STSAFE-A100
Authentication, state-of-the-art security for peripherals and IoT devices
Data brief

[Package images: SO8N (4 × 5 mm), UFDFPN8 (2 × 3 mm)]

Features
• Authentication (of peripherals, IoT and USB Type-C devices)
• Secure channel establishment with remote host including transport layer security (TLS) handshake
• Signature verification service (secure boot and firmware upgrade)
• Usage monitoring with secure counters
• Pairing and secure channel with host application processor
• Wrapping and unwrapping of local or remote host envelopes
• On-chip key pair generation

Security features
• Latest generation of highly secure MCUs
– CC EAL5+ AVA_VAN5 Common Criteria certified
– Active shield
– Monitoring of environmental parameters
– Protection mechanism against faults
– Unique serial number on each die
– Protection against side-channel attacks
• Advanced asymmetric cryptography
– Elliptic curve cryptography (ECC) with NIST or Brainpool 256-bit and 384-bit curves
– Elliptic curve digital signature algorithm (ECDSA) with SHA-256 and SHA-384 for digital signature generation and verification
– Elliptic curve Diffie-Hellman (ECDH) for key establishment
• Advanced symmetric cryptography
– Key wrapping and unwrapping using AES-128/AES-256
– Secure channel protocols using AES-128
• Secure operating system
– Secure STSAFE-A100 kernel for authentication and data management
– Protection against logical and physical attacks

Hardware features
• Highly secure MCU platform
• 6 Kbytes of configurable non-volatile memory
– Highly reliable CMOS EEPROM technology
– 30 years’ data retention at 25 °C
– 500 000 erase/program cycles endurance at 25 °C
– 1.62 V to 5.5 V continuous supply voltage
• Operating temperature: -40 to 95 °C

Protocol
• I²C-bus slave interface
– Up to 400 Kbps transmission speed (Fast mode) and true open-drain pads
– 7-bit addressing

Packages
• ECOPACK®-compliant SO8N 8-lead plastic small outline and UFDFPN 8-lead ultra-thin profile fine pitch dual flat packages

February 2016
DocID028943 Rev 1
For further information contact your local STMicroelectronics sales office.
www.st.com

1 Description
The STSAFE-A100 is a highly secure solution that acts as a secure element providing
authentication and data management services to a local or remote host. It consists of a full
turnkey solution with a secure operating system running on the latest generation of secure
microcontrollers.
The STSAFE-A100 can be integrated in IoT (Internet of things) devices, smart-home, smart-city
and industrial applications, consumer electronics devices, consumables and
accessories.
1.1 Key function overview
Figure 1. Authentication to a remote server (IoT device case)
[Figure labels: IoT device, Remote device, Host, RF or hardwired connection, Local host, I²C, STSAFE-A]
Figure 2. Authentication to a local host (accessory or consumable case)
[Figure labels: Peripheral, Local host, I²C, STSAFE-A]
The STSAFE-A100 can be mounted on:
• a device that authenticates to a remote host (IoT device case), the local host being
used as a pass-through to the remote server.
• a peripheral that authenticates to a local host, for example games, mobile accessories
or consumables.
The STSAFE-A100 secure element supports the following features:
• Authentication
The STSAFE-A100’s authentication service provides proof to a remote or local host
that a certain peripheral or IoT device is legitimate. An equipment manufacturer can thus
ensure that only authentic peripherals like accessories or consumables can be used in
conjunction with the original equipment. In the same way, a service provider can make
sure that its service is only provided to the appropriate IoT device.
The authentication service utilizes the ECC cryptographic scheme with NIST or
Brainpool 256-bit and 384-bit curves. It also uses the widely deployed ECDSA
signature scheme with SHA-256 and SHA-384 for generating digital signatures. In
addition, it is compatible with the USB Type-C authentication scheme.
• Secure-channel key establishment (TLS)
The STSAFE-A100 helps encrypt communications between a device and a remote
host (such as a cloud server or gateway). The key establishment service uses the ECC
cryptographic scheme with NIST or Brainpool 256-bit and 384-bit curves. Moreover, it
computes the shared secret with the widely recognized Diffie-Hellman schemes ECDH
and ECDHE.
• Signature verification
The STSAFE-A100 can verify an ECDSA signature by using a public key provided by
the local host. This mechanism can offload a local application processor with limited
computing power and no elliptic curve cryptography accelerator. It is typically used for
the secure boot or secure firmware update of the local host.
• Host authentication
With its public key slot, the STSAFE-A100 can authenticate a local or remote host.
Successful authentication by the STSAFE-A100 grants the local or remote host access
to some authorized commands or memory partitions.
• Secure one-way counters (peripheral usage monitoring)
The manufacturer can limit the usage of disposable accessories or consumables to a
given value by presetting the secure one-way counters. These counters can only be
decremented.
• Memory partitioning
The STSAFE-A100 comes with 6 Kbytes of non-volatile memory split into areas, whose
read and write access rights can be configured to free access, local host access or
remote host access.
• Pairing and secure channel with the host
The STSAFE-A100 allows a secure channel to be set up with the local host based on
AES-128-bit keys for command authorization, command data encryption, response
data encryption and response authentication. Typically, this secure channel prevents
eavesdropping of sensitive information on the I²C line.
• Wrapping & unwrapping local or remote host envelopes
The STSAFE-A100 can be used to encrypt or decrypt data between the remote host
and the local host. The local host may also use the STSAFE-A100’s
encryption/decryption services to store sensitive data in local external storage such as
Flash memory.
1.2 STSAFE-A100’s environment
The STSAFE-A100 comes with a host library that can be ported to a wide range of general-purpose
microcontrollers or microprocessors. This library includes a command wrapper as
well as generic use cases.
STMicroelectronics also offers key provisioning services for storage of customer credentials
in a secure, certified environment.
1.3 Pin descriptions
Figure 3. SO8N pinout - Top view
[Figure: package pinout with pins RESET, VCC, GND, SCL, SDA and three NC pins]
Figure 4. UFDFPN8 pinout - Top view
[Figure: package pinout with pins RESET, VCC, GND, SCL, SDA and three NC pins]
Table 1. Pin description
Pin name    Description
RESET       Reset
VCC         Power supply
GND         Ground supply
SCL         Serial clock
SDA         Serial data
NC          Not connected
2 Revision history
Table 2. Document revision history
Date           Revision    Changes
03-Feb-2016    1           Initial release.
IMPORTANT NOTICE – PLEASE READ CAREFULLY
STMicroelectronics NV and its subsidiaries (“ST”) reserve the right to make changes, corrections, enhancements, modifications, and
improvements to ST products and/or to this document at any time without notice. Purchasers should obtain the latest relevant information on
ST products before placing orders. ST products are sold pursuant to ST’s terms and conditions of sale in place at the time of order
acknowledgment.
Purchasers are solely responsible for the choice, selection, and use of ST products and ST assumes no liability for application assistance or
the design of Purchasers’ products.
No license, express or implied, to any intellectual property right is granted by ST herein.
Resale of ST products with provisions different from the information set forth herein shall void any warranty granted by ST for such product.
ST and the ST logo are trademarks of ST. All other product or service names are the property of their respective owners.
Information in this document supersedes and replaces information previously supplied in any prior versions of this document.
© 2016 STMicroelectronics – All rights reserved