. a software security library with a fixed interface to the Confidentio hardware core i.e., a software driver for Confidentio TM 2. the Confidentio hardware core itself The Hardware Intrinsic Security (HIS) functionality can be implemented both in hardware (into the chip) or software/firmware (run as executable on an embedded CPU). In both cases it will use the start-up values of an SRAM memory to protect data on systems and in the cloud. It binds data with the hardware of a particular device. The only hardware component needed to be able to use HIS is a small block of SRAM. Customers and OEMs can build their own secure applications on top of Confidentio, directly accessing the Confidentio TM API. Each application can program its own secret keys. Furthermore, on most mobile and desktop platforms, developers can leverage can leverage the Saturnus Security Framework SDK (separate product). This is a software library that enables access to Confidentio TM, adding enhanced security functions and supporting e.g., authentication, secure cloud access, mobile payment. It is available for popular mobile platforms and provides backwards-compatibility to devices that do not have Confidentio TM. Figure 1: Confidentio TM components

6 An application can generate its device unique cryptographic master key by running the enrollment procedure. This is a one-time step in which SRAM PUF data are read out and a non-sensitive Activation Code (AC) is output. The application can store this AC in its private memory space. Random content keys can then be generated and stored in encrypted form on the device. These encrypted keys can be used by Confidentio to encrypt and decrypt content. Hence no key data needs to be stored in plain on the device. Figure 2: Confidentio TM HW core Cloning and counterfeit protection Copying the Activation Code to another device results in a non-functional device, since that device s SRAM PUF data does not match with this activation and key code. Even a physical clone of another device together with all the data stored on the device will not create a new functional product. This protects the system against cloning and counterfeiting.

7 Unique features Superior anti-tamper and anti-cloning protection based on HIS. Integrated security processing unit with secret key storage, AES encryption and decryption engine and random number generator Targets secure element implementations Supports PPC, Intel, ARM, MIPS and other popular CPU architectures including custom and/or proprietary CPUs Root of trust for media content provisioning and securing the cloud Natural fit as root of trust in a GlobalPlatform compliant Trusted Execution Environment (TEE). Flexible and secure key programming of multiple, cryptographically separated keys without requiring non-volatile memory on the target device. Out-of-the-box support for the Intrinsic- ID s Saturnus Security Framework SDK. Benefits Uses only a small block of standard SRAM applicable in all process nodes. Easy and fast integration in hardware - pure digital logic hardware component. Fast-track implementations in software. Cost efficient small silicon area and/or software footprint. Enables killer differentiating applications: secure cloud, payments, content protection, etc.. Based on best-in-class and industryproven Physical Unclonable Function technology.

8 Wish to learn more about Confidentio TM? Contact or visit us High Tech Campus AE Eindhoven The Netherlands Tel: sales@intrinsic-id.com Intrinsic-ID is the world-wide leader in security IP cores and applications based on Hardware Intrinsic Security, also referred to as Physical Unclonable Function (PUF). HIS enables a total protection of electronic data in the cloud and on other electronic systems. It prevents counterfeiting and cloning of systems, piracy of media content and software apps, theft of identity, and software reverse engineering. and financial losses by securing mobile payments. Intrinsic-ID was founded in 2008 as a spin-out of Royal Philips Electronics and has its headquarters in The Netherlands. Sales offices are located in: USA, Japan and Korea. Copyright 2014 Intrinsic-ID B.V. Intrinsic-ID, Quiddikey, Quiddicard, Saturnus, irng and other designated brands included herein are trademarks of Intrinsic-ID. All other trademarks are the property of their respective owners.