Building Trust Through Certification Of Security Solutions

Ensuring components of an IC meet security standards before integration.


Certification is all around us in our daily lives. When it comes to making decisions, we look for certain labels, stamps, and symbols indicating that products and services have been assessed or tested. If you are buying a new car, you may review NCAP (New Car Assessment Program) test results. If you are getting electrical work done at your home, you will choose a certified professional. And if you are looking for toys for your kids that are safe for them to play with, you will look out for a specific safety label.

As more of our daily activities are now conducted online using IoT (Internet of Things) devices that collect and exchange our most valuable personal data, we rely on products meeting high security standards. We need to know the phone we use for banking, the device we use to monitor our health, and the security system we use for our home cannot be hacked. A certificate may prove this by providing evidence that a product meets or has achieved compliance with specific standards developed, reviewed, and maintained by industry experts.

Security testing and certification is not new, but there are still only a few recognized security schemes. Testing of smartcards has been around since the early 1990s in Europe and evolved to use the Common Criteria (CC) scheme that we have today. CC is also known as ISO 15408. FIPS 140 started in the mid-1990s under the auspices of NIST (National Institute of Standards and Technology) in the USA. The Cryptographic Module Validation Program (CMVP) within FIPS 140 is operated jointly by NIST and the Canadian Communications Security Establishment (CSE).

Recently, some new schemes have emerged called SESIP (Security Evaluation Standard for IoT Platforms) and PSA Certified (Platform Security Architecture). These schemes were developed to enable lighter, more agile security certification for IoT devices, where the expense and documentation required by Common Criteria certification would be too onerous given the speed at which these products are developed and brought to market.

A security evaluation process is normally performed on the final product. This makes sense given that the implementation, synthesis of the design, and place and route on the silicon chip are all elements where errors can occur. But this also comes with risk. What happens if you get to the end of the design and manufacturing process only to find out that something is not compliant?

Complex ICs consist of many individual components or IP blocks; these components may implement critical security features such as a Root of Trust or perform cryptographic algorithm acceleration. Testing components of the IC can provide confidence that the component satisfies the required standard or performs a specific security function correctly before integration. Of course, the final product still needs to be tested, but the overall risk of expensive and lengthy delays in time-to-market is reduced.

In summary, more products, particularly in a connected world, now need to be secure, and we are seeing a movement towards security being treated like safety; that is, a fundamental part of the product. Consumers are reassured when products are evaluated against a recognized standard and certification can be a key brand differentiator for companies. As the leading provider of security IP, Rambus invests time and effort in certifying many of its embedded security designs to various security standards. Tests are performed by independent test laboratories to show customers that these products comply with relevant standards, that they have passed the cryptographic algorithm and module validation, and that they are secure by design.
