sematicon se.SAM™ Embedded – Keys for our new product
The „sematicon Security and Authentication Modules“ – in short se.SAM™ – have been especially designed to meet the requirements of industrial, electronic, IoT and IIoT systems, in which stability, robustness and particular easy handling must be the main focus. The se.SAM™ product line complies with these demands and enables smooth integration and upgrading of digital security on various platforms. se.SAM™ Embedded is a combination of carefully selected Embedded Secure Elements in several designs, which have been chosen based on their ability to be used in easy-to-integrate and platform independent libraries.
More se.SAM™ products
The se.SAM™ N-Series for the network
The se.SAM™ U-Series for integration
The se.SAM™ P-Series for integration
The se.SAM™ Embedded-Series core functions
Keys in hardware
All cryptographic keys are generated in the se.SAM™ security hardware and all cryptographic functions are also calculated in hardware. Attackers never get a hold of the valuable key material because the keys are not usable in the appliance’s main memory. The certified hardware Secure Elements prevent side channel attacks.
Authenticity and protection of data and production (Secure Manufacturing)
se.SAM™ protects digital secrets comprehensively and prevents unauthorised copying of or access to data. At the same time, source as well as destination of data can be clearly identified. se.SAM™ guarantees protection and authenticity of any kind of data, such as measured data, sensor data and other intellectual property.
Easy integration – fast project success
se.SAM™ provides a wide range of cryptographic security functions on a very limited space, which can be implemented in projects in the simplest possible way and without any additional software. Thus, se.SAM™ is not only perfectly suitable for data protection, but also serves as a tool to ensure a fast and secure project success. In-depth cryptographic expertise is no longer necessary – se.SAM™ takes care of it.
Flexible and platform-independent use
No matter whether the module shall be operated indoors, in the control cabinet or outdoors: se.SAM™ is flexible. If space is limited or an extended temperature range is necessary – together we find the best solution.
Guarantee security and save costs
se.SAM™ is the perfect tool to ensure security, minimise risks and realise cost savings. The very low effort for support and integration reduces additional operational costs. Our provisioning service not only gives you the possibility to pre-configure manageable quantities, but also to securely store key material. In addition to Secure Elements, your microprocessors can also be equiped with encrypted firmware. Grey market goods can therefore be pointedly prevented.
Keys belong in hardware. Particularly in this field, however, there are a number of questions that need to be clarified in advance – starting from selecting and ordering the semiconductors to their provisioning with secure firmware (Secure Boot) to the connection to your data centre or the cloud. We are happy to deliver one overall solution from a single source.
All our Embedded Secure Elements come with a simple, but comprehensive and optimised C-library that supports all our se.SAM™ CryptoBlocks. This makes them 100% compatible with more se.SAM™ products and crypto-solutions of third parties. We support you in finding the right tools for your project.
The se.SAM™ Embedded Toolkit
Before you reach a final decision in favour of one solution, let us support your process by sending you necessary hardware including an evaluation board for your usecase. It will give you a first impression and you can assure yourself of our solution’s easy applicability.
The toolkit contains:
- Secure Elements
- Evaluation board with a socket
- se.SAM™ Embedded C-Library with extensive documentation
- Comprehensive demo-software (source code and binary)
The evaluation board’s processor is fully equipped with firmware and comes to you ready to use. To facilitate a potential error search, PINs for a logic-analyzer are included as well. Thus, differences and errors in the course of implementation can be identified quickly.
The “evaluation toolkit” also includes chips in the SOIC-package so the can be exchanged in the socket. For manufacturing you can pick and choose from various package sizes. Please see an example in the illustration.
The different modules support various functions.
- Key storage: 10 symmetric keys and 10 asymmetric key pairs with certificate
- Asymmetric algorithms: RSA 512 until 4096, ECC-NIST-P/secp192r1 until 521r1, ECC-Brainpool 160 until 512, ECC Koblitz/secp160k1 until 256k1, ECDSA , ECDH
- Symmetric algorithms: AES CBC, AES, CTR, AES ECB each 128 and 256 bit, SHA1-HMAC, SHA256-HMAC, SHA384-HMAC, SHA512-HMAC, CMAC-128
- HASH Digest: SHA1, SHA-2-224 until 512
- Key derivations: HKDF
- Additional functions: Secure Hardware-Counter, „Multi Source True Random Number Generator“, key-ACLs, Secure Key Exchange, deactivatable firmware-update, cryptographic self-test, Secure Key Import, Key Usage Counter
- Common Criteria EAL6+ available, depending on the requirement
- More interfaces possible upon request
- size depends on used hardware: UDFN, SOIC, QFN or BGA are possible
- temperature range: -40°C until +128°C possible
- data readability up to 15 years possible
Usecase options (extract)
- Secure Boot and Secure Bootloader
- Secure communication
- Licence- and IP-management
- Secure cloud access
- Application in IT and industry
Secure Boot – confidence between hard- and firmware
The Secure Elements must be equipped with key material before they can be used productively. This can happen on site in your factory. Studies from 2016 show that the production is the second most frequent target for an attack. If production is compromised, malicious software can spread freely.
For this reason it is essential to safeguard the integrity of both firmware and key material. se.SAM™ not only looks after the protection of your firmware, the devices and your know-how, but the accompanying “Secure Manufacturing” – features also prevent illegal good production and product counterfeiting. Together with our se.SAM™ solution, you can focus on keeping the costs low.
Properly implemented, the microcontroller only starts if there is also a Secure Element with a suitable firmware on the board. In turn, the Secure Element can only be activated if the correct software has been installed on the controller (extended Secure Boot). You consequently maintain full control over the produced quantities and the device’s software in your production – even in case of job-order manufacturing from your suppliers.
The key material in the Secure Elements allows a reliable controlling of updates and software or hardware supply chains. The activation of further features subject to aditional costs or of more products by means of a guaranteed worldwide unique and forgery-proof serial number are only a mouse-click away.
The diversification of key material is a prerequisite for a secure operation and easy to achieve with se.SAM™. By using modern cryptography you do not even need a database. The device itself proves by whom it has been produced – based solely on its serial number. This is what our se.SAM™ CryptoBlocks are for.
To guarantee a secure production, the source of all keys and the manufacturer master key must be kept secret at all times. As the key is needed to provision every single device, please make sure that the key material is available in hardware only during the transfer from source to destination. It must not get lost on the way.
The se.SAM™ Hardware Security Modules (HSM) take care of the key material transfer in the easiest and most convenient way for you. They can be installed in the control cabinet, just like the se.SAM™ N200, or directly on the production line in the main hall, just like the se.SAM™ N200X. Identities can be managed and injected safely into the relevant devices.
We have already developed the required tools for you. They are as easy to use as a power socket. With the integrated key management functions and the ability to cryptographically limit keys, se.SAM™ facilitates your process to manage reliable quantities effortlessly.
Industrial key storage
• se.SAM™ N200X – The network-HSM for the factory hall
Key management for the server control cabinet
• se.SAM™ N200 – The network-HSM
Pre-provisioning – Order ready-to-use chips
In case in-house provisioning is not an option for you or the environment is not secure, you can also purchase the Secure Elements already pre-provisioned from us. Please let us know your specific requirements, we will take care of the rest.
In order to provision the Secure Elements for you in advance and in a secured space, we cooperate for example with SEMITRON W. Röck GmbH, a company based in Southern Germany. Therefore, we can make sure that client-specific keys and corresponding microprocessors are delivered including configuration, software and key material.
By using our se.SAM™ Technology, you can concentrate on saving costs and maintain control over managing produced quantities as well as the device’s software not only in your production line, but also in case of job-order manufacturing from your suppliers.
In addition to provisioning and customer-specific programming, the following services in cooperation with SEMITRON W. Röck GmbH are also possible:
- Taping components to any batch size (as required)
- Optic/ visual check
- Authenticity check
- Component check
- Temperature treatment
- Temperature check
- Component analyses
- Mechanical processing (change chip imprint with laser technology)
- Scanning and straightening of component pins
- Dry packing (special packaging for humidity-sensitive components)
- Application-specific services
The provisioning of security chips takes place in a purpose-built security area with the following features:
- Separate security-area with strictly regulated and restricted access control
- Burglar-proof area with alarm system
- Fire door and nitrogen fire extinguishing system
- Fire-proof safe for software with a 2-person-access-control
- 5-fold video surveillance for complete control over the security area
- Fully autonomous server management in the security area
- No internet access in the security area
- Air-conditioned with constant humidity control
- Specially trained staff for security jobs