中国电子技术网


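[Original] NXP EdgeLock SE050 Internet of Things (IoT) Security Solution

Keywords: Internet of Things (IoT), smart industry, smart home, smart cities, EdgeLock SE050

Time: 2019-06-24 10:59:40       Source: 中电网

NXP's EdgeLock SE050 is a ready-to-use Internet of Things (IoT) secure element solution. It is based on NXP's Integral Security Architecture 3.0™ and provides secure and efficient protection against various security threats; the efficiency of the security measures is proven by a Common Criteria EAL6+ certification. The SE050 operates fully autonomously based on an integrated Javacard operating system and applet. Direct memory access is possible only through the fixed functionalities of the applet, so the memory content is fully isolated from the host system. The device has multiple logical and physical protection layers, including metal shielding, end-to-end encryption, memory encryption and tamper detection. It supports the RSA and ECC asymmetric cryptographic algorithms, with future-proof curves and high key lengths such as Brainpool, Edwards and Montgomery curves; the AES and DES symmetric cryptographic algorithms for encryption and decryption; HMAC, CMAC and SHA-1, SHA-224/256/384/512 operations; and various options for key derivation functions, including HKDF, MIFARE KDF and PRF (TLSPSK). It uses an advanced 40 nm silicon process, has an operating temperature range of -40℃ to +105℃, and is mainly used in smart industry, smart home, smart cities and smart supply chains. This article introduces the SE050's key benefits, solution block diagram and functional block diagram, as well as the main features and circuit diagram of the OM-SE050ARD evaluation board.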

The SE050 is a ready-to-use IoT secure element solution. It provides a root of trust at the IC level and it gives an IoT system state-of-the-art, edge-to-cloud security capability right out of the box.

SE050 allows for securely storing and provisioning credentials and performing cryptographic operations for security critical communication and control functions. SE050 is versatile in IoT security use cases such as secure connection to public/private clouds, device-to-device authentication or protection of sensor data.

SE050 has an independent Common Criteria EAL 6+ security certification up to OS level and supports both RSA & ECC asymmetric cryptographic algorithms with high key length and future proof ECC curves. The latest security measures protect the IC even against sophisticated non-invasive and invasive attack scenarios.

The SE050 is a turnkey solution that comes with a Java Card operating system and an applet optimized for IoT security use cases pre-installed. This is complemented by a comprehensive product support package, enabling fast time to market and easy design-in with Plug & Trust middleware for host applications, easy-to-use development kits, reference designs, and extensive documentation for product evaluation.

The SE050 is a product platform that comes in several pin-to-pin compatible product variants.

SE050 key benefits:

•Plug & Trust for fast and easy design with complete product support package
•Easy integration with different MCU & MPU platforms and OSs (Linux, RTOS, Windows, Android, etc.)
•Turnkey solution ideal for system-level security without the need to write security code
•Secure credential injection for root of trust at IC level
•Secure, zero-touch connectivity to public & private clouds
•Real end-to-end security, from sensor to cloud
•Ready-to-use example code for each of the key use cases

SE050 key features:

The SE050 is based on NXP’s Integral Security Architecture 3.0™ providing a secure and efficient protection against various security threats. The efficiency of the security measures is proven by a Common Criteria EAL6+ certification.
The SE050 operates fully autonomously based on an integrated Javacard operating system and applet. Direct memory access is possible by the fixed functionalities of the applet only. With that, the content from the memory is fully isolated from the host system.
•Built on NXP Integral Security Architecture 3.0 ™
•Uses advanced 40 nm silicon foundry technology
•CC EAL 6+ certified HW and OS as environment to run NXP IoT applications, supporting fully encrypted communications and secured lifecycle management
•Effective protection against advanced attacks, including Power Analysis and Fault Attacks of various kinds
•Multiple logical and physical protection layers, including metal shielding, end-to-end encryption, memory encryption, tamper detection
•Support for RSA and ECC asymmetric cryptography algorithms, future proof curves and high key length, e.g. Brainpool, Edwards and Montgomery curves
•Support for AES and DES symmetric cryptographic algorithms for encryption and decryption
•HMAC, CMAC, SHA-1, SHA-224/256/384/512 operations
•Various options for key derivation functions, including HKDF, MIFARE KDF, PRF (TLSPSK)
•Optional extended temperature range for industrial applications (-40℃ to +105℃)
•Small footprint HX2QFN20 package (3x3 mm)
•Standard physical interface I2C slave (High-speed mode, 3.4 Mbps), I2C master (Fast mode, 400 kbps). Both can be active at the same time
•Dedicated CL wireless interface for IoT use cases simplifying configuration set-up, maintenance in the field and late stage configuration
•Secured user flash memory up to 50 kB for secure data or key storage
•Support for SCP03 protocol (bus encryption and encrypted credential injection) to securely bind the host with the secure element
•Support for applet level secure messaging channels to allow end-to-end encrypted communication in multi-tenant ecosystems

SE050 use cases:

•Secure connection to public/private clouds, edge computing platforms, infrastructure
•Device-to-device authentication
•Secure data protection
•Secure commissioning support
•Secure CL/MIFARE/Wi-Fi interactions
•Device ID for blockchain
•Secure key storage
•Secure provisioning of credentials
•Ecosystem protection

SE050 target applications:

•Smart Industry
•Smart Home
•Smart Cities
•Smart Supply Chains

Figure 1. SE050 solution block diagram

Figure 2. SE050 functional block diagram

Evaluation board OM-SE050ARD

The OM-SE050ARD is the development kit for the SE050 Plug & Trust product family.

This kit allows you to evaluate the SE050 product family features and simplifies the development of your custom applications. Figure 3 shows a picture of the OM-SE050ARD.

Figure 3. Evaluation board OM-SE050ARD

The SE050 uses I2C as communication interface and its commands are wrapped using the Smartcard T=1 over I²C (T=1oI2C) protocol. In addition, the SE050 supports the following interfaces:

•I2C interface in slave mode with data rates up to 3.4 Mbps.
•I2C interface in master mode with data rates up to 400 kHz.
•ISO/IEC 14443 T=CL protocol.

The OM-SE050ARD flexible design makes it possible to access the SE050 interfaces by just changing a few jumper settings.

The OM-SE050ARD is designed with several headers and connectors that allow you to interface with SE050. The OM-SE050ARD is equipped with:

• Arduino-R3 header: It allows you to easily attach it to any NXP MCU/MPU development board with Arduino compatible headers such as many Kinetis, LPC and i.MX MCU boards. The Arduino-R3 female connectors come soldered in the OM-SE050ARD.

• External I2C connector: It allows you to connect any non-Arduino compatible MCU boards via I2C slave interface. The OM-SE050ARD includes the mounting holes for the External I2C connector.

• 10-pin header: It allows you to access several pins of the SE050, including the I2C master interface to attach sensors or peripherals to the board. The 10-pin header male connectors come soldered in the OM-SE050ARD.

• DB15 header: It allows you to access several pins of the SE050, including the ISO/IEC 14443 or the I2C master interface to attach sensors or peripherals to the board. The OM-SE050ARD includes the mounting holes for the DB15 connector.

Figure 4. Overview of the OM-SE050ARD evaluation board headers and connectors

Figure 5. OM-SE050ARD evaluation board circuit diagram
For details, see:
https://www.nxp.com/docs/en/data-sheet/SE050-DATASHEET.pdf
https://www.nxp.com/docs/en/application-note/AN12395-OM-SE050ARD_hardware_overview.pdf
and https://www.nxp.com/docs/en/application-note/AN12396-Quick_start_guide_kinetis_k64.pdf
