Our CryptoManager Security Engine is an in-device root of trust, offered either as an embedded hardware core or as a software agent that runs as a protected element in a trusted OS or directly in the device's high-level OS, for the secure provisioning of keys and features throughout the device lifecycle. The two form factors give flexible implementation options and let the CryptoManager Infrastructure communicate securely with the device to provision keys and manage feature configurations in the supply chain and downstream ecosystems.
CryptoManager Security Engine block diagram
The Security Engine hardware core is suitable for integration in application processors, modems, and other chipsets and features flexible design options that enable functionality, area, and power to be optimized for the required security level. This ensures maximum trust with minimal design impact. The core stores and protects sensitive key and configuration information in One Time Programmable (OTP) memory in the SoC. For feature management, the core manages rights delegation and feature activation based on permission settings. It verifies the digital signatures and security policies, ensuring that only authorized transactions are accepted. Depending on the SoC designer’s requirements, this capability may be used to configure chip features during different stages of manufacturing and enable secure applications in the field.
The Security Engine software agent is designed to offer similar functionality, but is implemented in software that can run in either a Trusted Execution Environment (TEE) or a high-level OS environment. All implementations of the Security Engine are supported by a trusted provisioning services stack that includes software libraries and drivers for easy integration and enablement of secure applications and services.
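The feature-management path described above, as an added example that is not CryptoManager code: a model of the checks the core applies before a feature-activation transaction is accepted (signature verification, delegated rights, set-only OTP feature bits, anti-replay counter). The feature names, keys and message formats are constructed, and HMAC-SHA256 stands in for the RSA-2048 PSS signature so the example runs with the Python standard library alone.

```python
import hashlib
import hmac
import struct

# Constructed feature map for this example; a real feature map is SoC-specific.
FEATURE_DEBUG, FEATURE_HDCP, FEATURE_LTE_CA = 1 << 0, 1 << 1, 1 << 2

def sign(key: bytes, msg: bytes) -> bytes:
    # Stand-in for the RSA-2048 PSS signature named on the page: HMAC-SHA256,
    # so the example runs with the standard library alone (assumption).
    return hmac.new(key, msg, hashlib.sha256).digest()

def delegation_msg(parent: str, child: str, rights: int, child_key: bytes) -> bytes:
    # Binds the delegated rights mask to the child's verification key.
    return b"DEL" + parent.encode() + b"/" + child.encode() + struct.pack(">I", rights) + child_key

def activation_msg(signer: str, features: int, counter: int) -> bytes:
    # Feature bits and anti-replay counter are both under the signature.
    return b"ACT" + signer.encode() + struct.pack(">II", features, counter)

class SecurityEngine:
    """Models rights delegation, signed activation, set-only OTP bits and a replay counter."""
    def __init__(self, root_key: bytes):
        self.auth = {"root": (0xFFFFFFFF, root_key)}  # signer -> (rights mask, key)
        self.otp_features = 0  # OTP semantics: bits can be set, never cleared
        self.otp_counter = 0   # monotonic counter, also kept in OTP

    def accept_delegation(self, parent, child, rights, child_key, sig) -> bool:
        """A delegator may only hand down rights it holds itself."""
        if parent not in self.auth:
            return False
        parent_rights, parent_key = self.auth[parent]
        expected = sign(parent_key, delegation_msg(parent, child, rights, child_key))
        if not hmac.compare_digest(sig, expected) or rights & ~parent_rights:
            return False
        self.auth[child] = (rights, child_key)
        return True

    def activate(self, signer, features, counter, sig) -> bool:
        """Accept only authentic, in-rights, non-replayed transactions; then burn the bits."""
        if signer not in self.auth:
            return False
        rights, key = self.auth[signer]
        expected = sign(key, activation_msg(signer, features, counter))
        if not hmac.compare_digest(sig, expected) or features & ~rights or counter <= self.otp_counter:
            return False
        self.otp_features |= features  # write-once: existing bits are never cleared
        self.otp_counter = counter
        return True
```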
- Embedded root of trust enables trust to be established early in the manufacturing process, providing ongoing security and trust management throughout the lifecycle of the device.
- Scalable and flexible trust assurance which provides a path from soft trusted endpoint implementations to hardware trusted endpoint implementations while assuring interoperability across all trusted connected smart devices.
- Portfolio of on-device software and drivers for seamless integration with CryptoManager secure provisioning and on-device application security services across a wide range of devices.
- Flexible trust management services in support of both traditional Secure Element trust models and modern Host Card Emulation and Tokenization direct-trust models.
- Supports a range of implementation options to enable trusted provisioning services with maximum device coverage.
- Additional hardware-specific features:
  - Entropic Array (EA): countermeasures to protect against silicon de-processing
  - Canary logic: countermeasure for glitching attacks
  - Secure private memory management of OTP (or other NVM) memory
  - Secure API support for the provisioning of cryptographic data and feature activation controls
  - Asymmetric crypto capabilities: RSA 2048, PKCS #1, PSS, Ferguson-Schneier key exchange
  - Symmetric crypto and hashing capabilities: AES128, AES256, and SHA256
  - Private bus for direct key delivery
- Robust hardware root of trust
- Secure key and feature management
- Secure API support for provisioning
- Strong tamper resistance
- Trust delegation
- OTP memory management
- Security Engine hardware core, including:
  - Netlist or encrypted RTL
  - Full documentation
    - User guide
    - External reference specification
  - Tools and scripts
    - Configurator tool
    - Synthesis constraints and timing check scripts
  - Integration deliverables
    - Testbench development
    - Use case vectors
- Security Engine software agent, including:
  - Pre-compiled, device-specific agent libraries
  - Reference application source code
  - Full documentation
  - Optional porting and integration support
- Trusted provisioning services software libraries and drivers
Block Diagram of the Security Engine IP Core