Secure Attestation

The True You.

Many IoT Devices have unique identities (UID's) but the UID is public and can be copied. Copies are a problem for an account and product authenticity which can threaten a business model and the security of a user account. Silicon Labs products have unique device certificates generated during IC production. The device certificate includes a public key that is signed by a Silicon Labs private key which is a secret that never leaves the secure key storage on the chip.

The secure element uses an attestation command that allows it to prove itself to a cloud by validation against the Silicon Labs certificate chain. Developers of Silicon Labs products can create their own device certificates during their production.

In any IoT system deployed today, it is very difficult to determine if a rouge or counterfeit device has joined your network. These fake products can erode your revenue stream and your brand, or, they can be used for even more malicious purposes like launching pivot attacks into your information databases. Therefore, it is imperative to be able to attest the authenticity with absolute certainty any device that joins your IoT network.

Secure Attestation, which is a Secure Vault feature, begins with a secure identity that is created during manufacture at Silicon Labs. The chip itself creates a public/private key pair on the die during final testing. That private key is securely stored locally and never leaves the chip and is not even known by Silicon Labs. The corresponding public key is then inserted into a device certificate which is inserted back into the chip. Each Secure Vault enabled chip leaving our factory contains a secret private key and a birth certificate of manufacture protected by Secure Vault features.

This secure identity is the key to being able to perform a secure attestation. Once a product is manufactured with a Secure Vault part with its secure identity from Silicon Labs, it can be authenticated at any time in the life of that product. The production certification chain can be requested remotely from the product and the Silicon Labs Certificate Authority website. Once that chain is retrieved, it can be used to verify that the device was produced by Silicon Labs validating the authenticity of the device. In addition to the verification of the birth certificate chain, the die itself can be validated by sending a challenge to the chip and having it sign the challenge with the secret private key that never left the chip. That signature can then be checked by the device public key in the retrieved device certificate, if it matches, then you can be absolutely sure that this is the same die that left our factory.