Embedded software protects IoT endpoints
Renesas is offering embedded security solutions that employ general-purpose microcontrollers and microprocessors as new security structures for embedded devices that will function as IoT endpoints in homes and buildings. The first product in the series, the RX231 Communications Security Evaluation Kit, has been released.
As well as implementing strong security functions using a trusted secure IP that is already incorporated in the RX231 microcontrollers, the kit provides an evaluation board and a range of software to prevent virus infections over communication channels and disclosure of confidential information. It also allows embedded devices with strengthened security to be developed easily.
Implementing strong security functions depends on the management of encryption keys, which correspond to passwords that protect information. Encryption keys were previously stored in flash memory or other non-volatile memory, so the company developed a technology that protects these encryption keys using trusted secure IP hardware. By providing both an evaluation board and software at the same time, the evaluation kit serves as a one-step service and simplifies implementation of security and communications functions.
The trusted secure IP takes advantage of the security technology accumulated by the company, and forms a hardware security layer that cannot be damaged even if attacked externally. This IP features both an encryption engine and reliable protection of encryption keys. The company claims the kit supports the implementation of stronger security than earlier systems, in which the encryption keys were managed by user efforts.
The encryption engine supports both encryption and decryption using either 128-bit or 256-bit encryption keys as stipulated by AES. It also supports ECB, CBC, GCM, and CMAC, which can be used for authentication and modification detection. Furthermore, it includes a true random number generator to generate random keys.
Encryption keys are only handled in a secure area within the trusted secure IP. When an encryption key is stored in non-volatile memory outside this IP, it is stored in combination with a characteristic semiconductor device ID as key generation information so that the original encryption key cannot be determined. It is therefore possible to protect encryption keys from reverse engineering attacks.
Access to the encryption engine and the encryption keys within this trusted secure IP is monitored, and when an illegal access is detected, further accesses are blocked. This prevents unauthorised use of the encryption engine and the encryption keys.
Embedded devices can be protected from unauthorised programs over communications channels such as wireless LAN and USB
The secure firmware update function applies when microcontroller user software is updated using communication over wireless LAN or USB channels: if an unauthorised program modification is detected, the install operation is cancelled. The secure boot function applies at microcontroller boot time: if an unauthorised modification to the user program is detected, unauthorised program execution is prevented by stopping the boot operation. Furthermore, eavesdropping on communications can be prevented by data encryption/decryption using AES with the encryption engine.
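The update and boot checks described above can be modelled in a few lines. This is an added example, not Renesas code: it assumes modification is detected with a MAC over the whole image (the article does not say which mechanism the kit uses), HMAC-SHA256 stands in for the AES-CMAC the encryption engine supports, and the `Device` class, key and firmware images are hypothetical, constructed values.

```python
import hashlib
import hmac

TAG_LEN = 32  # HMAC-SHA256 output size in bytes


def make_tag(key: bytes, image: bytes) -> bytes:
    """MAC over the firmware image (stand-in for a hardware AES-CMAC)."""
    return hmac.new(key, image, hashlib.sha256).digest()


def verify(key: bytes, image: bytes, tag: bytes) -> bool:
    """Constant-time comparison so timing does not leak tag bytes."""
    return len(tag) == TAG_LEN and hmac.compare_digest(make_tag(key, image), tag)


class Device:
    """Hypothetical model of an endpoint with one active firmware slot."""

    def __init__(self, key: bytes, image: bytes):
        self._key = key  # assumption: on real hardware this stays inside the secure IP
        self.slot = (image, make_tag(key, image))

    def install_update(self, image: bytes, tag: bytes) -> bool:
        """Verify the staged image first; cancel the install on any mismatch."""
        if not verify(self._key, image, tag):
            return False  # active slot is left untouched
        self.slot = (image, tag)
        return True

    def boot(self) -> bool:
        """Re-check the stored image at every boot; stop if it was modified."""
        image, tag = self.slot
        return verify(self._key, image, tag)


def demo() -> dict:
    key = bytes(range(32))  # constructed sample key
    v1, v2 = b"firmware v1 (constructed)", b"firmware v2 (constructed)"
    dev = Device(key, v1)
    results = {"good_update": dev.install_update(v2, make_tag(key, v2))}
    tampered = v2 + b"\x90"  # image altered in transit, tag unchanged
    results["tampered_update"] = dev.install_update(tampered, make_tag(key, v2))
    results["still_v2"] = dev.slot[0] == v2
    results["boot_ok"] = dev.boot()
    dev.slot = (b"patched in flash", dev.slot[1])  # modification at rest
    results["boot_after_flash_change"] = dev.boot()
    return results
```

The order of operations is the point: the tag is checked before the active slot is written, so a rejected update leaves the last known-good image in place, and the same check at boot catches changes made to stored code after installation.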
The evaluation board for the 32-bit RX231 microcontroller with on-chip trusted secure IP includes a USB and SDHI wireless LAN communications expansion board interface, and can be connected to a wireless LAN communications expansion board. This kit also provides security software, FreeRTOS, Renesas TCP/IP middleware, and a wireless LAN driver as a wireless LAN protocol stack for communications.