
4 Microchip Security

Microchip Technology Cybersecurity overview

Uploaded by

IvoStrašil

Hardware security, from concept to production
A Leading Provider of Smart, Connected and Secure Embedded Control Solutions

Dinu Varta
May, 2024
Corporate Overview

Leading Total Systems Solutions Provider:
• High-performance standard and specialized Mixed Signal Microcontroller, Digital Signal Controller and Microprocessor solutions
• Mixed-Signal, Analog, Interface and Security solutions
• Clock and Timing solutions
• Wireless and Wired Connectivity solutions
• FPGA solutions
• Non-volatile EEPROM and Flash Memory solutions
• Flash IP solutions

$8.4 Billion Revenue in FY2023
Headquartered near Phoenix in Chandler, AZ
>22,500 Employees

18 May
© 2024 Microchip Technology Inc. and its subsidiaries
Providing System Solutions
Portfolio of Hardware, Software and Services
[Diagram: product portfolio arranged around Microcontrollers, Microprocessors and FPGA/SoCs. Areas named: Power Management, RFICs, MMICs, Encryption, Digital Security I/Os, Sensors, Motor Drivers, Power Drivers, Amplifiers, Filters, A/D, D/A, Voice & Audio Processing, Touch Sensing, Timing, Memory, LED Drivers, Ethernet, USB, Storage, Optical Networking, Auto/Industrial Communication, Wireless, Smoke Detector & Piezoelectric Horn Drivers.]

3 Microchip Corporate Presentation Overview Rev 31-2 August 2022


European Security Function Group
A Team of 14 Engineers
[Map graphic. Names shown: Rob Graham, Ian Pearson, Iiro Valkonen, Alex Hahn (AUTO), Reiner Zieglmeier, Anton Brauchle (CAE), Stefan Petzold *, Julien Mongin *, Mylene Martinez (Geo Leader), Ronny Tittoto (Geo Leader), Michael Glozman *, Dinu Varta, Matei Botoghina (CAE), Miguel Idiago (A&D). Countries shown: UK, Finland, Germany, France, Italy, Israel, Austria, Romania, Spain.]
* New Members
Complete SEC Solution from Microchip
Legislation
• EN 303645 / UK Secure by Design / NISTIR 8259…
• IEC 62443 (Industrial)
• WPC
Silicon
• ATECC608
• TA100
• ECC204 …, SHA, TA, RNG
Service
• Provisioning: Trust Platform (Low MOQ / High volume Flow)
• Secure Lifecycle management
Software
• CAL (CryptoAuthLib)
• Trust Platform Design Suite - Use Case and Configurator
• C code example

Security across the product lifecycle
Microchip Total System Solution

Concept, Prototyping, Development, Production, Utilization, Support, Retirement

• Cybersecurity requirements
• Cost & Time constraints (Iron Triangle)
• Threat Analysis
• Hardware integration
• Software integration
• Cloud integration
• Key and Certificate provisioning
• Distribution and logistics
• End user activation
• Operation
• Sensitive data handling
• Software update
• Vulnerability management
• Sensitive data management
• Device recovery & repurpose

Hardware products
Development tools and examples
Provisioning services
Team of Security experts
CVD procedure and dedicated PSIRT
www.microchip.com/PSIRT

Europe Driving CyberSecurity Regulation Change
Cybersecurity Regulations are evolving and Europe drives the change

Reference: LEVY-BENCHETON, Cédric. Panorama of IoT Cyber Security Regulations Across the World. cetome. https://cetome.com/panorama

European Cybersecurity Coming Directives and Acts
https://digital-strategy.ec.europa.eu/en/policies/cybersecurity-policies

• RED 3.3 (Radio Equipment Directive)
  • Applicable to all radio-based devices and mandatory starting August 2024
  • Articles 3(3)(d), (e) and (f) to increase the level of cybersecurity, personal data protection and privacy
• Cyber Resilience Act (CRA)
  • Mandatory cybersecurity requirements for hardware and software products
  • Activated 36 months after entry into force (2024); still work in progress, targeting 2027

Is Your Security Rating Sustainable over Time?
• How can you sustain proven security over time?
  • Hardware gets hacked on a daily basis
  • One of the most significant security risks in IoT is vulnerabilities in the code
  • Supply chain attacks are a growing concern
• What should you do?
  • Implement defense in depth in your design
  • Leverage state-of-the-art technologies to reduce risks, save costs and development time

IoT Module Real Example
IoT module based on

SOLUTION
• Add a pre-provisioned secure element, reducing exposure to future hardware and software flaws and provisioning process risks
• Hardware vulnerability: design modular solutions, so that vulnerabilities of one hardware component are mitigated by the HSM (defense in depth)
• Software stack vulnerability: delegate all cryptographic operations to hardware, removing any software dependency and known or potential vulnerability
• Handle vulnerability management as per regulations
• Reduce development costs to simplify secure provisioning, FOTA and device management

Market Segments
IoT
• EMEA, India, Korea, Australia, USA consumer standards
• Anything with an IP address
Automotive
• Infotainment, ADAS
• EV Battery authentication
• BMS
Industrial
• IEC62443
• IP address
Defense
• Random Number Generator
• FIPS 140 certification
• Crypto-key related use cases
E-mobility
• EV charging car/station
• eBike
• Battery Swapping
• Battery authentication
Datacenter
• Open Compute Project
• BCM
• Power Supplies
Medical
• IoT
• Disposables/Consumables
5G
• IP address
• Crypto-key related use cases
• FIPS 140 certification
WHY a Secure Element?
• Unique identity
• Unique Serial Number
• Protected private key for a lifetime
• Secure Key Storage
• Cryptographic acceleration
• Random Number Generator
• Scrambled and encrypted information
• Monotonic counters
• Safe provisioning with secured HSM
[Diagram labels: Secure Element, HW protection, MCU Agnostic]


Rate the Way You Protect Keys
Common Criteria JIL Rating

Microchip Security solutions
[Product matrix graphic. Columns: Secure Elements, System-on-Module, System-in-Package. Rows: Automotive, IoT, Accessory & Disposable.
Parts named: TA100, TA010, ECC608B, ATECC608, ATECC608 Trust&GO, ECC206/206, SHA204A, SHA104/105/106, SHA206A, dsPIC33CK512MPT608 (Ariel) (dsPIC33 DSC), PIC32C (CortexM4F), SAMA5 (CortexA5), SAMA5 Wireless SOM (Linux MPU, Wifi/BLE), WFI32E01PC (high perf 32 bit MCU, Wifi), PIC32CM LS60 (CortexM23).
Use cases named: CAN message authentication, EV battery authentication, cloud authentication (TLS based), secure boot, OTA verify, IP protection, secure data storage, ecosystem control, low-cost accessory and disposable authentication, battery authentication, WPC Qi 1.3, PCB-less option.]
CryptoAuthentication™ Portfolio Expands
[Portfolio graphic. Existing parts by segment: TA100 (Automotive), CEC173x (Datacenter), ATECC608 (IoT), SHA204A (Accessories), SHA206A (Disposables). New solutions: TA010, ECC204, SHA104/SHA105, SHA106, ECC206.
Use cases named: battery authentication, Qi 1.3, WPC 1.3, secure boot, secure boot for Linux systems, message encryption, car accessory authentication, field upgrade, firmware upgrade, CAN message authentication, TLS authentication, cloud authentication, transfer of ownership, in-field device claiming, custom PKI, user access privilege, real-time system bus protection, SPI flash image verification, real time Root of Trust, HDCP, public key attestation, accessory authentication, symmetric accessory authentication, disposable authentication, disposable symmetric authentication with no PCB, disposable asymmetric authentication with no PCB.]

Form Factors

Client SHA256 MAC

3-pin, Single Wire

Introduction of a NEW service - Trust Manager

Trust Platform : provisioning services

Pre-configured | YES | YES | YES | NO
Provisioning | Zero touch (at Microchip) | Zero touch (In-field) | Custom (at Microchip) | Custom (at Microchip)
Complexity | Lowest | Lowest | Lower | Custom
Secrets | Static by Microchip | Managed SaaS | Static by Customer | Custom
Low MOQ Flow | 100 units | 2000 units | 2000 units | 4000 units
High Volume Flow | Starting 30ku | Starting 30ku | Starting 30ku | Starting 30ku
Use cases Any Cloud TLS Root CA services Any Cloud TLS Any custom use case(s)
LoRaWAN Any Cloud TLS Firmware Verification
Crypto Mining – Helium FOTA Key rotation
Key rotation Wireless charging
Data Secure Boot
Local authentication
Devices ATECC608 for TLS ECC608 ATECC608 TLS ECC608
ATECC608 for LoRa ECC608 WPC ATSHA204A
SAMA5 Wireless SOM PIC32CM (MCU+SE) TA100
WFI32E01PC – ECC204 AUTH dsPIC33CK (MCU+SE)
Wifi+MCU+ECC608 TA010 AUTH CEC1736
ECC608 for Helium ECC204 WPC TA101 (Beta-Nov’23)
TA010 WPC
SHA104 AUTH
CEC1736
Security IC Journey: lots of steps
• Device Customization happens BEFORE manufacturing

Threat Model → Identify the use case(s) → Contact your expert or Security Partner → Define the transaction diagram → Define the configuration
→ Prototype and Code → Provisioning process starts before manufacturing → Secret Exchange → Test provisioned samples → Customer Production

Logistic Challenges of Cryptographic Keys
• Development: Working with keys from prototyping to production
• Supply Chain: Paying for unused device customization
• Scaling: Deploying keys in your fleets globally
• Availability: Keeping up with security updates at any time
• Business: Monetizing via subscription models

How to?
• Remove the hurdle of Secure Exchange / factory provisioning?
• Remove the hurdle of Custom Part Number per project?
• Ease the logistic flow / customer inventory management?
• Comply with new regulations?
• Create new business models?

A simplified onboarding process for sales and customers
• Remove the salesforces ticket steps
• No interaction with MCHP for secret exchange; it happens in the field
• One part number for all
• Capability to onboard without manifest
Microchip Proprietary and Confidential
Security IC NEW Journey
• Device Customization happens AFTER manufacturing

Threat Model → Identify the use case(s) → Contact your expert or Security Partner → Customer Production

TrustMANAGER ECC608
Offer Self-Serve Root CA with certificate management and in-field provisioning
Trust Manager offering
• Root CA service and associated PKI creation
• Service Maintenance & Availability guarantee
• In-field provisioning of Credentials (Custom PKI / Certificates, Public Keys, Symmetric Keys, Data)
• Lifecycle management of Credentials
• Transfer of Ownership
• Code Signing Services

What is the solution about?
• Current Services (launch 4/2)
  • Self service custom rootCA with complete PKI in seconds
  • Certificate expiration date management
  • Certificate rotation
  • Private Key rotation
  • Transfer of ownership
• Upcoming Services (H2’24)
  • Code signing service
  • In-field provisioning + management of
    • Public Key (OTA verification)
    • Symmetric key
    • Data
Benefit to the customer
• Maintenance of your Security
  • In EU legislation (commitment to patch vulnerabilities for a minimum number of years, 5 years in EU): will become our customer sales argument
• Cost efficient and robust end-to-end security
• Pay as you use
  • Activation (in-field provisioning fee) is charged only if the device connects
• Self service
• Insurance policy for the upcoming changes: gives flexibility
• Ease of implementation during development
  • No need to worry about certificate/key customization during development: it’s automated and happens in-field

Market Segments
IoT, EV Charging, Building Access, Telematics

• Security standards require you to keep your security up to date
• Short Term Rental (Airbnb)
• EV charging stations
• Inventory management
• Long Term rental
• ISO15118 standard
• Lease model
• Hotel, Universities, Corporate buildings …
• Pay as you go, Buy now pay later
• OCPP standard
• Warranty/return

Equipment Industrial Medical Inventory


crew management

• Governed by IEC62443 • Car parking lot


• Connected equipment • Connected Medical devices
• Fleet and Asset management • Power tools, lockers, …
and their identities
• Connected Coffee machine
keySTREAM SaaS secured by Kudelski

ECC608

In-Field Provisioning and Extra Services
Microchip provisions a unique Root of Trust in each compatible Secure Element. keySTREAM authenticates the Secure Elements using this identity, enables in-field provisioning of new credentials and manages the lifecycle of the cryptographic keys.

[Diagram labels. MCHP Production Site: MCHP Root CA, MCHP birth Certificates, ATECC608 Trust&GO Managed (ECC608-TMGNTLS), e.g. ECC608B, … In Field: Customer Root CA, Customer Issuing CAs (CQ2’24), e.g. registered, Customer Device Certificates, FOTA, ATECC608 Trust&GO Managed (ECC608-TMGNTLS).]

keySTREAM in-field Provisioning
• Custom PKI
• Certificate expiration management
• Certificate rotation
• Private Key rotation
• Transfer of ownership
• Public Key rotation
• Symmetric key management
• Data provisioning

keySTREAM SaaS : secure device manager

• HSM-as-a-Service

• Self Service PKI w/ root CA creation

• Key management SaaS

• In field device provisioning

• Automated device onboarding


Functionalities
Provide a unique device identity in the field to each of your devices, an identity that is trusted for the whole product life. Lower the device management cost and complexity.

Root CA creation + associated PKI
Network security
• Custom root CA + PKI protected in Kudelski HSM w/ backup
• Instant creation of custom root CA w/ your company name
Device Security
• ECC608 protects the device private key

Rapid onboarding
Autoclaim workflow removes the need for devices manifest*
* Manifest option still available as alternative
Distribution enablement
• No handling of the manifest (w/ Autoclaim)
• Regular fulfillment

In-field provisioning
• Pay as you activate
• No key exposure in manufacturing
• Deploy certificates in the field
• No secret exchange with a factory

Certificates management
• Keep security up to date
• Manage and scale your fleet
• Secure/monitored management by keySTREAM
• Expiration date programmatic renewal
• Revocation
• Rotation/Renewal
• Private Key management
In-field Delivery of Credentials
The flow
Delivery Process of Credentials: High Level Flow
CUSTOMER Account

1. Configure a device profile
2. MICROCHIP DIRECT ORDERING: Order ECC608 Trust Manager in Microchip Direct. Supports different flows:
   - Direct Customer
   - Contract Manufacturer
   - Distributor
3. Integrate KTA in device firmware
4. Get chips
5. Onboarding & Provisioning
6. Remote Management

[Diagram labels: Customer, FOTA, Device production, Provisioning]

Delivery of keys
• Packets (the keys, certificates) are encrypted in keySTREAM and pushed through the network into the ECC608 TrustMANAGER.
• The ECC608 attests the encrypted packets, decrypts the content and loads it (keys, certificates) into the ECC608 secure memory.
• Anything between keySTREAM and the ECC608 is a passthrough.
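
A minimal model of the delivery path described above, as an added example (not Microchip or Kudelski code, and not the keySTREAM packet format): the service seals a credential, relays forward opaque bytes, and the secure element authenticates the packet before decrypting and storing it. The shared per-device key, the packet layout, the SHA-256 keystream standing in for a real AEAD, and the counter-based replay check are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

TAG_LEN = 32  # HMAC-SHA256 tag length in bytes


def _subkeys(device_key):
    """Derive separate encryption and MAC keys from the per-device key."""
    return (hmac.new(device_key, b"enc", hashlib.sha256).digest(),
            hmac.new(device_key, b"mac", hashlib.sha256).digest())


def _xor_stream(key, counter, data):
    """XOR with a SHA-256 counter-mode keystream (stand-in for a real AEAD)."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hashlib.sha256(key + struct.pack(">QI", counter, offset)).digest()
        out += bytes(a ^ b for a, b in zip(data[offset:offset + 32], pad))
    return bytes(out)


def seal(device_key, counter, credential):
    """Service side: encrypt, then MAC the counter header plus ciphertext."""
    enc, mac = _subkeys(device_key)
    body = struct.pack(">Q", counter) + _xor_stream(enc, counter, credential)
    return body + hmac.new(mac, body, hashlib.sha256).digest()


class SecureElementModel:
    """Device side (hypothetical model): authenticate, then decrypt and store."""
    def __init__(self, device_key):
        self._key = device_key
        self._last_counter = 0  # monotonic counter rejects replays
        self.slots = []         # stands in for secure memory

    def load(self, packet):
        if len(packet) < 8 + TAG_LEN:
            return False
        body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
        enc, mac = _subkeys(self._key)
        if not hmac.compare_digest(tag, hmac.new(mac, body, hashlib.sha256).digest()):
            return False  # modified in transit, or sealed for another device
        (counter,) = struct.unpack(">Q", body[:8])
        if counter <= self._last_counter:
            return False  # replayed or stale packet
        self.slots.append(_xor_stream(enc, counter, body[8:]))
        self._last_counter = counter
        return True


def demo():
    key = bytes(range(32))  # constructed per-device key
    se = SecureElementModel(key)
    packet = seal(key, 1, b"constructed device certificate")
    tampered = bytearray(packet)
    tampered[10] ^= 0x01  # one bit flipped by a relay
    return {
        "opaque_to_relay": b"certificate" not in packet,
        "tampered_loaded": se.load(bytes(tampered)),
        "genuine_loaded": se.load(packet),
        "replay_loaded": se.load(packet),
        "stored": se.slots,
    }
```

The host MCU and every network hop only handle `packet`; a flipped bit, a replayed packet or a packet sealed for a different device key is rejected before anything is decrypted.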

ECC608 TrustMANAGER & keySTREAM

• Device Management
• Managed TLS keys
• Transfer of ownership
• User privilege

• H2’24
• Managed OTA verification
• Code Signing
• Enable your subscription model
• Version control

ECC608 TrustMANAGER: functions
• Dynamic key management
• Public & private key rotation
• Certificate rotation
• Internal key attestation

• H2’24
• OTA keys
• Symmetric keys
• Dynamic secret data storage

Hardware Development Kits
Kits Roadmap
[Roadmap graphic. Timeline: Now, CQ2’24, CQ3’24, CQ4’24. Kit named: EV10E69A. Components named: SAMD21, WINC1500 click, SG41 (M4), Rio0 Wifi, Ethernet, SAMA5D29, Ethernet Gigabyte.]

Takeaways
• Easier onboarding with predefined use cases
• Quick development with simple toolsets
• Secure Manufacturing Provisioning services
• Fitted for Mass Market with low MoQ including provisioning and Microchip certificates
• Architecture Agnostic with any cloud, any PKI*, any controller, any connectivity
*PKI: public key infrastructure
