//php echo do_shortcode(‘[responsivevoice_button voice=”US English Male” buttontext=”Listen to Post”]’) ?>
The hardware choices for embedded security are growing dynamically amid the push for more secure Internet of Things (IoT) devices and applications. The secure hardware technologies targeted at the IoT include secure elements, hardware security modules (HSMs), and physically unclonable function (PUF) capabilities.
Shipments for secure hardware serving digital authentication and embedded security will reach 5.3 billion by 2024, doubling the number of shipments in 2019, according to ABI Research. “Hardware-based security offers better protection from manipulation and interference than its software-based counterpart because it’s more difficult to alter or attack the physical device or data entry points,” said Michela Menting, digital security research director at ABI Research.
The key driver for security implementations moving from software to hardware in embedded applications is the increasing emphasis for security on these platforms to keep up with growing functionality and automation. Attack scenarios against embedded systems have increased in sophistication with increasing computing power, according to Nuri Dagdeviren, corporate VP for the security products business unit at Microchip Technology.
“The range of defenses provided by the hardware and software implementations differ significantly against these evolving attack scenarios, and more and more applications justify the hardware implementations,” Dagdeviren said. For example, the importance of building defenses against hacking an isolated thermostat or a car radio may not be a priority concern. In contrast, the importance of securing the integrity of an autonomous industrial robot or the navigation system of an autonomous vehicle connected to the Internet should be apparent at once.
Anatomy of hardware security
Hardware, which is more difficult to tamper with than software, serves as the foundation of the complex systems that address security. It’s the layer on top of which all other layers are built and mounted: firmware, operating systems, connectivity libraries and application software.
“This is the concept of the root of trust,” said Denis Noël, director of product marketing for secure authentication at NXP Semiconductors. “Counterfeit protection is a strong driver to defend the originality of the products, as this can only be accomplished through hardware.”
In this regard, he also mentioned connected devices—complex systems where software operating at different layers of abstraction executes over hardware.
Hardware security includes numerous safety features and components. That includes true random number generation (TRNG), secure boot mechanisms, secure update, secure debug, cryptographic acceleration, and isolation of sensitive and critical functions with security subsystems. Then there are tamper resistance and protection of secrets, tamper detection, on-the-fly memory encryption, process/functions isolation, and run-time integrity protection.
More importantly, the way security is implemented is fundamental, Noël noted. “Effective security solutions are the result of a strict development process with clearly defined design rules, multiple iterations of careful review, and full control over the many sub-components involved in the design.”
That’s why security certification is critical, he added. It provides design engineers with an external proof point for the device’s level of security and makes it easier to compare security solutions.
Security embedded into SoCs
The key element of an information security implementation is strong encryption with a securely protected encryption key. Modern MCUs, secure elements and integrated HSMs all provide strong encryption capabilities.
“Secure elements and HSMs provide the highest levels of protection for the encryption keys,” Dagdeviren said. “PUF is a unique technique that overlays the key protection capability on MCUs via modest incremental implementation complexity.”
At the same time, security IPs and subsystems are being integrated into system-on-chip (SoC) designs. Many NXP processors today come to market with integrated security subsystems, including the company’s i.MX 9 applications processor series.
As Noël noted, however, there are tradeoffs to integrating security directly in the processors. For example, an integrated secure subsystem will necessitate a large die.
“For some device types, these tradeoffs are worthwhile, but for others with a smaller attack surface or reduced security exposure, discrete components may be a better fit to the overall design,” Noël said. “Therefore, in the future, we will see a mix of processors with and without hardware security enhancements.”
Meanwhile, discrete companions like secure elements will continue to play an important role for these embedded systems, providing a turnkey provisioning solution associated with flexibility and reuse of scalable architectures for device identity and cryptographic key management. Dagdeviren said that this trend is well underway.
“Given the enormous range of MCU and SoC configurations, it will take a long time and a lot of effort to integrate security IP to the plurality of these different MCU/SoC platforms one by one,” he said. “We expect this trend to continue for the long term.”
In the meantime, applications that demand high security prior to the availability of their preferred MCU configuration with an integrated HSM can easily integrate a discrete secure element on the board for an equivalent solution.
Software’s complementary role
While assessing the shift from software to hardware in the embedded security space, it’s important to put things in perspective. “Security cannot be something that happens only at the hardware level,” Noël said. “Every piece of the system, from hardware to software, must be designed carefully with security in mind.”
In hardware security, the implementation of security functions in software layers, such as access control and secure software (vulnerability-free software, including application functions), are also crucial. “All contribute to the security of a final product,” Noël said. “So, these different layers must work together to help ensure the security of the entire system.”
For example, hardware can help maintain isolation between different software processes in the system. This means that if a vulnerability in one area of the software is attacked, the isolation implemented at the hardware level can prevent malware from spreading to other, potentially more impactful areas of the software stack.
“The more hardware security you have, the better you can mitigate and manage any potential vulnerabilities in the software,” Noël said.
Dagdeviren also acknowledged software’s complementary role in hardware security. “Security is a system-level concept in which hardware is effective in implementing the essential building blocks of strong encryption and key protection,” he said. “Leveraging these essential elements into a secure application requires a lot of carefully layered software integrated with the application on one side and the hardware on the other.”
As a result, hardware and software coexistence will be a part of secure implementations for the foreseeable future, with ideal implementations incorporating both secure hardware and software elements. In this case, advanced algorithms may skew the hardware/software boundaries in a modest manner, but not to the extent of obviating one against the other.
Hardware is already providing support for essential security functions, such as TRNG and the protection of cryptographic keys and secrets. We also see an increasing demand for hardware security across various forms: secure elements and authenticators as well as security functions like secure boot support built into MCUs and MPUs.
However, when it comes to the transition from software- to hardware-based security, Dagdeviren admits that we are still in the early stages of this transition. “It’s following a non-uniform progression starting with the highest value targets.”
Still, according to industry watchers like ABI Research, hardware-centric security technology development is accelerating rapidly.
Some hardware solutions are adopted from existing security technologies like trusted platform modules and secure elements, while new solutions like secure MCUs are also emerging. Third parties like IoT enablement platforms and cloud service providers also joining the hardware security bandwagon further bolsters the transition from software to hardware.