G-Shield Programmer (GPW-01)

GlobalSign announced a technology partnership with the startup Big Good Intelligent Systems , which launched a product called G-Shield . This is a registration server plus chip programmer for physically writing digital certificates on chips: Big Good calls such chips “cryptochips” ( HVCA Module / ECDH Crypto Chip ).

The idea is that the manufacturer physically protects the device from the moment it appeared, that is, right at the production stage.

GPW-01 chip programmer

The G-Shield platform includes a registration server (Enroll Server) and GPW-01 chip programmer. It works automatically, fulfilling tasks incoming server.
')

Specifications

• Parallel operation of multiple interconnect programmers.
  
• Size: 310 × 115 × 35 mm
  
• LCD screen: 3.5 inches, resolution 320 × 480 pixels
  
• Processor and memory: ARM V8 quad-core Cortex A53 1.2 GHz, 1 GB SDRAM
  
• Power supply: AC 100 V - 240 V 50/60 Hz
  
• OS: Linux 3.x
  
• Ports: four I2C ports
  
• Chip connectors: four

For service of certificates the GlobalSign IoT Identity Platform platform with program interfaces RESTful API is used. It is a flexible and scalable public key infrastructure (PKI) platform capable of handling requests from billions of IoT devices.



The physical integration of certificates is particularly relevant for IoT devices. Big Good is going to introduce these cryptographs into its own devices for the smart home, but also offers cryptochips to other manufacturers.

The first to implement the system in its production cycle Realtek Semiconductor - a well-known manufacturer of chips for telecommunications equipment, computer peripherals and multimedia applications. Realtek chips are used in many computers, laptops and tablets: these are network controllers, PHY chips, network access controllers, multimedia gateway controllers, wireless LANs, as well as High Definition Audio codecs, card readers controllers, LCD controllers.

Realtek Semiconductor, along with Big Good and GlobalSign, are now exploring how best to integrate technology into a pipeline.

IoT Device Security

Physical implementation of digital certificates at the production stage is a logical solution for protecting IoT devices in conditions where an attacker is able not only to intercept and replace traffic, but also to gain physical access to these devices.

Poor IoT protection is one of the biggest problems in the industry. Just watch the news:

• "Thrown in the trash smart lights - a valuable source of personal information"
  
• "The casino was hacked through a thermostat in an aquarium"
  
• “Vulnerabilities allow hacking the Diqee 360 ​​robot vacuum cleaner and spying on its owners”
  
• “Efficient reverse engineering techniques for IoT devices” (scientific article, protection analysis of 16 popular IoT devices)

All this could have been avoided due to the proper implementation of encryption, including programming a cryptochip with a digital certificate at the production stage.


Big Good cryptographic module HVCA with built-in digital certificate

Characteristics of the IoT crypto module

• PKI Algorithms: ECDSA (FIPS186-3), ECDH (FIPS SP800-56A)
  
• NIST P-256 Elliptic Curve Standard
  
• SHA-256 Hash Algorithm with HMAC Option
  
• Key length 256 bits
  
• Store up to 16 keys
  
• Unique 72-bit serial number
  
• Built-in random number generator
  
• 10 KB EEPROM for storing keys, certificates and data
  
• Journaling options, protection from external interference
  
• One pin GPIO
  
• Standard I2C 1 MHz interface
  
• Power supply from 2.0V to 5.5V Supply Voltage Range
  
• Power consumption in sleep mode is less than 150 nA

Obviously, not only smart home appliances, but also medical implants, industrial devices and other IoT devices need protection.

The GlobalSign digital certificates management platform with Big Good hardware cryptochip support supports the full life cycle of device identification, from initial certificate preparation (stitched during production or locally when deployed) to certificate lifecycle management with final termination, including decommissioning or transfer property rights.

If each device or endpoint has a unique identifier, then when they access the Internet they are authenticated, and then throughout their life they prove their integrity and can communicate securely with other devices, services, and users.

The IoT Edge Enroll service provides a flexible and scalable way to deploy this system and maintain it with additional features such as the Registration Authority (RA) and advanced protocol support. GlobalSign issues certificates at a speed of more than 3000 per second, which is a record among registration centers.

Safety design

Design security is the principle of software development, which from the very beginning is designed to ensure maximum security. This principle can be extended to the development of equipment.

Thus, today, digital certificates are used not only to protect websites and sign computer programs, but also to ensure the authenticity of physical devices. The firmware is performed directly on the conveyor of the chip manufacturer.

“As IoT technology evolves, it’s important that safety is part of the design from the very beginning,” said Roger Wu, CEO of Big Good Intelligent Systems. “Security must begin at the component (chip) level and be supported by a strong, stable, and secure PKI infrastructure at the device, gateway, and cloud levels.”