topic Re: Achieving SL 3 according to IEC 62443-4-2 with the NXP SE050 in Smart Cards and Secure Element

Achieving SL 3 according to IEC 62443-4-2 with the NXP SE050

anna_geber — Thu, 15 Feb 2024 07:46:22 GMT

I am currently using an NXP ls1021A processor and I am trying to develop a network component with Security Level 3 (SL 3). Is it possible to achieve SL3 in terms of hardware security if I use the NXP ls1021A in conjunction with an NXP SE 050?

@EdgeLock SE050 | Enhanced IoT Security | NXP Semiconductors

Re: Achieving SL 3 according to IEC 62443-4-2 with the NXP SE050

Ronaldmack — Fri, 16 Feb 2024 04:26:30 GMT

Hello,

the NXP ls1021A processor is a dual-core processor with LCD controller that offers advanced security features and supports DDR3L/4 memory. The NXP SE 050 is a secure element product family that offers enhanced Common Criteria EAL 6+ and FIPS 140-2 certified security, for strong protection against the latest attack scenarios. The SE 050 supports a broad range of IoT security use cases such as TLS connection, cloud onboarding, device-to-device authentication, device integrity protection, attestation, sensor data protection, and more.

Security Level 3 (SL 3) is defined by IEC 62443-4-2 (Be Ball Players) as a protection against intentional misuse by sophisticated means with moderate resources, IACS-specific knowledge and moderate motivation. To achieve SL 3, a component or system must include the capability to carry out the security functions required for capability security level 3, as specified by IEC 62443-3-3 (for systems) and IEC 62443-4-2 (for components).

Based on this information, it seems possible to achieve SL 3 in terms of hardware security if you use the NXP ls1021A in conjunction with an NXP SE 050, as both products offer high levels of security and support various security functions. However, you may also need to consider other factors such as the system design, the software implementation, the network configuration, and the operational procedures to ensure a comprehensive and effective security solution. I hope this helps.

Re: Achieving SL 3 according to IEC 62443-4-2 with the NXP SE050

anna_geber — Thu, 15 Feb 2024 14:26:43 GMT

Thank you for your reply. Can you also tell me if the advanced security features of the ls1021A are enough to achieve SL3?

Re: Achieving SL 3 according to IEC 62443-4-2 with the NXP SE050

Ronaldmack — Fri, 16 Feb 2024 04:17:35 GMT

Hello,

Yes sure, The ls1021A is a dual-core processor with an integrated security engine and ECC protection on both L1 and L2 caches. It supports AES-128 based secure messaging, which is one of the requirements for SL3. SL3 is the security level that offers protection against intentional misuse by sophisticated means with moderate resources, IACS-specific knowledge and moderate motivation.

However, SL3 also involves other security requirements and enhancements, such as identification and authentication control, use control, system integrity, data confidentiality, restricted data flow, timely response to events, and resource availability.

Therefore, the ls1021A alone may not be enough to achieve SL3, unless it is combined with other security measures and solutions that address the remaining aspects of SL3.

I hope this information may helps you.

Re: Achieving SL 3 according to IEC 62443-4-2 with the NXP SE050

anna_geber — Fri, 16 Feb 2024 07:58:27 GMT

Thank you for the answer. However, one question remains unanswered. In IEC 62443-4-2, explicit hardware security is required under "CR 1.5 - Authenticator management" with RE 1 "Hardware security for authenticators", CR 1.9 - Strength of public key-based authentication" with RE 1 "Hardware security for public key-based authentication" and under "CR 1.14 - Strength of symmetric key-based authentication" with RE 1 "Hardware security for symmetric key-based authentication". In IEC 62443-4-2, CR 1.5 describes the use of a TPM to implement hardware security ("Enhanced protection can be achieved by using hardware mechanisms such as hardware security modules like trusted platform modules (TPMs)."). My specific question is: Are the hardware security mechanisms offered by the ls1021A sufficient to fulfill the required hardware security in CR 1.5 RE 1, CR 1.9 RE 1 and CR 1.14 RE 1?

Re: Achieving SL 3 according to IEC 62443-4-2 with the NXP SE050

Kan_Li — Mon, 19 Feb 2024 08:14:18 GMT

Hi @anna_geber ,

Yes, we recommend using a Secure Element such as EdgeLock SE05x with its pre-integrated security features to ease the compliance with ISA/IEC 62443 component requirements, and we provide an app note on this topic, please kindly refer to https://www.nxp.com/docs/en/application-note/AN12660.pdf for more details, especially section 4.1 regarding your concerns.

Hope that helps,

Have a great day,
Kan

-------------------------------------------------------------------------------
Note:
- If this post answers your question, please click the "Mark Correct" button. Thank you!
- We are following threads for 7 weeks after the last post, later replies are ignored
Please open a new thread and refer to the closed one, if you have a related question at a later point in time.
-------------------------------------------------------------------------------

Re: Achieving SL 3 according to IEC 62443-4-2 with the NXP SE050

anna_geber — Mon, 19 Feb 2024 08:43:44 GMT

Thanks for your response. I was already aware of this app note. However, I would like to do without an additional component such as an SE050. Therefore, I would like to know if the hardware security features of the LS1021A are sufficient to fulfill CR 1.5 RE 1, CR 1.9 RE 1 and CR 1.14 RE 1.