Embedded World Product Showcase: Infineon Technologies OPTIGA Trust M Express
June 14, 2022
Networked devices that connect to the cloud and to each other are inherently exposed to cyberattack. To make their built-in defenses as robust as possible, these systems must be protected from the time of manufacture until decommissioning. That includes the unique identities that let IoT devices authenticate against a PKI.
Infineon’s OPTIGA Trust M Express accomplishes this, but probably not in the way you think. Instead of requiring private keys to be injected during the device maker’s own manufacturing process, the cryptographic identity of the Common Criteria EAL 6+-certified OPTIGA™ Trust M Express is based on a trust anchor provisioned in Infineon’s secure, certified fabs. The device arrives with its identity already in place, so the private key never has to be handled on the production line, which streamlines production flows and shortens time to market.
Other highlights of OPTIGA Trust M Express devices include:
- ECC: NIST curves P-256/P-384/P-521 and Brainpool r1 curves up to 512 bits; ECDSA and ECDHE; SHA-256; the TLS v1.2 PRF and HKDF with hashes up to SHA-512
- RSA: 1024- and 2048-bit key generation, encryption/decryption and sign/verify (note that 1024-bit RSA is below the NIST SP 800-131A minimum for generating new signatures, so new designs should use 2048-bit keys or ECC)
- Symmetric: AES with keys up to 256 bits, and HMAC with hashes up to SHA-512, with chaining support
The devices also protect lifecycle and runtime states by securing data objects, keys, and relevant metadata in a protected data store.
To round out the solution, OPTIGA Trust M Express pairs with the CIRRENT Cloud ID service, which fully automates zero-touch certificate registration and provisioning with AWS and Azure IoT Hub so that fleets of IoT devices can be deployed at scale.
Users can also track all on-premise or cloud-based device certificates through its whitelist cloud service and pre-registration services.
The OPTIGA Trust M Express in Action
Of course, once an OPTIGA Trust M Express device is deployed in the field, it must be able to communicate securely with the rest of the system it sits in. Locally, the host MCU talks to the chip over I2C using Infineon’s proprietary Shielded Connection, which encrypts and integrity-protects the command and response traffic on that bus instead of sending it in the clear.
For communication beyond the local system, the host library is designed to be combined with third-party TLS/DTLS client and server stacks, with the chip performing the ECDSA, ECDHE and TLS PRF operations listed above so the device’s private key never leaves it.
Engineers looking to evaluate the OPTIGA Trust M Express are encouraged to try the IoT Security Development Kit of the same name, which includes an OPTIGA Trust M-based device and examples of how a device can communicate securely with AWS over MQTT using an identity registered through CIRRENT Cloud ID. The kit also demonstrates how these components can pre-provision X.509 certificates and deploy them in a zero-touch cloud provisioning workflow.
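The workflow described above (fab-provisioned identity, pre-registration of the devices an operator expects, zero-touch admission into a cloud fleet) can be exercised end to end in software. The following Go program is an added example written for this page; it is not Infineon’s host library, CIRRENT Cloud ID code or any AWS/Azure SDK, and it uses only the Go standard library. `NewFab`, `Provision`, `Fleet`, `Register`, the CA names and the `CHIP-000x` IDs are hypothetical stand-ins: the fab CA plays the fab-provisioned trust anchor, a software P-256 key plays the chip-resident key, and `Fleet.Admit` does what a cloud registration service has to do before it trusts a new device: verify the chain to the manufacturer CA, verify a signature over a fresh challenge (proof that the device holds the private key, which is also what a TLS client-auth CertificateVerify proves), and check the chip ID against the pre-registration list.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Identity is a certificate plus the signer holding its private key. For a device the CN is the
// chip's unique ID; on the real part the key lives inside the OPTIGA and is only reachable through
// its signing command, which is exactly the crypto.Signer contract used here (simulated in software).
type Identity struct {
	Cert *x509.Certificate
	Key  crypto.Signer
}

// Fleet models the cloud side: the manufacturer CA it trusts and the pre-registered chip IDs.
type Fleet struct {
	CA      *x509.Certificate
	Allowed map[string]bool
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
// issue generates a P-256 key and a certificate for it signed by parent (self-signed when
// parent is nil): ca=true builds a trust anchor, ca=false a client-auth leaf for one chip.
func issue(cn string, ca bool, parent *x509.Certificate, signer crypto.Signer) Identity {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: must(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 63))),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: ca, KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if ca {
		tmpl.KeyUsage, tmpl.ExtKeyUsage = x509.KeyUsageCertSign, nil
	}
	if parent == nil {
		parent, signer = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer))
	return Identity{Cert: must(x509.ParseCertificate(der)), Key: key}
}

// NewFab stands in for a certified fab: the CA identity that acts as the trust anchor.
func NewFab(name string) Identity { return issue(name, true, nil, nil) }
// Provision simulates fab-side personalisation of one chip with a certificate bound to its ID.
func Provision(fab Identity, chipID string) Identity { return issue(chipID, false, fab.Cert, fab.Key) }

// Admit is the cloud-side check: the certificate must chain to the trusted manufacturer CA, the
// device must prove possession of the matching key, and the chip ID must be pre-registered.
func (f *Fleet) Admit(leaf *x509.Certificate, challenge, signature []byte) (string, error) {
	roots := x509.NewCertPool()
	roots.AddCert(f.CA)
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return "", fmt.Errorf("untrusted certificate: %w", err)
	}
	if err := leaf.CheckSignature(x509.ECDSAWithSHA256, challenge, signature); err != nil {
		return "", fmt.Errorf("proof of possession failed: %w", err)
	}
	if id := leaf.Subject.CommonName; f.Allowed[id] {
		return id, nil // admitted: use the chip ID as the cloud-side device name
	}
	return "", fmt.Errorf("chip ID not pre-registered: %s", leaf.Subject.CommonName)
}

// Register runs one zero-touch enrolment: fresh challenge, device signature, cloud check.
func Register(f *Fleet, dev Identity) (string, error) {
	challenge := make([]byte, 32)
	must(rand.Read(challenge))
	digest := sha256.Sum256(challenge)
	sig, err := dev.Key.Sign(rand.Reader, digest[:], crypto.SHA256) // the only use of the key
	if err != nil {
		return "", err
	}
	return f.Admit(dev.Cert, challenge, sig)
}

func main() {
	fab := NewFab("Example Manufacturer CA") // hypothetical; not Infineon's production CA
	fleet := &Fleet{CA: fab.Cert, Allowed: map[string]bool{"CHIP-0001": true}}
	rogue := Provision(NewFab("Rogue CA"), "CHIP-0001") // right ID, wrong trust anchor
	for _, dev := range []Identity{Provision(fab, "CHIP-0001"), Provision(fab, "CHIP-0002"), rogue} {
		id, err := Register(fleet, dev)
		fmt.Printf("%s: id=%q err=%v\n", dev.Cert.Subject.CommonName, id, err)
	}
}
```

The three cases in `main` are an admitted device, a genuine device that was never pre-registered, and a certificate carrying the right chip ID but chaining to a different CA; only the first is admitted. On real hardware the only change on the device side is the `crypto.Signer`: instead of an in-memory `ecdsa.PrivateKey`, wrap the host library’s signing call so the digest goes to the OPTIGA and the signature comes back, and the private key is never present in host memory.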
Delivered with an SDK that’s designed to help IoT device designers prototype secure applications, the entire kit consists of:
- An Arm Cortex-M4/M0+-based PSoC 6 microcontroller
- An AIROC CYW43012 dual-band 2.4 and 5.0 GHz Wi-Fi and low-power Bluetooth 5.0 combo chip
- ModusToolbox support
Getting Started with the Infineon OPTIGA Trust M Express
To get started with the OPTIGA Trust M Express, interested parties can access the host library, released under the open-source MIT license, from the company’s GitHub repository. Separately, a virtual development kit for CIRRENT Cloud ID is available from Infineon (see the CIRRENT Cloud ID link below).
More about the OPTIGA Trust M Express devices themselves, including pricing and ordering information, can be found at www.infineon.com/cms/en/product/security-smart-card-solutions/optiga-embedded-security-solutions/optiga-trust/optiga-trust-m-express/?redirId=197207.
- OPTIGA Trust M Express product page: www.infineon.com/cms/en/product/security-smart-card-solutions/optiga-embedded-security-solutions/optiga-trust/optiga-trust-m-express/?redirId=197207
- CIRRENT Cloud ID solution page: www.infineon.com/cms/de/design-support/service/cloud/cirrent-cloud-id
- Infineon OPTIGA Trust M GitHub: https://github.com/Infineon/optiga-trust-m
- OPTIGA Trust M Express press release: www.infineon.com/cms/en/about-infineon/press/market-news/2022/INFCSS202206-090.html