In our increasingly connected world, mobile devices are tasked with generating and storing a significant amount of sensitive data for a wide variety of applications. Consequently, chip and device companies are required to meet complex security requirements for each potential use case or capability.
Most security measures require the injection of secret identity data and cryptographic keys. Currently, cryptographic keys are provisioned in the open – without encryption on test equipment that is operated by third party contract manufacturers. Such provisioning methods expose chip manufacturers to liability and risks for any security breach that occurs within their respective supply chains.
<a href=”https://www.rambus.com/security/cryptomanager-platform/cryptomanager-security-engine/”>Rambus’ CryptoManager Security Engine</a> core IP offers SoC architects access to an integrated design for the secure provisioning of cryptographic keys during chip manufacturing. For OEM device manufacturing, this feature also enables remote secure key provisioning at the ODM.
<img class=”aligncenter size-full wp-image-34016″ src=”https://3s81si1s5ygj3mzby34dq6qf-wpengine.netdna-ssl.com/wp-content/uploads/2017/02/Picture1-3.png” alt=”” width=”871″ height=”452″ />
<strong>Figure 1: Secure Provisioning of Keys during Manufacturing</strong>
As illustrated in Figure 1, the <a href=”https://www.rambus.com/security/cryptomanager-platform/”>CryptoManager</a> solution facilitates the provisioning of keys and other sensitive data at any point in the manufacturing flow and throughout the (manufacturer’s) supply chain. Moreover, the provisioning of keys may even be pushed to the ODM for downstream provisioning at boardlevel test or as a postproduction provisioning step prior to shipping.
Since the communication channel is secured to a silicon root-of-trust provided by the Security Engine (see Figure 2 below), robust provisioning is made possible at the earliest stages of manufacturing. In addition, the CryptoManager platform offers flexibility for highly specialized key management requirements such as the provisioning of key splits at various stages of manufacturing. For unique keys, there are also features to protect against key duplication in multiple devices. The uniqueness of these keys is checked at multiple locations during a provisioning event. This includes duplicate verification at the CryptoManager Service (see Figure 2) located in the data center of the chip or device manufacturer and at the CryptoManager Appliance located in the contract manufacturing location.
It should also be noted that the CryptoManager solution helps solve challenging business use cases for manufacturing with the use of modules which specify device service transactions such as key provisioning. A module may provision one or multiple key types depending on customer requirements. Each module is authorized for the provisioning of key(s) at specified manufacturing locations.
<img class=”aligncenter size-full wp-image-34017″ src=”https://3s81si1s5ygj3mzby34dq6qf-wpengine.netdna-ssl.com/wp-content/uploads/2017/02/Picture2-2.png” alt=”” width=”975″ height=”286″ />
<strong>Figure 2: Secure key provisioning communications channel</strong>
As illustrated in Figure 2, the CryptoManager Infrastructure may handle third party keys or keys
generated at the factory. All keys slated for provisioning are loaded into the Service in the host data center. The Infrastructure automatically distributes keys to factory locations based on the module settings and inventory thresholds set by the system operator (see Figure 3 below). Key management requirements are specified by the module, allowing for additional modules as new key provisioning requirements arise. The CryptoManager security platform – which securely provisions keys – also acknowledges and logs each completed transaction for auditing and forensic purposes.
<img class=”aligncenter size-full wp-image-34018″ src=”https://3s81si1s5ygj3mzby34dq6qf-wpengine.netdna-ssl.com/wp-content/uploads/2017/02/Picture3.png” alt=”” width=”975″ height=”437″ />
<strong>Figure 3. Key Inventory Thresholds set by the System Operator</strong>
The CryptoManager solution has been designed specifically for mission-critical manufacturing applications, as the platform offers manufacturers assurances that production will not be disrupted in the event of a component failure. The CryptoManager platform is also scalable and expandable to handle additional loading due to new key provisioning requirements or increased demand.
Perhaps most importantly, the CryptoManager solution helps mitigate the risks and liabilities commonly associated with data breaches. Additionally, new key provisioning requirements may be easily handled in manufacturing without disruption, providing a rapid time to market. Lastly, operations can be streamlined by provisioning keys at the appropriate stage of manufacturing, reducing the overall costs for key provisioning services.
Interested in learning more about the CryptoManager platform? You can check out our CryptoManager product page on Rambus.com <a href=”https://www.rambus.com/security/cryptomanager-platform/”>here</a>.