While we've covered strong security and making security software easier to implement, we'll go into a bit more detail on third-party authentication and provisioning.

Third-party certification

Regardless of the security function used, the security processing behavior (output relative to input) will be the same, although there may be differences in processing speed. However, the security strength (tamper resistance, etc.) will differ depending on the security function implementation.
Furthermore, even among products that are called the same secure element, the actual software/hardware implementation varies depending on the company.

Security must also be considered in semiconductor suppliers' organizational structures and handling processes such as product development, manufacturing, and operation.

The differences in security performance and processes of these semiconductor products from each company make it extremely difficult for users to compare them based on specifications or benchmarks.

One way to solve these problems is to use third-party certification.

Third-party certifications for ICs with security functions include SESIP, PSA, Common Criteria, and FIPS.

A third-party organization evaluates the security implementation and operation of the security features declared by device manufacturers on a unified scale, verifying and certifying that they have been implemented correctly.

In addition, we can provide documented evidence for products that have received third-party certification. This document allows customers to confirm how NXP products meet the requirements of cybersecurity standards, which is expected to reduce the effort required to ensure that end products incorporating NXP products comply with cybersecurity standards.

NXP calls products that have received third-party certification under its EdgeLock ® Assurance program "Certified EdgeLock Assurance Products."

• A list of Certified EdgeLock Assurance products can be found here.

You can also find product and certification evidence in the standards body's certified product lists.

• SESIP Certification List
• PSA Certification List
• Common Criteria (CC) Certified List

The fact that components such as ICs/devices have already received third-party certification is expected to reduce the risk of non-compliance even when manufacturers obtain third-party certification for cybersecurity standards for their final products.

For example, under the CRA (EU Cyber Resilience Act), products categorized as Default and Class 1 can be self-declared as well as third-party certified, but end users may still request third-party certification.

About Secure Provisioning Service (EdgeLock 2GO)

Products with security features require users to provision the confidential information they will use in their applications before they can actually be used. Provisioning must be done in a secure environment, and setting up a new secure environment on a user's production line requires a great deal of effort and expense.

Additionally, if a user has multiple manufacturing bases, support will be required for each one.
Furthermore, if manufacturing is outsourced, problems may arise such as it being difficult to exercise such control, or there being only a limited number of outsourcees that can exercise such control.

NXP's secure elements/authenticators come pre-programmed with some identifying information at the NXP factory, and for simple use cases can be used without any provisioning during manufacturing.

For complex use cases that cannot be covered by the identity information pre-programmed into the secure element/authenticator, or for MCU/MPU products with an integrated EdgeLock secure enclave that does not have pre-programmed identity information, NXP offers a cloud service ( EdgeLock 2GO ) that can be used in combination with NXP ICs.

EdgeLock 2GO provides a means for secure provisioning during manufacturing and in the field by providing the ability to generate unique identities (key pairs and certificates) for each device and end-to-end encryption between EdgeLock 2GO and the device.

In addition, EdgeLock 2GO's certificate authority is approved as a certificate authority that can issue certificates required by standards such as Matter and Qi. You can use it with confidence as a certificate authority that meets the requirements of these standards, not only when compliance with these standards is required, but also when it is not.

In a separate article, we will take a closer look at the potential threats faced when handling confidential information on your production line and how EdgeLock 2GO addresses them.

Software support for working with EdgeLock Secure Enclaves/Secure Elements

We have mentioned that security can be strengthened by using products with security features.

However, there are no set standards for APIs for using hardware security features, and each company has its own unique specifications. Doesn't this make it difficult to develop applications using these APIs?

NXP provides middleware for host applications that not only provide device-specific APIs but also plugins for popular cryptographic libraries such as OpenSSL, PKCS#11, and Mbed-TLS.

For example, by using a plugin for OpenSSL, applications that rely on OpenSSL (e.g., Eclipse Mosquitto ™ ) can use key protection using secure elements without any modifications.

We will introduce practical use cases in a separate article.

=========================​

We are currently unable to respond to comments in the " Comment " section of this post .
We apologize for the inconvenience, but when making inquiries, please refer to " How to contact NXP with technical questions ( Japanese blog ) " .
(If you are already an NXP distributor or have a relationship with NXP , you may ask the person in charge directly.)