sematicon se.SAM™ Embedded – Keys for our new product

The „sematicon Security and Authentication Modules“ – in short se.SAM™ – have been especially designed to meet the requirements of industrial, electronic, IoT and IIoT systems, in which stability, robustness and particular easy handling must be the main focus. The se.SAM™ product line complies with these demands and enables smooth integration and upgrading of digital security on various platforms. se.SAM™ Embedded is a combination of carefully selected Embedded Secure Elements in several designs, which have been chosen based on their ability to be used in easy-to-integrate and platform independent libraries.

For the installation as a USB-device, our se.SAM™ U-Series  as well as our se.SAM™ P-Series are also available.

More se.SAM™ products

The se.SAM™ N-Series for the network

se.SAM™ N200 – The network-HSM
se.SAM™ N200X – The network-HSM for the factory hall

The se.SAM™ U-Series for integration

se.SAM™ U110 – The module for the USB-interface
se.SAM™ U200 – The CC-certified USB-module

The se.SAM™ P-Series for integration

se.SAM™ P210 – The module for the MiniPCIe-interface
se.SAM™ P220 – The module for temporary keys

The se.SAM™ Embedded-Series core functions

Keys in hardware

All cryptographic keys are generated in the se.SAM™ security hardware and all cryptographic functions are also calculated in hardware. Attackers never get a hold of the valuable key material because the keys are not usable in the appliance’s main memory. The certified hardware Secure Elements prevent side channel attacks.

Authenticity and protection of data and production (Secure Manufacturing)

se.SAM™ protects digital secrets comprehensively and prevents unauthorised copying of or access to data. At the same time, source as well as destination of data can be clearly identified. se.SAM™ guarantees protection and authenticity of any kind of data, such as measured data, sensor data and other intellectual property.

Easy integration – fast project success

se.SAM™ provides a wide range of cryptographic security functions on a very limited space, which can be implemented in projects in the simplest possible way and without any additional software. Thus, se.SAM™ is not only perfectly suitable for data protection, but also serves as a tool to ensure a fast and secure project success. In-depth cryptographic expertise is no longer necessary – se.SAM™ takes care of it.

Flexible and platform-independent use

No matter whether the module shall be operated indoors, in the control cabinet or outdoors: se.SAM™ is flexible. If space is limited or an extended temperature range is necessary – together we find the best solution.

Guarantee security and save costs

se.SAM™ is the perfect tool to ensure security, minimise risks and realise cost savings. The very low effort for support and integration reduces additional operational costs. Our provisioning service not only gives you the possibility to pre-configure manageable quantities, but also to securely store key material. In addition to Secure Elements, your microprocessors can also be equiped with encrypted firmware. Grey market goods can therefore be pointedly prevented.

se.SAM™ Embedded

Keys belong in hardware. Particularly in this field, however, there are a number of questions that need to be clarified in advance – starting from selecting and ordering the semiconductors to their provisioning with secure firmware (Secure Boot) to the connection to your data centre or the cloud. We are happy to deliver one overall solution from a single source.

All our Embedded Secure Elements come with a simple, but comprehensive and optimised C-library that supports all our se.SAM™ CryptoBlocks. This makes them 100% compatible with more se.SAM™ products and crypto-solutions of third parties. We support you in finding the right tools for your project.

The se.SAM™ Embedded Toolkit

Before you reach a final decision in favour of one solution, let us support your process by sending you necessary hardware including an evaluation board for your usecase. It will give you a first impression and you can assure yourself of our solution’s easy applicability.

The toolkit contains:

  • Secure Elements
  • Evaluation board with a socket
  • USB-cable
  • se.SAM™ Embedded C-Library with extensive documentation
  • Comprehensive demo-software (source code and binary)

The evaluation board’s processor is fully equipped with firmware and comes to you ready to use. To facilitate a potential error search, PINs for a logic-analyzer are included as well. Thus, differences and errors in the course of implementation can be identified quickly.

The “evaluation toolkit” also includes chips in the SOIC-package so the can be exchanged in the socket. For manufacturing you can pick and choose from various package sizes. Please see an example in the illustration.

Specifications

Possible cryptography

The different modules support various functions.

  • Key storage: 10 symmetric keys and 10 asymmetric key pairs with certificate
  • Asymmetric algorithms: RSA 512 until 4096, ECC-NIST-P/secp192r1 until 521r1, ECC-Brainpool 160 until 512, ECC Koblitz/secp160k1 until 256k1, ECDSA , ECDH
  • Symmetric algorithms: AES CBC, AES, CTR, AES ECB each 128 and 256 bit, SHA1-HMAC, SHA256-HMAC, SHA384-HMAC, SHA512-HMAC, CMAC-128
  • HASH Digest: SHA1, SHA-2-224 until 512
  • Key derivations: HKDF
  • Additional functions: Secure Hardware-Counter, „Multi Source True Random Number Generator“, key-ACLs, Secure Key Exchange, deactivatable firmware-update, cryptographic self-test, Secure Key Import, Key Usage Counter

Certifications

  • Common Criteria EAL6+ available, depending on the requirement

Possible connections

  • I²C
  • SPI
  • ISO7816-3
  • UART
  • More interfaces possible upon request

Module features

  • size depends on used hardware: UDFN, SOIC, QFN or BGA are possible
  • temperature range: -40°C until +128°C possible
  • data readability up to 15 years possible

Usecase options (extract)

  • Secure Boot and Secure Bootloader
  • Firmware-protection
  • Secure communication
  • Firmware-verification
  • Licence- and IP-management
  • Secure cloud access
  • Application in IT and industry

se.SAM™ provisioning – “Secure Manufacuring”

Secure Boot – confidence between hard- and firmware

The Secure Elements must be equipped with key material before they can be used productively. This can happen on site in your factory. Studies from 2016 show that the production is the second most frequent target for an attack. If production is compromised, malicious software can spread freely.

For this reason it is essential to safeguard the integrity of both firmware and key material. se.SAM™ not only looks after the protection of your firmware, the devices and your know-how, but the accompanying “Secure Manufacturing” – features also prevent illegal good production and product counterfeiting. Together with our se.SAM™ solution, you can focus on keeping the costs low.

Properly implemented, the microcontroller only starts if there is also a Secure Element with a suitable firmware on the board. In turn, the Secure Element can only be activated if the correct software has been installed on the controller (extended Secure Boot). You consequently maintain full control over the produced quantities and the device’s software in your production – even in case of job-order manufacturing from your suppliers.

The key material in the Secure Elements allows a reliable controlling of updates and software or hardware supply chains. The activation of further features subject to aditional costs or of more products by means of a guaranteed worldwide unique and forgery-proof serial number are only a mouse-click away.

The diversification of key material is a prerequisite for a secure operation and easy to achieve with se.SAM™. By using modern cryptography you do not even need a database. The device itself proves by whom it has been produced – based solely on its serial number. This is what our se.SAM™ CryptoBlocks are for.

To guarantee a secure production, the source of all keys and the manufacturer master key must be kept secret at all times. As the key is needed to provision every single device, please make sure that the key material is available in hardware only during the transfer from source to destination. It must not get lost on the way.

The se.SAM™ Hardware Security Modules (HSM) take care of the key material transfer in the easiest and most convenient way for you. They can be installed in the control cabinet, just like the se.SAM™ N200, or directly on the production line in the main hall, just like the se.SAM™ N200X. Identities can be managed and injected safely into the relevant devices.

We have already developed the required tools for you. They are as easy to use as a power socket. With the integrated key management functions and the ability to cryptographically limit keys, se.SAM™ facilitates your process to manage reliable quantities effortlessly.

Industrial key storage

se.SAM™ N200X – The network-HSM for the factory hall

se.SAM N200X Industrial Appliance

Key management for the server control cabinet

se.SAM™ N200 – The network-HSM

se.SAM N200 Crypto Appliance

Pre-provisioning – Order ready-to-use chips

In case in-house provisioning is not an option for you or the environment is not secure, you can also purchase the Secure Elements already pre-provisioned from us. Please let us know your specific requirements, we will take care of the rest.

In order to provision the Secure Elements for you in advance and in a secured space, we cooperate for example with SEMITRON W. Röck GmbH, a company based in Southern Germany. Therefore, we can make sure that client-specific keys and corresponding microprocessors are delivered including configuration, software and key material.

By using our se.SAM™ Technology, you can concentrate on saving costs and maintain control over managing produced quantities as well as the device’s software not only in your production line, but also in case of job-order manufacturing from your suppliers.

In addition to provisioning and customer-specific programming, the following services in cooperation with SEMITRON W. Röck GmbH are also possible:

  • Taping components to any batch size (as required)
  • Optic/ visual check
  • Authenticity check
  • Component check
  • Selections
  • Temperature treatment
  • Temperature check
  • Component analyses
  • Mechanical processing (change chip imprint with laser technology)
  • Scanning and straightening of component pins
  • Dry packing (special packaging for humidity-sensitive components)
  • Application-specific services

Security area

The provisioning of security chips takes place in a purpose-built security area with the following features:

  • Separate security-area with strictly regulated and restricted access control
  • Burglar-proof area with alarm system
  • Fire door and nitrogen fire extinguishing system
  • Fire-proof safe for software with a 2-person-access-control
  • 5-fold video surveillance for complete control over the security area
  • Fully autonomous server management in the security area
  • No internet access in the security area
  • Air-conditioned with constant humidity control
  • Specially trained staff for security jobs

All services of sematicon AG and  Semitron W.Röck GmbH take place entirely in Germany

sematicon AG - Made in Germany - Logo
Secure Coding Basics Video Michael Walser sematicon AG 2021Secure Coding Basics Video Michael Walser sematicon AG 2021

Mastering Windows Code Signing – Standard vs. EV Certificates

Windows device drivers must be protected using strongest EV certificates. Otherwise, these drivers are not accepted by the operating system. Furthermore, Windows SmartScreen-filter in Windows 10 warns for software packages and executables not signed by an EV code signing certificate. But what exactly are EV code signing certificates and what is the difference to standard code signing certificates?
HSM-Safe (Credentials, Personal Data, Business Secrets, Finance Data)

Keys in hardware: encryption using an HSM

Häufig müssen vertrauliche Informationen, z.B. personenbezogene Daten, Zugangsdaten, Finanzdaten oder Firmengeheimnissen, in Server- oder Cloud-Anwendungen verschlüsselt abgespeichert werden