“Original equipment manufacturers (OEMs) developing edge connectivity technologies need to consider their software intellectual property and their reputation as security product providers. Cost-effective production is often in direct conflict with protecting intellectual property and device certifications used in the cloud. NXP believes that security can never be compromised and offers a solution with a new Smart Card Trust Provisioning feature.
Author: Stella Or
Original equipment manufacturers (OEMs) developing edge connectivity technologies need to consider their software intellectual property and their reputation as security product providers. Cost-effective production is often in direct conflict with protecting intellectual property and device certifications used in the cloud. NXP believes that security can never be compromised and offers a solution with a new Smart Card Trust Provisioning feature.
Security is at the heart of NXP. Not only do we want every element of our device or software to be safe, we want to make every customer-made product safe. Even if the manufacturing site itself does not provide strong security, with highly secure technology, the manufacturing process should be safe. With the new smart card trusted provisioning solution, NXP has introduced a variety of features to support OEMs in protecting their intellectual property and their revenue. This solution leverages our smart cards and MCUXpresso Secure Provisioning Tool (SEC) to provide customers a way to manage the root of trust in their manufacturing processes. In addition, this solution guarantees that customers’ confidential information (keys and credentials) used to identify OEM products and their software intellectual property are protected. It is a cost-effective, secure and reliable solution for customers of all sizes, and leverages NXP’s highly secure SmartMX microcontrollers (MCUs) to implement the smart cards themselves, a technology that has been the backbone of high security for many years App provides support.
Get it right away. Learn how the smart card trusted provisioning solution works.
Many customers spend months or years developing software for their final products, including certifications and intellectual property, which are their most valuable assets. The Smart Card Trusted Provisioning solution supports the deployment of secure authentication and intellectual property from customer premises to commissioned factories. Our MCUs have secure boot built into ROM to ensure that only signed images are run. The MCU also includes secure flash memory and device-unique key generation based on Physical Unclonable Function (PUF) technology. Customer certifications and intellectual property are signed and encrypted using the MCUXpresso SEC tool at their trusted development site, and can only be verified and decrypted by genuine NXP devices.
Authentication, such as keys used in client applications, can be securely stored on the smart card before being sealed to prevent tampering. In this way, the smart card becomes the basic element of security like a hardware security module (HSM). These certifications can then be securely transferred to the target device inside the customer’s end product without being exposed to the contract manufacturer (CM) factory. Using the SEC tool, only genuine devices with the appropriate built-in NXP certificate can be equipped with the customer’s key and programmed with customer-signed software. Even at the final step from the host running the SEC tool to the customer’s target system, the secure link between that computer and the NXP MCU is protected during provisioning and programming.
Overproduction in CM factories can also be a concern for many OEMs. The smart card trusted configuration solution provides basic production management functions (ie production limit control) to solve this problem. Customers get SEC tools to personalize smart cards and limit production quantities, while creating production packages for their CMs to use in manufacturing their products. Once at the factory, the SEC tool that performs device configuration communicates with the smart card to securely count the number of manufactured products and prevent any attempts to exceed preset limits. The SEC tool generates a factory audit log at the end of the production process for the CM to return to the customer site for audit.
Smart Card Trusted Configuration Flowchart
In every secure edge connectivity application, each device requires a unique identity for cloud registration. NXP builds the configuration process from designing the microcontroller and injects encryption keys and digital certificates into these devices at the factory during the manufacturing process for use in the customer’s manufacturing process. Our customers can generate their own device-unique certificates and replace (or revoke) the default NXP device certificates using SEC tools to generate certificates and secure them with smart cards. This way, they can take ownership of the device during factory assignment and use the audit log generated by the SEC tool to obtain the resulting device certificate. These device certificates can then be used to upload to the service provider for use in device registration.
Smart card provisioning solutions replace traditional, more expensive HSMs and third-party device programming services. We enable our customers to take advantage of the advanced security features of NXP MCUs to protect their valuable assets. By purchasing cost-effective smart cards and using the free MCUXpresso SEC tool, our customers can prepare secure images to protect their intellectual property, manage keys and perform device assignments. With no minimum order quantities and full control over production quantities, smart card configuration solutions make secure manufacturing affordable for all.
Senior Product Manager, Ecosystem Security, Edge Processing Business Unit, NXP Semiconductors
Stella Or holds a Master of Science degree in Software Technology from the Hong Kong Polytechnic University. With over 20 years of experience in the semiconductor industry, Stella has been focusing on embedded security solutions for IoT and financial applications in various roles including product definition and business development. Currently, Stella is responsible for market strategy and roadmap planning for NXP’s ecosystem of security solutions, including security configuration, remote device management and runtime security for MCUs and MPUs.