The Secure Subsystem includes protection against both active (invasive) and
passive (noninvasive) attacks on the certificates and the private and symmetric
keys stored within the device. Specific hardware and firmware elements in this
peripheral counter environmental (voltage, temperature and frequency) attacks,
emissions (side-channel) attacks, fault attacks, physical attacks, cloning and
many other attack methodologies. All internal memory holding private/symmetric
keys or other secret data is encrypted.
Advanced Crypto Engine (ACE) for execution of all cryptography commands
Physical Protection Security Measures, including voltage and temperature tamper
detectors and active shield circuitry
Sign/Verify Support:
  ECDSA on the P224, P256, P384 and 256-bit Brainpool elliptic curves
  ECDSA on SECP256K1 (the bitcoin/blockchain curve)
  RSA 2048-bit signature generation and verification
  RSA 3072-bit signature verification only
ECDH/ECDHE/ECBD Key Agreement Support:
  Elliptic-Curve Diffie-Hellman (ECDH, with static or ephemeral keys) on P224,
  P256, P384 and 256-bit Brainpool
  Elliptic-Curve Burmester-Desmedt (ECBD) group key agreement on the P224 curve
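The sign/verify and key-agreement items above list what the engine computes but not the operations behind them. The following is an added reference model, not code from this page or from the device vendor, of ECDSA and ECDH on two of the listed curves (P-256 and secp256k1), parameterised so one group law serves both; the "device"/"host" roles, the manifest bytes and the choice of SHA-256 as the hash are assumptions for illustration. It is deliberately plain, variable-time Python: exactly the kind of software implementation whose timing and power leakage the hardened engine exists to avoid.

```python
"""ECDSA sign/verify and ECDH on P-256 and secp256k1 (added example, not device
or vendor code). Affine, variable-time arithmetic: for understanding the math,
not for deployment, since every branch here leaks key bits through timing."""
import hashlib
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Curve:
    name: str
    p: int   # prime field modulus
    a: int   # curve equation y^2 = x^3 + a*x + b (mod p)
    b: int
    gx: int  # base point G
    gy: int
    n: int   # prime order of G (cofactor 1 on both curves below)


P256 = Curve("P-256",
    p=0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff,
    a=0xffffffff00000001000000000000000000000000fffffffffffffffffffffffc,
    b=0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b,
    gx=0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
    gy=0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5,
    n=0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551)

SECP256K1 = Curve("secp256k1",
    p=0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffefffffc2f,
    a=0, b=7,
    gx=0x79be667ef9dcbbac55a06295ce870b07029bfcdb2dce28d959f2815b16f81798,
    gy=0x483ada7726a3c4655da4fbfc0e1108a8fd17b448a68554199c47d08ffb10d4b8,
    n=0xfffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364141)


def on_curve(c, P):
    # Public-key validation: None is the identity, otherwise check the equation.
    if P is None:
        return True
    x, y = P
    return 0 <= x < c.p and 0 <= y < c.p and (y * y - (x ** 3 + c.a * x + c.b)) % c.p == 0


def point_add(c, P, Q):
    # Affine group law; pow(v, -1, p) is the modular inverse (Python 3.8+).
    if P is None:
        return Q
    if Q is None:
        return P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % c.p == 0:
        return None                                   # P + (-P) = identity
    if P == Q:
        lam = (3 * x1 * x1 + c.a) * pow(2 * y1, -1, c.p) % c.p
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, c.p) % c.p
    x3 = (lam * lam - x1 - x2) % c.p
    return (x3, (lam * (x1 - x3) - y1) % c.p)


def scalar_mult(c, k, P):
    # Double-and-add; branches on key bits, so it is NOT side-channel safe.
    R = None
    while k:
        if k & 1:
            R = point_add(c, R, P)
        P = point_add(c, P, P)
        k >>= 1
    return R


def keygen(c):
    # Private scalar d in [1, n-1]; the device would draw it from its SP 800-90 RNG.
    d = secrets.randbelow(c.n - 1) + 1
    return d, scalar_mult(c, d, (c.gx, c.gy))


def hash_to_int(c, msg):
    # SHA-256 of the message, left-truncated to the bit length of n (FIPS 186 rule).
    e = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    return e >> max(0, 256 - c.n.bit_length())


def sign(c, d, msg):
    # ECDSA with a fresh random nonce k per signature: a reused or biased k leaks d.
    z = hash_to_int(c, msg)
    while True:
        k = secrets.randbelow(c.n - 1) + 1
        r = scalar_mult(c, k, (c.gx, c.gy))[0] % c.n
        s = pow(k, -1, c.n) * (z + r * d) % c.n
        if r and s:
            return r, s


def verify(c, Q, msg, sig):
    # Host-side check of a device signature; rejects out-of-range values and bad Q.
    r, s = sig
    if not (0 < r < c.n and 0 < s < c.n) or Q is None or not on_curve(c, Q):
        return False
    w = pow(s, -1, c.n)
    z = hash_to_int(c, msg)
    R = point_add(c, scalar_mult(c, z * w % c.n, (c.gx, c.gy)),
                  scalar_mult(c, r * w % c.n, Q))
    return R is not None and R[0] % c.n == r


def ecdh(c, d_own, Q_peer):
    # Shared secret = SHA-256 of the x-coordinate of d_own * Q_peer. Validating
    # Q_peer first is what blocks invalid-curve attacks on the static key.
    if Q_peer is None or not on_curve(c, Q_peer):
        raise ValueError("peer public key failed validation")
    S = scalar_mult(c, d_own, Q_peer)
    return hashlib.sha256(S[0].to_bytes((c.p.bit_length() + 7) // 8, "big")).digest()


if __name__ == "__main__":
    manifest = b"firmware-manifest: v1.2"          # constructed sample input
    d_dev, Q_dev = keygen(P256)                     # key stays on the "device"
    sig = sign(P256, d_dev, manifest)
    print("signature verifies:", verify(P256, Q_dev, manifest, sig))
    print("tampered manifest rejected:", not verify(P256, Q_dev, manifest + b"!", sig))
    d_a, Q_a = keygen(SECP256K1)                    # ECDHE: fresh keys per session
    d_b, Q_b = keygen(SECP256K1)
    print("ECDH secrets match:", ecdh(SECP256K1, d_a, Q_b) == ecdh(SECP256K1, d_b, Q_a))
```

Two points this makes concrete about the feature list: the host only ever needs verify and the device's public point, so the private scalar never has to leave the hardened engine, and both verify and ecdh validate the peer point before using it, which is the check that makes accepting externally supplied public keys safe.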
Internal Symmetric and Asymmetric Key Generation and Derivation
RSA 1024-bit and 2048-bit encryption/decryption support (1024-bit RSA is below
the 112-bit security floor and is disallowed by NIST SP 800-131A; treat it as
legacy interoperability only)
NIST SP 800-90A/B/C compliant Random Number Generator (RNG)
16 MHz SPI interface carrying security commands between the core and the Secure
Subsystem
The Secure Subsystem Advanced Crypto Engine algorithms have achieved a JIL HIGH
attack-potential rating and hold NIST Cryptographic Algorithm Validation Program
(CAVP) certificates. CAVP confirms only that each algorithm produces correct
results; key protection and tamper resistance are the scope of module validation.
Secure Subsystem FIPS 140-2 Level 2 (with Physical Security Level 3) validation
under the Cryptographic Module Validation Program (CMVP) [in progress]; until a
CMVP certificate is issued the module is not FIPS 140-2 validated.