{"id":7077,"date":"2024-11-26T05:49:01","date_gmt":"2024-11-26T05:49:01","guid":{"rendered":"https:\/\/www.pufsecurity.com\/?post_type=dlp_document&p=7077"},"modified":"2024-11-26T05:49:31","modified_gmt":"2024-11-26T05:49:31","slug":"the-ideal-crypto-coprocessor-with-root-of-trust-to-support-customer-complete-full-chip-evaluation-pufcc-gained-sesip-and-psa-certified-level-3-rot-component-certification","status":"publish","type":"dlp_document","link":"https:\/\/www.pufsecurity.com\/zh-hant\/document\/the-ideal-crypto-coprocessor-with-root-of-trust-to-support-customer-complete-full-chip-evaluation-pufcc-gained-sesip-and-psa-certified-level-3-rot-component-certification\/","title":{"rendered":"The Ideal Crypto Coprocessor with Root of Trust to Support Customer Complete Full Chip Evaluation: PUFcc gained SESIP and PSA Certified\u2122 Level 3 RoT Component Certification"},"content":{"rendered":"\n

How PUFcc and Corstone Form a Comprehensive Security Architecture that Passed SESIP and PSA Certified<\/strong><\/p>\n\n\n\n

Building on the success of achieving PSA Certified\u2122 Level 2 Ready through the integration of PUFcc with Arm\u2019s CPU, Corstone platform, and TF-M, PUFsecurity and Arm move forward to the next level and successfully attain SESIP and PSA Certified\u2122 Level 3 RoT Component certification for PUFsecurity\u2019s Crypto Coprocessor IP, PUFcc. This collaboration delivers a critical advantage for semiconductor companies seeking a trusted Root of Trust subsystem, providing a robust solution to meet the stringent security demands of PSA Certified\u2122 Level 3.<\/p>\n\n\n\n

PUFcc exemplifies a robust PSA-certified solution tailored for customers prioritizing high-level security. It is a crypto coprocessor built on a hardware root of trust, featuring a comprehensive crypto accelerator for secure operations such as secure boot, secure updates, TLS, and key management.<\/p>\n\n\n\n

In the project of PSA Certified\u2122 Level 3 RoT Component in 2024, PUFcc was combined with the Arm\u00ae Corstone\u2122-300 IoT reference design platform and evaluated under the SESIP (Security Evaluation Standard for IoT Platforms) profile. This evaluation (including penetration testing) was then carried out by an independent laboratory using five mandatory and five optional security functional requirements (SFR) as the main criteria. The mandatory requirements are verification of platform identity, secure update of the platform, physical attacker resistance, secure communication support, and secure communication enforcement. The optional requirements include verification of platform instance identity, attestation of platform genuineness, cryptographic operation, cryptographic random number generation, and cryptographic key generation.<\/p>\n\n\n\n

Below table shows the Security Functional Requirements (SFR) that PUFcc had passed in PSA Certified Level 3 RoT Component certification.<\/p>\n\n\n\n

<\/p>\n\n\n

\n
\"\"
Table 1. Certified SESIP SFR and corresponding PSA Certified security function<\/figcaption><\/figure><\/div>\n\n\n

<\/p>\n\n\n\n

The New Version of PUFcc: Comprehensively- strengthened Physical Attacker Resistance<\/strong><\/p>\n\n\n\n

The new version of PUFcc which passed PSA Certified Level 3 RoT Component has significantly enhanced its anti-tamper design, particularly against physical attacks. The following physical attack protections are developed on the hard-macro portion of the platform:<\/p>\n\n\n\n

    \n
  • Intrinsic physical security<\/li>\n\n\n\n
  • Countermeasures for voltage contrast attack<\/li>\n\n\n\n
  • Top metal shielding<\/li>\n\n\n\n
  • Security-oriented IP layout<\/li>\n\n\n\n
  • Active sense-amplifier read protection<\/li>\n\n\n\n
  • Hidden and obfuscated data interface<\/li>\n\n\n\n
  • Unified program power to prevent electrical analysis<\/li>\n\n\n\n
  • Power detection of VDD\/VDDIO floating<\/li>\n<\/ul>\n\n\n\n

    The countermeasures adopted in Verilog RTL design to resist physical attacks are shown as follows:<\/p>\n\n\n\n

      \n
    • Device-specific data address scrambler and I\/O shuffler for the OTP and PUF using its PUF<\/li>\n\n\n\n
    • PUF and OTP output data fault detection<\/li>\n\n\n\n
    • Random dummy insertion read for the PUF and OTP<\/li>\n\n\n\n
    • Entropy source health check<\/li>\n\n\n\n
    • Fault injection prevention on mode, address, and post-masking mechanism for the PUF and OTP<\/li>\n\n\n\n
    • Control protection with redundancy for PUFrt, public key operations (RSA\/ECC), and key wrapping operations (KWP)<\/li>\n\n\n\n
    • Key check by cyclic redundancy check (CRC) for RSA\/ECC, key bus (KB), and KWP.<\/li>\n\n\n\n
    • Elliptic curve point validation for public key operations (ECC)<\/li>\n\n\n\n
    • Exponent blinding and message blinding for modular exponentiation operations (RSA)<\/li>\n\n\n\n
    • Scalar blinding and projective coordinates blinding for elliptic curve operations (ECC)<\/li>\n\n\n\n
    • Boolean masking for block cipher (AES) and SHA-2 operations<\/li>\n\n\n\n
    • Dual-core lock step for block cipher (AES) and SHA-2 operations<\/li>\n\n\n\n
    • Error detection code (EDC) for SRAM interfaces<\/li>\n<\/ul>\n\n\n\n

      PSA Level 3 certification marks a substantial advancement in security compared to Level 2, primarily due to three key differences: rigorous physical penetration testing, extended testing duration (35 days versus 25 days), and higher attack potential (21 versus 16), allowing for more sophisticated and invasive testing scenarios. These certifications, tailored by PSA Certified for products like PUFcc designed as trusted subsystems within larger systems, facilitate comprehensive system certification through certificate layering\u2014a process known as “composition” by GlobalPlatform.<\/p>\n\n\n\n

      <\/p>\n\n\n\n

      How PUFcc Support Clients to Achieve PSA Certified Level 3 <\/strong><\/p>\n\n\n\n

      For products striving to attain PSA Certified certification, integrating PUFcc is highly advantageous. Compared to building everything ground up, PUFcc provides critical functionalities to reduce the design effort and facilitate the system-level certification process, whether for PSA Level 2 or Level 3, especially on aspects such as firmware updates, attestation, physical security, and other items marked as \u201cO\u201d in Table 2\u2019s \u201cSupport Level with PUFcc\u201d column. Leveraging PUFcc\u2019s crypto and hardware root of trust helps offload the design work and accelerate the certification flow. For the F. CRYPTO, PUFcc fully supports the cryptographic aspects at the anti-physical-attack level, which is a significant benefit. The rest items marked in \u2206 are about the system designs that need to be completed by clients.<\/p>\n\n\n\n

      <\/p>\n\n\n

      \n
      \"\"
      Table 2. How PUFcc Help Client Get PSA Certified Certification<\/figcaption><\/figure><\/div>\n\n\n

      <\/p>\n\n\n\n

      Use Cases<\/strong><\/p>\n\n\n\n

      The complete integration and CAVP-certified crypto engines have helped multiple customers\u2019 products with their time-to-market and certification needs. One of the PUFcc\u2019s latest adoptions is in the industrial sector. The design utilizes PUFcc for identity verification and authority management, which is essential as the product will be deployed for enterprise usage. Securely updating software and firmware with version control is another key feature against potential attacks such as version rollback. Behind the operations mentioned above are the key storage and management, which form the foundation of the secure operations. PUFcc\u2019s low power consumption provides an additional edge for battery-powered applications. Other interesting examples include electronic devices, where customers use PUFcc to protect copyrighted assets built into the device.<\/p>\n\n\n\n

      <\/p>\n\n\n\n

      Conclusions<\/strong><\/p>\n\n\n\n

      Security has elevated from an optional feature to necessity as customers demand more protection, especially for the connected devices that are trusted to handle their private data. To assure consumers that their data is protected, the trend nowadays is for the devices be third-party certified, such as PSA Certified, to back up their security claims and to earn the public\u2019s trust. To help solve the dilemma chipmakers face between the time to market, security implementation and certification, PUFsecurity collaborated with Arm on PSA Certified Level 3 RoT Component certification. Thus, it proves the capability of PUFcc to offer one of the highest levels of protection against substantial software and hardware attacks. The comprehensive interfaces and the CAVP-certified crypto engines make PUFcc a drop-in and play IP to help accelerate the design cycle.<\/p>\n\n\n\n

      <\/p>\n\n\n\n

      <\/p>\n","protected":false},"excerpt":{"rendered":"

      How PUFcc and Corstone Form a Comprehensive Security Ar […]<\/p>\n","protected":false},"author":3,"featured_media":7064,"template":"","doc_tags":[290,200,289],"class_list":["post-7077","dlp_document","type-dlp_document","status-publish","has-post-thumbnail","hentry","doc_categories-article","doc_tags-otp","doc_tags-root-of-trust","doc_tags-sram-repair"],"acf":[],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.pufsecurity.com\/zh-hant\/wp-json\/wp\/v2\/dlp_document\/7077"}],"collection":[{"href":"https:\/\/www.pufsecurity.com\/zh-hant\/wp-json\/wp\/v2\/dlp_document"}],"about":[{"href":"https:\/\/www.pufsecurity.com\/zh-hant\/wp-json\/wp\/v2\/types\/dlp_document"}],"author":[{"embeddable":true,"href":"https:\/\/www.pufsecurity.com\/zh-hant\/wp-json\/wp\/v2\/users\/3"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.pufsecurity.com\/zh-hant\/wp-json\/wp\/v2\/media\/7064"}],"wp:attachment":[{"href":"https:\/\/www.pufsecurity.com\/zh-hant\/wp-json\/wp\/v2\/media?parent=7077"}],"wp:term":[{"taxonomy":"doc_tags","embeddable":true,"href":"https:\/\/www.pufsecurity.com\/zh-hant\/wp-json\/wp\/v2\/doc_tags?post=7077"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}