
Setting up a Chain of Trust

oscarmicrochip edited this page Aug 11, 2016 · 24 revisions

The development kit is equipped with a pre-configured ECC508A device which assists the end node microcontroller in establishing a secure (TLS) session with AWS IoT. The ECC508A is a CryptoAuthentication(tm) device that provides the system with:

  • Keys and certificates stored securely
  • Hardware cryptographic accelerators
  • Tamper protections and hardware security mechanisms

In order to be "trusted", the identity of the ECC508A must be part of a larger "chain of trust" that AWS IoT can verify.

(*) The signer resides in Microchip's secure manufacturing zone, but a "portable" signer in the form of a secure USB dongle is included with the kit to simplify the initial setup.

If you wonder why a Chain of Trust is needed in the first place, have a look at this section: [Why do we need a Chain of Trust?](Why do we need a Chain of Trust)

Kit Signer vs. Production Signer

The provisioning of the ECC508A - i.e. generating keys and programming the associated certificates - typically takes place during the last manufacturing steps before the device leaves the Microchip factory. Each device then contains the certificate that uniquely ties it to the customer.

In the context of the development kit, the ECC508A is pre-configured for AWS IoT operation, but customer-specific certificates are unknown to Microchip at the time of shipment.

To that effect, the kit includes tools that mimic the steps performed on the ECC508A manufacturing line to personalize - or "provision" - the specific identity.

This provisioning step is only needed in the context of the kit and is entirely eliminated in production.

Steps to create the Chain of Trust with the Kit

The Root Certificate Authority

The kit contains a USB dongle equipped with an ECC508A configured to be a Root Certificate Authority, i.e. one holding a self-signed certificate. This USB dongle contains the ultimate Root of Trust of the application and is unique to this kit. It can obviously be used with an unlimited number of signers and end nodes. This device is locked and can't be modified. It contains a private and public key pair and a self-signed certificate. While the private key can't be extracted from the dongle, both the public key and the certificate can be read out with the Secure Insight GUI.

The Root CA dongle is identified by a red sticker.

Plug the USB dongle with the red sticker into a USB port of the computer running the Secure Insight GUI.

The Signer

The kit also contains a USB dongle equipped with an ECC508A configured to be an Intermediate Certificate Authority, or Signer CA. This USB dongle is used to sign devices, as would be done in production.

The Signer Certificate will be registered with the AWS IoT server, where it will be used to verify the identity of devices.

This device (the USB Signer dongle) also contains a private and public key pair. While the private key can't be extracted from the dongle, both the public key and the certificate can be read out with the Secure Insight GUI.

The Signer Intermediate CA dongle is identified by a green sticker.
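The chain the two dongles represent (self-signed Root CA, Signer CA under it, device certificates signed by the Signer, and AWS IoT trusting only the registered Signer certificate) can be rebuilt and checked with openssl. The script below is an added example, not kit or Microchip code; it uses software P-256 keys in place of the keys held inside the ECC508A dongles, and the subject names, the second "Other Signer" and the `WORK` directory are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not kit or Microchip code: rebuilds the kit's three-level chain
# (root CA -> signer CA -> device) with openssl software keys standing in for the
# keys held inside the ECC508A dongles and devices. Subjects are constructed.
set -e
WORK="${WORK:-$(mktemp -d)}"
# Issue a P-256 certificate (the curve the ECC508A uses).
# $1 name, $2 subject, $3 issuer name ("" = self-signed), $4 "ca" or "leaf"
make_cert() {
  name="$1"; subj="$2"; issuer="$3"; kind="$4"
  openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/$name.key" 2>/dev/null
  openssl req -new -key "$WORK/$name.key" -subj "$subj" -out "$WORK/$name.csr" 2>/dev/null
  if [ "$kind" = ca ]; then
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > "$WORK/$name.ext"
  else
    printf 'basicConstraints=critical,CA:FALSE\nkeyUsage=critical,digitalSignature\n' > "$WORK/$name.ext"
  fi
  if [ -z "$issuer" ]; then
    # Self-signed: the ultimate root of trust, like the red-sticker dongle
    openssl x509 -req -in "$WORK/$name.csr" -signkey "$WORK/$name.key" -days 365 \
      -extfile "$WORK/$name.ext" -out "$WORK/$name.crt" 2>/dev/null
  else
    # Signed with the issuer's private key, as the signer dongle signs each device
    openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/$issuer.crt" -CAkey "$WORK/$issuer.key" \
      -CAcreateserial -days 365 -extfile "$WORK/$name.ext" -out "$WORK/$name.crt" 2>/dev/null
  fi
}
# Mirror of the AWS IoT check: the registered signer certificate ($1) is the only
# trust anchor and the device certificate ($2) must chain to it. Succeeds if accepted.
aws_accepts_device() {
  openssl verify -partial_chain -CAfile "$WORK/$1.crt" "$WORK/$2.crt" 2>/dev/null | grep -q ': OK$'
}
build_kit_chain() {
  make_cert root   "/O=Example Kit/CN=Root CA"   ""     ca
  make_cert signer "/O=Example Kit/CN=Signer CA" root   ca
  make_cert device "/O=Example Kit/CN=0123ABCD"  signer leaf
  # A second signer under the same root whose certificate was never registered
  make_cert other        "/O=Example Kit/CN=Other Signer" root  ca
  make_cert other_device "/O=Example Kit/CN=FFFF0000"     other leaf
}
main() {
  build_kit_chain
  aws_accepts_device signer device       && echo "device: accepted (signed by the registered signer)"
  aws_accepts_device signer other_device || echo "other_device: rejected (its signer is not registered)"
  # Trusting the root dongle alone is not enough: the signer certificate must be present
  aws_accepts_device root device         || echo "device vs root only: rejected (signer cert missing)"
}
main
```

The second signer is deliberately issued by the same root to show that AWS IoT accepts devices by their registered Signer, not by the Root, which is why the Signer certificate (not the Root) is what gets registered.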