Part 1 of this two-part series on security design discussed using a stand-alone security chip. Here in Part 2, we’ll cover solutions that use an integrated chip and module, combining security and microcontroller (MCU) functions in a single chip.
Integrated chip
Cypress’ PSoC 6 MCU single-chip, dual-core architecture comprises the Arm Cortex-M4 and the Arm Cortex-M0+. Based on 40nm technology, the chip draws 22 microamps per Megahertz (M4) and 15 microamps per Megahertz (M0+). The security functions such as authentication are built-in. Additional security is implemented with hardware isolation using memory and peripheral protection.
As with a submarine, when one compartment is damaged with water rushing in, another compartment can be sealed off to keep the water out. Similarly, hardware isolation within the PSoC 6 MCU prevents malware from spreading, even when one segment is successfully attacked. (Figure 1).
Modular approach
Designing digital circuitry is one thing. Working with RF signals is an entirely different challenge. That is why some OEMs or developers prefer taking a modular route. OneThinx has integrated the Cypress PSoC 6 and the Semtech radio chip on one module. Measuring 24.5 x 20 x 2.4 mm, the Onethinx Core LoRaWAN™ Module has been pre-certified by the LoRa Alliance. When the module is incorporated into a final system, the OEM or integrator is not required to go through the LoRa Alliance certification process again. This potentially saves time and resources. (Figure 2).
Implementing the Cypress’ PSoC 6 protects the root keys in the following manner.
- The Cypress chip provides a mechanism to securely transfer the root keys from the key management system (KMS) to the device at manufacturing time (for example by using a TLS communication channel between the KMS and the end-device). TLS refers to transport layer security, a protocol that protects communications between client/server applications.
2) The Cypress chip securely isolates the LoRaWAN stack, which has access to the keys, from the user code, which may potentially contain paths to exploit the root keys.
As shown in Figure 3, the Cypress PSoC 6-based module will perform all the security functions including the over-the-air activation (OTAA) and securely perform the authentication through the gateways and network servers and then to the join servers. The join server will finish the key provisioning tasks.
Conclusions
Part 1 and Part 2 of this series survey two different approaches to security. With one approach, the use of a stand-alone security chip gives designers more flexibility, in that individual MCUs can be selected from STMicroelectronics, NXP, Renesas or others. On the other hand, with the modular approach, many design decisions and integration choices have been determined, which shortens development and test time with proven results. Additionally, with the LoRa Alliance pre-certified module, developers can avoid going through a potentially lengthy certification process.
Leave a Reply