SEC4 FinalSlides

This document outlines an agenda for a class on authentication and secure communications for IoT projects using AWS IoT Core. The class objectives are to explain how PKI can be used to authenticate IoT projects, show how the ATECC608A can secure credentials/keys, and demonstrate setting up AWS IoT service. The agenda covers the importance of IoT security, PKI/certificates, AWS IoT, TLS, the ATECC608A secure element, provisioning, and a summary. It focuses on authentication aspects of security.

Uploaded by

Sandra Bravo

23066 SEC4

Authentication and Secure Communications for IoT Projects Using AWS IoT Core
© 2019 Microchip Technology Incorporated. All Rights Reserved. 23066 SEC4 Slide 1

Class Objectives

When you walk out of this class you will…

• Explain how PKI can be used to authenticate IoT projects.
• Show how the ATECC608A can be used to secure credentials/keys.
• Demonstrate how to set up AWS’s IoT service to securely authenticate IoT devices.

Class Agenda
• Importance of IoT Security
• PKI & Certificates for Authentication
• AWS IoT Authentication, JITR, and FreeRTOS
• Lab 1: AWS Account Setup
• TLS (Transport Layer Security)
• ATECC608A Secure Element
• Provisioning
• Lab 2: Provisioning and Connecting
• Summary

Poor Security - Information

• Compromised IoT devices can provide a lot of opportunity to attackers
• Attackers can get access to sensitive data
  • Financial information (point of sale systems)
  • Camera and microphone (security systems)
  • Credentials to other systems (passwords)

Poor Security - Resources

• Attackers can use an IoT device’s resources
  • Processing or network bandwidth
  • Spread viruses and malware
  • Part of DDOS attack
  • Bitcoin mining
  • Spam
  • Malicious advertising

Poor Security - Access

• Attackers can get access to the IoT device’s functionality
  • Disable security system
  • Gateway for attacking internal network
  • Cause IoT device to misbehave
    • Critical for health and dangerous devices
  • Brick IoT device

Effects of Proper Security

• Protects your reputation
  • Compromised devices erode customer trust
• Gives you control
  • Over manufacturing and subcontractors
  • Over unauthorized devices (counterfeiters)

Aspects of IoT Security

• Authentication
• Encryption
• Key Storage
• Firmware Protection
• Firmware Updates
• Testing
• Etc…

Class Focus

See other security classes
• SEC5 – Secure boot
• SEC6 and SEC7 – Secure applications

Asymmetric Crypto Review

• Uses two mathematically related keys
  • Private and Public Key
• Public key can be distributed without compromising security
• Can be used for CIA (Confidentiality, Integrity, and Authentication) without distributing shared secrets

Digital Signature Algorithm

[Diagram: Host and Subject]
• Subject holds a Public Key and a Private Key; the Subject Public Key is distributed to the Host
• Subject: Sign the Message with the Private Key, producing a Signature
• Host: Verify the Message and Signature with the Subject Public Key (OK?)

Elliptic Curve Cryptography
• ECDSA Sign
• ECDSA Verify

Certificate Signing

[Diagram: Authority and Subject]
• Authority holds a Private Key, a Public Key and Authority Info; Subject holds a Public Key, a Private Key and Subject Info
• Subject sends a CSR (Certificate Signing Request); the Authority runs Validate (OK?)
• TBS (To Be Signed) Certificate: Authority Info, Certificate Info, Subject Info, Subject Public Key
• Authority: Sign (ECDSA) the TBS Certificate
• Certificate: Authority Info, Certificate Info, Subject Info, Subject Public Key, Signature

Certificate Verification

[Diagram: Host and Subject]
• Host holds the Authority Public Key; Subject holds a Public Key and a Private Key
• Certificate: Authority Info, Certificate Info, Subject Info, Subject Public Key, Signature
• Host: Verify (ECDSA) the TBS (To Be Signed) portion against the Signature with the Authority Public Key (OK?)

Certificate Authentication

[Diagram: Host and Subject]
• Host holds the Authority Public Key and the (Verified) Certificate; Subject holds a Public Key, a Private Key and the Certificate
• Certificate: Authority Info, Certificate Info, Subject Info, Subject Public Key, Signature
• Host sends a Challenge (Random)
• Subject: Sign (ECDSA) the Challenge, returning a Signature
• Host: Verify (ECDSA) the Signature (OK?)

X.509 Certificates

• Standard certificate format
  • Origins with X.500 standard for network directory services
  • Current version (v3) specified in RFC 5280
• Detailed information about the subject
  • Subject and Issuer (Authority) Names
  • Certificate validity time frame
  • Capabilities of the subject

Certificate Chains

[Diagram: tree with the Root CA at the top, Intermediate CAs below it, and User certificates at the leaves]

Public Key Infrastructure (PKI)

• The management of public key based certificates
• Roles
  • Authorities, Servers, Clients, Users, etc…
• Policies and procedures
  • Who controls the authorities
  • How should keys be protected
  • How to validate a certificate
• Revocation
  • Not trusted any more

AWS Introduction

Cloud computing is the on-demand delivery of compute power, database storage, applications, and other IT resources through a cloud services platform via the internet with pay-as-you-go pricing.

• Trade capital expense for variable expense
• Benefit from massive economies of scale
• Stop guessing capacity
• Increase speed and agility
• Stop spending money on running and maintaining data centers
• Go global in minutes

Our concept of IoT

• Things: Sense & Act
• Cloud: Storage & Compute
• Intelligence: Insights & Logic → Action

© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AWS IoT Architecture

• Things: Sense & Act
• Cloud: Storage & Compute
• Intelligence: Insights & Logic → Action
• Secure device connectivity and messaging

AWS IoT Architecture

• Things: Sense & Act
• Cloud: Storage & Compute
• Intelligence: Insights & Logic → Action

• Secure local triggers, actions, and data sync
• Secure device connectivity and messaging
• Fleet onboarding, management and SW updates
• Fleet audit and protection
• IoT data analytics and intelligence

[Diagram labels: Endpoints; Gateway]

Authentication

[Diagram labels: ClientId, Cert; Session]

• Requires Transport Layer Security (TLS)
• Uses mutual authentication

AWS IoT Certificate Management

• AWS IoT Managed
• Customer Managed

AWS IoT Managed Certificates

• Manual / on-demand certificate provisioning
• CA managed and operated by AWS
• Not suitable for manufacturing processes
• Just in time Provisioning

Customer Managed Certificates

• On-demand and custom provisioning
• CA managed and operated by customer
• CA key secured by customer
• Suitable for manufacturing processes

How do we integrate and automate?

Bring Your Own Certificate (BYOC)

[Diagram labels: Customers Hardware Security Module (HSM); CSR]

Just In Time Registration

• JITR (jit-ter)
• Pairs with Bring Your Own Certificate (BYOC)
• Decouples certificate provisioning and registration
• Enables event driven hook for post-registration actions
• Certificate deactivation and revocation

Amazon FreeRTOS
IoT Operating System for Microcontrollers

Amazon FreeRTOS, based on the popular FreeRTOS, is a microcontroller operating system that makes small, low powered edge devices easy to program, deploy, secure, connect, and maintain.

• Will it work on my chip?
• Does it have the functionality I need?
• Where do I get it?
• How do I start?

Amazon FreeRTOS
IoT Operating System for Microcontrollers

[Diagram: software stack with the layers EMBEDDED APPS; CONNECTIVITY LIBRARIES; GREENGRASS LIBRARIES; OVER THE AIR (OTA) AGENT; CLOUD & SECURITY LIBRARIES; FreeRTOS; HW DRIVERS]

IoT microcontroller device concerns

• User program: Making your app special
• Security: Keeping your communication secure
• Communications: Networking your app
• Key management: Protecting your app’s identity
• Peripherals: Driving input, output, storage
• Bootloader: Initializing your app’s world

IoT microcontroller device concerns
Amazon FreeRTOS

• User program: Making your app special faster
• Security: Keeping your comms more secure
• Communications: Networking your app flawlessly
• Key management: Protecting your app’s identity simply
• Peripherals: Driving input, output, storage cleanly
• Bootloader: Initializing your app’s world powerfully

Microcontroller development environments

[Diagram labels: Amazon FreeRTOS; Commercial IDE support; Vendor IDE support]

Lab 1 Objectives

• Set up AWS IoT for Just in Time Registration (JITR) of device certificates
• Obtain temporary AWS Account
• Create registration Lambda Function
• Create registration IoT Rule

Setting up AWS IoT for JITR

• Initial account setup
  • Needs to be done from an administrative account
  • User with permission to set up the kit
  • Lambda function role with permission to register devices

Create Registration Lambda Function

• Essential Functions
• Adds device certificate to IoT account
• Attaches policy to device certificate
• Can Be Extended
• Perform additional validation
• Trigger other registration actions

Creating IoT Rule

• Rules perform certain actions based on events
• Registration rule triggers when a new device attempts to connect
  • Device must have supplied a certificate that chains back to a registered CA
• Registration rule will run the registration lambda function as its action

TLS (Transport Layer Security)

• Communications protocol providing C I A
  • Confidentiality: Encrypts data
  • Integrity: Protects data from changes
  • Authentication: Confirm identity of the other side
• Used to secure websites (https)
• Many other communication purposes
  • Like MQTT for IoT devices

TLS Position

Layer            Description
7 Application    High-level APIs (e.g. MQTT)
6 Presentation   Encoding/compression/encryption
5 Session        Collections of messages
4 Transport      Reliable transmission of data (e.g. TCP or UDP)
3 Network        Moving data between network nodes (e.g. IP)
2 Data Link      Data transfer on a direct connection (e.g. MAC)
1 Physical       The business of physically moving bits

Transport Layer Security: marked beside layers 6 (Presentation) and 5 (Session)

TLS Authentication

• Verify who you are talking to
  • Certificates (X.509)
• Can be one-way
  • Client authenticates server
• or mutual
  • Client and server authenticate each other
  • This is what AWS IoT uses

Trust Store

• List of Trusted Certificate Authorities
  • Needs to be preloaded
• IoT device trust store
  • Authenticates server
  • AWS IoT lists root CAs
    https://docs.aws.amazon.com/iot/latest/developerguide/managing-device-certs.html
• AWS IoT server trust store
  • Uses device certificate directly
  • Device CA certificates are used for JITR

TLS Symmetric Keys

• Asymmetric operations are slow
  • Encrypt / decrypt / sign / verify
• Symmetric keys used for encryption and integrity checking
• Key exchange/agreement
  • Results in a pre-master secret

[Diagram: Client and Server perform Key Exchange or Key Agreement; each side calculates its Premaster Secret, and both hold the Same Secret]

TLS ECDHE

Elliptic Curve Diffie Hellman Ephemeral

[Diagram: Client and Server each hold Identity Keys (Private Key, Public Key) and use an RNG to generate Ephemeral Keys (Private Key, Public Key); each side runs ECDH and both arrive at the Same Secret as their Premaster Secret. Label: Forward Secrecy]

TLS Cipher Suites

• TLS was built to be very flexible
• Cipher suites describe crypto parameters
  • Key exchange algorithm
  • Authentication algorithm
  • Cipher
    • Algorithm, strength, mode
  • MAC or PRF

TLS Cipher Suite List
https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml

TLS Cipher Suite Example

TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256

ECDHE    Key exchange/agreement algorithm
ECDSA    Server authentication algorithm
AES      Cipher algorithm
128      Cipher strength
GCM      Cipher mode
SHA256   PRF (Pseudo Random Function)

Cipher mode is AEAD (combine encryption and integrity check)
Last portion specifies PRF algorithm

TLS Handshake – One Way

Client → Server: ClientHello
Server → Client: ServerHello
Server → Client: Certificate
Server → Client: ServerKeyExchange
Server → Client: ServerHelloDone
Client → Server: ClientKeyExchange
Client → Server: Finished
Server → Client: Finished

TLS Handshake – Mutual

Client → Server: ClientHello
Server → Client: ServerHello
Server → Client: Certificate
Server → Client: ServerKeyExchange
Server → Client: CertificateRequest
Server → Client: ServerHelloDone
Client → Server: Certificate
Client → Server: ClientKeyExchange
Client → Server: CertificateVerify
Client → Server: Finished
Server → Client: Finished

Why Hardware Security?

• Storing and using keys in the processor exposes them
  • Operating systems and software have bugs
    Heartbleed for OpenSSL was notable, easily exposing secret data and keys
  • Side-channel attacks
• Hardware security devices provide a hardened key storage and execution environment

ATECC608A Introduction

• Provides secure storage and execution environment for keys
  • Symmetric (SHA256, AES)
  • Asymmetric (elliptic curve)
• Supports NIST P-256 curve
  • a.k.a. secp256r1 and prime256v1
• 10.5Kb storage across 16 slots
• High-quality internal RNG
• Supports SHA256, ECDSA, ECDH, various KDF, and AES algorithms

ATECC608A HW Security

Advanced Multi-Level HW Security

• Active shield over entire chip
• All memories internally encrypted
• Data independent execution
• Internal state consistency checking
• Power supply tamper protection
• Temperature lockouts
• Internal clock generation
• Secure test methods
• No die features can be identified
• No package or die identification

[Figure labels: Microchip Active Shield; Standard uC, logic & memory]

Designed to defend against a multitude of attacks

ATECC608A Acceleration

ATECC608A versus Cortex® M0+ running at 48MHz

[Chart: H/W vs S/W Benchmark; vertical axis in milliseconds; operations: P256 Key Gen, ECDSA Sign, ECDSA Verify, ECDHE; series: ATECC608A, Cortex M0+ @ 48MHz]

Reduces code size (no elliptic curve crypto library)

ATECC608A TLS Support

• Supports authentication (ECDSA) and key exchange (ECDH)
• Encryption (AES) is still handled by the host MCU
  • ATECC608A can do AES, but would be slow – meant for small MCUs
• Protects the device’s identity key
• Accelerate verification and key agreement

ATECC608A TLS Support

ATECC608A   Handshake message
Random      ClientHello (Client → Server)
            ServerHello (Server → Client)
Verify      Certificate (Server → Client)
Verify      ServerKeyExchange (Server → Client)
            CertificateRequest (Server → Client)
            ServerHelloDone (Server → Client)
GenKey      Certificate (Client → Server)
ECDH        ClientKeyExchange (Client → Server)
Sign        CertificateVerify (Client → Server)
            Finished (Client → Server)
            Finished (Server → Client)

ATECC608A for AWS IoT (TLS)

• ATECC608A is very configurable
• AWS configuration preconfigures for use with AWS IoT
  • Slot 0 – Device private key
  • Slots 10-12,14 – Device and signer certificates
  • Other slots pre-configured for common use cases

ATECC608A Key Agreement

• Ephemeral private key
  • Helps speed and code size
  • Regenerated for every session
  • Stored in SRAM (TempKey)
  • Used with ECDH command to generate pre-master secret

AWS IoT CAs

• Need to set up Certificate Authorities (CAs) first
• Recommend 3 levels
  Root CA → Signer CA → Device
• Top-level represents your ecosystem, doesn’t need to be an actual root CA
  CA → Ecosystem CA → Signer CA → Device

Microchip Provisioning Services

• Microchip has provisioning services
• All keys are secured in HSMs (Hardware Security Modules)
• Access to HSMs is carefully controlled via software and hardware
• Asymmetric keys are always internally generated
• Symmetric keys and secrets are never exposed
• Secrets are encrypted even on the bus

Lab 2 Objectives

• Create Certificate Authorities (CAs) for your IoT devices
• Register your signer CA with AWS IoT
• Provision an ATECC608A device for operation with AWS IoT
• See the IoT device registration, authentication, and communication with AWS IoT

Create Certificate Authorities

• Create Root CA
  • True root
  • Self-signed certificate
• Create Signer CA
  • Create CSR (certificate signing request)
  • Create Certificate from Root CA

Registering the Signer

• Adds an authorized signer (CA) certificate to AWS IoT account
• Need Verification Certificate
  • Get registration code from AWS IoT
  • Create certificate with registration code
  • Sign certificate using the signer
  • Proves to AWS IoT you have access to the signer private key

Hardware Setup

Provisioning the Thing

• Provisioning application bridges communication between signer (CA) and ATECC608A
  • ATECC608A returns CSR with its public key
  • Signer (CA) signs certificate and sends it back along with its own certificate
  • Both certificates are saved to the ATECC608A
  • Additional AWS connection information

Register CA with AWS IoT

[Diagram: exchange between the Signer (Private Key, Signer Certificate) and AWS IoT]
• Signer calls GetRegistrationCode; AWS IoT returns the registrationCode (Registration Code)
• Signer: Create and Sign the Verification Certificate with its Private Key
• Signer calls RegisterCACertificate with verificationCertificate (Verification Certificate) and caCertificate (Signer Certificate)
• AWS IoT: Validate (Ok?), then Register CA
• AWS IoT CAs: Signer Certificate
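The CA creation, signer registration and device provisioning steps of Lab 2, as an added Python example that is not from the slides or the Microchip kit. It assumes the third-party cryptography package, uses software keys in place of the signer's protected key and the ATECC608A's slot 0 key, and the certificate names, lifetimes and the verification_cert_ok check are illustrative assumptions.

```python
"""Lab 2 PKI steps with the third-party `cryptography` package (added example).
Software keys stand in for the signer key and the ATECC608A slot 0 key."""
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID


def new_key():
    return ec.generate_private_key(ec.SECP256R1())  # NIST P-256


def name(common_name):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])


def make_csr(key, common_name):
    """CSR: subject name plus public key, signed by the matching private key."""
    builder = x509.CertificateSigningRequestBuilder().subject_name(name(common_name))
    return builder.sign(key, hashes.SHA256())


def issue(subject, public_key, issuer_name, issuer_key, days, ca=False, path_length=None):
    """Build the to-be-signed certificate and sign it with the issuer key (ECDSA)."""
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (
        x509.CertificateBuilder()
        .subject_name(subject)
        .issuer_name(issuer_name)
        .public_key(public_key)
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(minutes=5))
        .not_valid_after(now + datetime.timedelta(days=days))
        .add_extension(x509.BasicConstraints(ca=ca, path_length=path_length), critical=True)
    )
    return builder.sign(issuer_key, hashes.SHA256())


def sign_csr(csr, issuer_cert, issuer_key, days, ca=False, path_length=None):
    """Authority side: validate the CSR signature, then issue the certificate."""
    if not csr.is_signature_valid:
        raise ValueError("CSR signature does not match its public key")
    return issue(csr.subject, csr.public_key(), issuer_cert.subject, issuer_key,
                 days, ca=ca, path_length=path_length)


def signed_by(cert, issuer_cert):
    """True if issuer_cert's public key verifies cert's signature over its TBS bytes."""
    if cert.issuer != issuer_cert.subject:
        return False
    try:
        issuer_cert.public_key().verify(
            cert.signature, cert.tbs_certificate_bytes,
            ec.ECDSA(cert.signature_hash_algorithm))
        return True
    except InvalidSignature:
        return False


def common_name(cert):
    return cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value


def verification_cert_ok(ca_cert, verification_cert, registration_code):
    """Model of the proof of possession: the verification certificate carries the
    registration code as its common name and is signed by the CA being registered."""
    return (common_name(verification_cert) == registration_code
            and signed_by(verification_cert, ca_cert))


def build_lab_pki(registration_code):
    """Root CA -> Signer CA -> device, plus the signer's verification certificate."""
    root_key = new_key()
    root = issue(name("Example Root CA"), root_key.public_key(),
                 name("Example Root CA"), root_key, 3650, ca=True, path_length=1)
    signer_key = new_key()
    signer = sign_csr(make_csr(signer_key, "Example Signer CA"), root, root_key,
                      1825, ca=True, path_length=0)
    verification = sign_csr(make_csr(new_key(), registration_code), signer, signer_key, 1)
    device = sign_csr(make_csr(new_key(), "example-device-0001"), signer, signer_key, 365)
    return {"root": root, "signer": signer, "verification": verification, "device": device}
```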

Just In Time Registration

[Diagram: flow between the Device and AWS IoT]
• Device: Connect, presenting the Device Certificate and Signer Certificate
• AWS IoT: Is Device Cert in Cert Registry? No
• Device: Disconnect
• AWS IoT: Is Signer Cert in CA Registry (CAs: Signer Certificate)? Yes
• Publish to topic: $aws/events/certificates/registered/<ca id>
• ZeroTouchJustInTimeRegistration rule triggers
• Run lambda function: ZTLambdaJITR
• Registers Device Certificate
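A registration Lambda for the flow above, as an added Python example; it is not the kit's ZTLambdaJITR code. It assumes boto3 in the Lambda runtime, and the POLICY_NAME and ALLOWED_CA_IDS environment variables, the FakeIoT stand-in and the sample event values are constructed for illustration.

```python
"""JITR registration Lambda sketch (added example, not the kit's function).
POLICY_NAME and ALLOWED_CA_IDS are hypothetical environment variables."""
import os

PENDING = "PENDING_ACTIVATION"


def register_device(event, iot, policy_name, allowed_ca_ids):
    """Validate a certificate-registered event, attach a policy, activate the cert.

    `iot` is a boto3 IoT client (or a stand-in with the same three methods).
    Returns "activated", "skipped" or "rejected".
    """
    cert_id = event["certificateId"]
    ca_id = event.get("caCertificateId")
    # Additional validation: only act for signer CAs this deployment expects.
    if ca_id not in allowed_ca_ids:
        return "rejected"
    desc = iot.describe_certificate(certificateId=cert_id)["certificateDescription"]
    # Take the issuing CA and status from the registry, not from the message.
    if desc.get("caCertificateId") != ca_id:
        return "rejected"
    if desc["status"] != PENDING:
        return "skipped"  # already handled; keeps the function idempotent
    # Attach the policy first so the certificate is never active without one.
    iot.attach_policy(policyName=policy_name, target=desc["certificateArn"])
    iot.update_certificate(certificateId=cert_id, newStatus="ACTIVE")
    return "activated"


def lambda_handler(event, context):
    """Entry point run by the IoT rule on the certificate registration topic."""
    import boto3  # provided by the AWS Lambda Python runtime
    allowed = set(filter(None, os.environ.get("ALLOWED_CA_IDS", "").split(",")))
    return register_device(event, boto3.client("iot"), os.environ["POLICY_NAME"], allowed)


class FakeIoT:
    """In-memory stand-in for the boto3 IoT client, for offline runs (constructed)."""

    def __init__(self, certs):
        self.certs = certs
        self.attached = []

    def describe_certificate(self, certificateId):
        return {"certificateDescription": dict(self.certs[certificateId])}

    def attach_policy(self, policyName, target):
        self.attached.append((policyName, target))

    def update_certificate(self, certificateId, newStatus):
        self.certs[certificateId]["status"] = newStatus


# Constructed sample event in the shape published on the registration topic.
SAMPLE_EVENT = {
    "certificateId": "cert-id-constructed",
    "caCertificateId": "ca-id-constructed",
    "timestamp": 1560000000000,
    "certificateStatus": PENDING,
    "awsAccountId": "000000000000",
    "certificateRegistrationTimestamp": "1560000000000",
}
```

The Lambda's execution role needs permission for the three IoT calls used here, which matches the "Lambda function role with permission to register devices" item in the Lab 1 setup.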

ATWINC1500

[Diagram labels: MCU (Application, WINC1500 Driver); ATWINC1500 (TLS, DNS, DHCP, …, TCP / UDP, IP, WIFI, Radio)]

• TLS Stack is completely internal
  • Certificate validation and key exchange (RSA only)
  • Encryption/decryption (AES128 CBC or GCM)
  • Except - ECC certificates and key exchange with external support
    • Starting with 19.5.2 firmware

WINC1500 and ATECC608A TLS integration

• WINC1500 implements TLS for user
  • Elliptic Curve math not supported
• WINC1500 requests EC math be performed by crypto proxy in firmware
• Firmware crypto proxy performs actual operations using the ATECC608A
• WINC1500 stores required certificates

ATWINC1500 ECC Pass-through

[Diagram: ATECCx08A, MCU and ATWINC1500]
• ATWINC1500 → MCU: ECDSA Sign Request
• MCU → ATECCx08A: Sign Command
• ATECCx08A: ECDSA Sign with the Private Key
• ATECCx08A → MCU: Signature
• MCU → ATWINC1500: Signature

• Same process is used for all ECC operations
  • Generate key pair, ECDH, ECDSA sign, ECDSA verify

Client Certificates

• WINC1500 has internal store for client certificates
• Firmware must load them from the ATECC608A
  • Reconstruct signer and device certificates
  • Save them to the WINC1500
  • One-time operation

MQTT Communication

• MQTT is a light-weight messaging protocol designed for IoT devices
• Has a topic subscribe and publish architecture
• AWS policies can set what topics a device can use
• Shadow topic designed to store device state in AWS cloud

Lab Summary

• Enabled Just In Time Registration on AWS IoT
• Registered a Certificate Authority (Signer) with AWS IoT
• Provisioned an ATECC608A using the Signer
• Saw the device register with AWS IoT
• Passed MQTT messages

AVR-IoT and PIC-IoT Platform

• Wi-Fi Connected Sensor Node
  • Complete solution for AWS and others
  • Rapid Development in Atmel Studio and START
  • Onboard Light and Temperature sensors
  • LiPo battery support (including charger)
  • Small form factor (~6 cm x 2.5 cm)

AVR-IoT PIC-IoT Platform

• Smart: PIC® & AVR® MCUs (User App, MQTT*, JWT*)
• Connected: WINC1500 (WiFi, TCP/IP, TLS)
• Secure: ECC608 (Key Storage, Authentication, Crypto)

Summary

• IoT security is important from the start
• PKI authentication can create a scalable provisioning architecture
• The ATECC608A provides essential protection of the keys and hardware crypto acceleration
• AWS IoT provides the cloud infrastructure for managing devices and their communication
• Amazon FreeRTOS provides a platform abstraction layer to implement on.

Resources

• Zero Touch Provisioning kit for AWS IoT Release - at88ckecc-aws-xstk-b
  • Software at https://github.com/MicrochipTech/aws-iot-zero-touch-secure-provisioning-kit
• AVR-IoT WG Development Board - AC164160
• PIC-IoT WG Development Board - AC164164
• AWS IoT - https://aws.amazon.com/iot/
• Amazon FreeRTOS - https://aws.amazon.com/freertos/

LEGAL NOTICE

SOFTWARE:
You may use Microchip software exclusively with Microchip products. Further, use of Microchip software is subject to the copyright notices, disclaimers, and any license terms accompanying such software, whether set forth at the install of each program or posted in a header or text file.

Notwithstanding the above, certain components of software offered by Microchip and 3rd parties may be covered by “open source” software licenses – which include licenses that require that the distributor make the software available in source code format. To the extent required by such open source software licenses, the terms of such license will govern.

NOTICE & DISCLAIMER:
These materials and accompanying information (including, for example, any software, and references to 3rd party companies and 3rd party websites) are for informational purposes only and provided “AS IS.” Microchip assumes no responsibility for statements made by 3rd party companies, or materials or information that such 3rd parties may provide.

MICROCHIP DISCLAIMS ALL WARRANTIES, WHETHER EXPRESS, IMPLIED, OR STATUTORY, INCLUDING ANY IMPLIED WARRANTIES OF NONINFRINGEMENT, MERCHANTABILITY, AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT WILL MICROCHIP BE LIABLE FOR ANY DIRECT OR INDIRECT, SPECIAL, PUNITIVE, INCIDENTAL, OR CONSEQUENTIAL LOSS, DAMAGE, COST, OR EXPENSE OF ANY KIND RELATED TO THESE MATERIALS OR ACCOMPANYING INFORMATION PROVIDED TO YOU BY MICROCHIP OR OTHER THIRD PARTIES, EVEN IF MICROCHIP HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES OR THE DAMAGES ARE FORESEEABLE. PLEASE BE AWARE THAT IMPLEMENTATION OF INTELLECTUAL PROPERTY PRESENTED HERE MAY REQUIRE A LICENSE FROM THIRD PARTIES.
