2 The Trust Manager Experience

The ECC608-TMNGTLS secure authentication IC is focused on making hardware security for IoT products a self-service experience while maintaining a high level of security throughout the entire lifecycle of a project.

What keySTREAM SaaS Provides

The keySTREAM SaaS service provides the HSM infrastructure needed to set up a root CA and its associated PKI, and to provision it in the field, together with TLS cryptographic keys, data and certificates, into the secure boundary of the ECC608-TMNGTLS. These cryptographic credentials are then actively managed for the whole product life cycle. The solution allows for:
  • The management of certificates to ensure secure authentication to cloud platforms. Certificates can be updated or rotated so that a certificate expiration date does not disconnect an IoT product, which lowers device management cost and complexity.
  • Infrastructure-agnostic operation (IaaS): the service works with AWS® and Microsoft Azure® out of the box.
  • Cost-effective hosting of the cryptographic keys in keySTREAM HSMs, along with the associated availability and maintenance.

The keySTREAM SaaS offering provides a space-efficient embedded library, the keySTREAM Trusted Agent (KTA), that fits in everything from a memory-constrained MCU up to MPU products. This allows security to be implemented across a wide range of device complexity without paying a significant memory penalty. The tools are tied into a telecom-grade, cloud-hosted platform designed to scale to the wide range of needs of IoT products.

Trust Manager Flow

Getting started with the ECC608-TMNGTLS is designed to be a relatively simple process.
  1. Sign up for a Kudelski IoT account to gain access to keySTREAM Security Management Services. Provide the unique information associated with your company and your project to ensure that your product has a unique identity that cannot be cloned. When following the autoclaim process in keySTREAM SaaS, make sure to record the email address of the purchaser used in the Microchip ordering system.
  2. Order ECC608-TMNGTLS devices. Microchip offers 10-unit sample packs to keep the cost of entry for evaluating devices low. These devices are available off-the-shelf and do not require any manual provisioning prior to purchase. The keySTREAM SaaS can validate a specific device to confirm that it was provisioned by Microchip for keySTREAM SaaS remote management.
  3. Use the keySTREAM SaaS to create a custom root CA and associated PKI.
  4. Use the keySTREAM SaaS services to claim the devices purchased through MicrochipDirect. In-field provisioning comes later, when the embedded system connects to the Kudelski keySTREAM SaaS. The keySTREAM SaaS services allow for the creation of a custom PKI in a hosted and managed HSM, entry of unique customer information, creation of certificates, and creation of I/O protection keys for secure communication.
  5. Deploy the product in the field.
  6. Use the in-field management capability to rotate keys and/or update or rotate certificates.
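The lifecycle described above (a hosted root CA issuing device certificates, the device proving it chains to that root, and rotation before expiry so a device is never disconnected) can be modelled in software. This is an added example using the Python cryptography package, not keySTREAM or Microchip code; the CA, the 30-day rotation lead time, the device ID and the reference date are constructed assumptions, and the device key is generated in software here where the ECC608-TMNGTLS would hold it in its secure boundary.

```python
from datetime import datetime, timedelta
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

ROTATION_LEAD = timedelta(days=30)  # assumed policy: renew 30 days before expiry


def make_root_ca(now, name="Example Root CA"):
    """Self-signed P-256 root; stands in for the CA hosted in the keySTREAM HSM."""
    key = ec.generate_private_key(ec.SECP256R1())
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, name)])
    cert = (x509.CertificateBuilder().subject_name(subject).issuer_name(subject)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + timedelta(days=3650))
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .sign(key, hashes.SHA256()))
    return key, cert


def issue_device_cert(ca_key, ca_cert, device_pubkey, device_id, now, days=365):
    """End-entity cert for a device public key; the private key never leaves the device."""
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, device_id)])
    return (x509.CertificateBuilder().subject_name(subject).issuer_name(ca_cert.subject)
            .public_key(device_pubkey).serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + timedelta(days=days))
            .sign(ca_key, hashes.SHA256()))


def chains_to_root(cert, ca_cert):
    """Issuer name must match the CA and the ECDSA signature must verify under the CA key."""
    try:
        ca_cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                    ec.ECDSA(cert.signature_hash_algorithm))
    except InvalidSignature:
        return False
    return cert.issuer == ca_cert.subject


def rotation_due(cert, now, lead=ROTATION_LEAD):
    """Renew while the old certificate is still valid, so expiry never disconnects the device."""
    return cert.not_valid_after - now <= lead


def lifecycle_check(days_elapsed, trusted_issuer=True):
    """Issue a device cert (from the real CA or a rogue one) and evaluate it days_elapsed later."""
    now = datetime(2025, 1, 1)  # constructed reference time
    ca_key, ca_cert = make_root_ca(now)
    signer = (ca_key, ca_cert) if trusted_issuer else make_root_ca(now, "Rogue CA")
    device_key = ec.generate_private_key(ec.SECP256R1())  # would live inside the ECC608
    cert = issue_device_cert(signer[0], signer[1], device_key.public_key(), "device-0001", now)
    return chains_to_root(cert, ca_cert), rotation_due(cert, now + timedelta(days=days_elapsed))
```

`lifecycle_check(340)` returns `(True, True)`: the certificate still verifies, but with 25 days left it falls inside the rotation window, which is the state in which a renewed certificate should already be pushed to the device.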