Secure Software for the Internet of Things
Internet Software for Embedded Devices
Today, the Internet connects billions of users worldwide and is an integral part of how people work, play, and communicate. Research shows that billions of “smart” devices are active members of the networked world busily collecting, securely distributing and acting upon all forms of data. As the premier provider of Internet and Security software for embedded applications, Allegro services OEM manufacturers creating “smart“ and secure devices with easy to use, feature-rich Internet enabling software toolkits.
The Allegro AE Product Suite delivers powerful Internet and device security technology specifically engineered for the rigors of embedded computing to OEM design engineering teams. The Allegro AE suite offers IPv4 and IPv6 operation enabling OEM manufactures to build secure embedded device management architectures that perform seamlessly in IPv4 and IPV6 networking environments alike. The Allegro AE product suite is pre-integrated with the ACE™ (Allegro Cryptography Engine) FIPS 140-2 level 2 validated cryptography module, enabling manufacturers to add standards-based cryptography to resource-sensitive embedded systems quickly, easily, and reliably while decreasing time to market. The family of Allegro AE product toolkits deliver field-proven standards-based protocol components to securely serve Web pages, images or applets, securely retrieve files from resources on the Web, quickly create a secure and robust Command Line Interface (CLI), and exchange XML and SOAP messaging with enterprise or cloud-based computing and storage resources.
Shipping inside over 200 million products with over 300 design wins worldwide, Allegro is a leading OEM supplier of embedded networking technology. The entire product family is delivered as ANSI-C source and has been ported to all major processor and RTOS platforms. All products utilize a field-proven software abstraction layer to provide an interface to any RTOS, TCP/IP protocol stack and file system environment. Delivered as stand-alone products or as a pre-integrated suite, Allegro’s toolkits offer unprecedented design flexibility and scalable Internet networking solutions for your design needs.
The RomWebClient AE toolkit is a full-featured HTTP 1.0/1.1 Web client that retrieves and stores objects from any remote Web server using HTTP over IPv4 or IPv6. Objects can be in any format and are stored in memory or in an optional file system. The toolkit also supports caching, cookies, HTTP pipelining capabilities, and advanced HTTP streaming.
RomSTL is a small, resource sensitive TLS client and server solution specifically engineered for embedded systems. RomSTL is pre-integrated with the full suite of RomPager AE products making it easy to envoke TLS as needed. RomSTL supports the latest RFC standards for TLS 1.0, TLS 1.1, and TLS 1.2 secure server and client sessions. The toolkit is hardware and software platform agnostic and written from the ground up for efficiency. The encryption protocols interoperate with any secure browser or server and include FIPS 140-2 validated RSA, RC4, DES, 3DES, SHA, AES, and Suite B algorithms.
RomXML AE and RomXOAP AE
The RomXML AE toolkit is a small eXtensible Markup Language (XML) implementation that enables your embedded device to send (frame) and receive (parse) XML documents. Using XML in your embedded designs provides for free-format interchange of data and is widely accepted in the device management, remote sensing, and enterprise IT communities. Allegro’s RomXML AE has been designed from the ground up for use in embedded devices that often have limited resources. Written in ANSI-C, the toolkit offers built-in capabilities to convert internal data between C language structures and XML documents. The RomXOAP AE toolkit builds upon the capabilities of RomXML AE and offers design engineers a comprehensive solution for creating connectivity between embedded designs and enterprise IT environments utilizing standards-based SOAP technology. Available as stand-alone toolkits or tightly integrated with the other RomPager AE suite of products, RomXML AE and RomXOAP AE provide the foundation for enabling embedded devices with XML, SOAP, XML-RPC, REST, and Web Services capabilities.
The RomCLI AE toolkit is used to build Command Line Interfaces (CLI) similar to Cisco IOS-based products. The RomCLI AE toolkit includes the CliBuilder offline compiler for preparing command definitions along with RomTelnet, a Telnet server, and RomConsole supporting serial communications. A unique variable access structure allows your embedded development team to use the same access functions for RomPager AE, RomCLI AE, and SNMP. Because security is always a concern when connecting embedded devices to a network, RomCLI AE is often used in conjunction with RomSShell AE to provide a Secure Shell interface for device management.
RomSShell is an embedded Secure Shell version 2 (SSH) toolkit. SSH provides encrypted communications between hosts over an insecure network. RomSShell offers a range of client authentication options in addition to X.509 public-key certificates. RomSShell can also be used for port forwarding (sometimes called SSH tunneling), allowing you to arbitrarily tunnel secure TCP connections. RomSShell AE also supports the latest RFCs for implementing Suite B with Secure Shell.
RomCert is a platform-independent implementation of the Online Certificate Status Protocol (OCSP) and the Simple Certificate Enrollment Protocol (SCEP) and makes embedding security certificate management into resource sensitive embedded systems and consumer electronics fast, easy, and reliable while decreasing time to market.
ACE – Allegro Cryptography Engine
Allegro’s suite of Embedded Device Security toolkits makes embedding standards-based security protocols into resource sensitive embedded systems and consumer electronics fast, easy and reliable. The ACE (Allegro Cryptography Engine) toolkit is a cryptographic library module specifically engineered to meet the critical needs of embedded computing systems in addition to fulfilling the requirements needed for FIPS 140-2 level 2 validation. The module provides embedded systems developers with a common software interface to enable bulk encryption and decryption, message digests, digital signature creation and validation, and key generation and exchange. Suite B is an advanced standard for cryptography that defines algorithms and strengths for encryption, hashing, calculating digital signatures, and key exchange. ACE includes a platform independent, government validated implementation of the NSA Suite B defined suite of cryptographic algorithms.
Embedded FIPS 140-2 Cryptography
The Allegro Cryptography Engine (ACE) is a
Embedded systems are appearing in virtually all industries with the capability to communicate independently. The rapid adoption and deployment of modern communication technologies have enabled new applications in healthcare, military applications, energy management, consumer devices
ACE is a cryptographic library module for embedded computing systems that
Securing Data In Motion
Many IoT applications often collect and correlate valuable sensitive information at the edge of the Internet and routinely transmit it to servers in the cloud securely. TLS and DTLS are the “defacto” standards for keeping data secure when communicating with servers in the cloud. Allegro’s RomSTL, embedded TLS, and DTLS toolkit, tightly integrates FIPS validated cryptography with a standards-based, embedded implementation of TLS/DTLS to keep your data secure while in motion. RomTLS is additionally integrated to make use of ACE’s support of Suite B algorithms (RFC 6460).
Securing Data At Rest
Allegro’s secure data-at-rest solution is tightly integrated with ACE validated FIPS 140-2 cryptography. Before offloading data to cloud-based applications, any sensitive information stored by IoT devices faces numerous threats and risks of unintentional exposure. Adding data encryption to the transmission process has been the traditional method for reducing this risk. However, simply encrypting data transmissions doesn’t fully address many of the threats aimed at recovering small segments of data or potentially the entire collection. Allegro's Secure IoT Suite provides IoT design engineers the ability to proactively address the threat surface created when storing sensitive data on persistent media. Rather than encrypting data at a volume or drive level where exposing a single set of keys potentially compromises a significant amount of sensitive data, Allegro’s secure data-at-rest solution encrypts information at the file level.
ACE can be used stand-alone or pre-integrated with Allegro’s Secure IoT Suite.
TM: A Certification Mark of NIST, which does not imply product endorsement by NIST, the U.S. or Canadian Governments
ACE - FIPS Mode
Digital Signature Algorithms
- RSA (FIPS 186-4) Key lengths: 2048, 3072
- Padding Modes: ANSI X9.31, PKCS #1v1.5, PSS
- DSA (FIPS 186-4) Key lengths: 2048, 3072
- ECDSA (FIPS 186-4) Curves: NIST P-224, P-256, P-384, P-521
- AES Key lengths: 128, 192, 256
- Modes: ECB, CBC, CTR, CFB1, CFB8, CFB128, OFB, CCM
- AES-GCM Key lengths: 128, 192, 256
- AES-XTS Key lengths: 128, 256
- Modes: ECB, CBC, CFB1, CFB8, CFB64, OFB
- AES-GMAC Keylengths: 128, 192, 256
- AES-CMAC Keylengths: 128, 192, 256
- DH (NIST SP 800-56A)
- ECDH Curves: NIST P-224, P-256, P-384, P-521
- Password-Based Key Derivation Function 2 (PBKDF2)
- TLS Key Derivation Functions
Random Number Generator
- DRBG (NIST SP 800-90B)
ACE - Non-FIPS Mode
All of the above in addition to the following:
Digital Signature Algorithms
- RSA: arbitrary key lengths 1024, 2048, 3072
- DSA: arbitrary key lengths 1024, 2048, 3072
Small code footprint
More resources available for application features
ANSI C Source Code Distribution
Broad processor architecture support, eases porting and support
Processor, RTOS and TCP/IP stack agnostic
Allegro's products will work with new or existing hardware and software designs
Flexible Security and External Security support
Use software encryption or if available make use of hardware cryptography acceleration
Compilation switches for size, feature and speed trade-offs
Allows the development team to optimize for system resources
- FIPS PUB 140-2, Security Requirements for Cryptographic Modules
- FIPS PUB 180-3, Secure Hash Standard
- FIPS PUB 186-3 Digital Signature Standard (DSS)
- FIPS PUB 197, Specification for the ADVANCED ENCRYPTION STANDARD (AES)
- FIPS PUB 198, The Keyed-Hash Message Authentication Code (HMAC)
- Special Publication 800-38B, Recommendation for Block Cipher Modes of Operation: The CMAC Mode for Authentication
- Special Publication 800-38D, Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC
- Special Publication 800-56A, Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography
- Special Publication 800-89, Recommendation for Obtaining Assurances for Digital Signature Application
- DRBG NIST Special Publication 800-90A, Recommendation for Random Number Generation Using Deterministic Random Bit Generators, section 10.1.1 Hash_DRBG.
- RFC2898 - PBKDF PKCS #5: Password-Based Cryptography Specification, Version 2.0
- PKCS #7: Cryptographic Message Syntax Standard
- PKCS #8: Private-Key Information Syntax Standard
- The Advanced Encryption Standard Algorithm Validation Suite (AESAVS)
- The FIPS 186-3 Digital Signature Algorithm Validation System (DSA2VS)
- The FIPS 186-3 Elliptic Curve Digital Signature Algorithm Validation System (ECDSA2VS)
- The 186-3 RSA Validation System (RSA2VS)
- The Secure Hash Algorithm Validation System (SHAVS)
- The NIST SP 800-90A Deterministic Random Bit Generator Validation System (DRBGVS)
- The Key Agreement Schemes Validation System (KASVS)
- The CMAC Validation System (CMACVS)
- The CCM Validation System (CCMVS)
- The Galois/Counter Mode (GCM) and GMAC Validation System (GCMVS)
- The Keyed-Hash Message Authentication Code Validation System (HMACVS)
- Modes of Operation Validation System for the Triple Data Encryption Algorithm (TMOVS):
- NIST Special Publication 800-131A Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths
- Processor Architecture - Works with any 16-bit, 32-bit or 64-bit processor
- Operating System(OS) - Works with any OS vendor and will function without an OS if needed
- Compiler - ANSI C
NIST CVMP Validation Reference
Validated FIPS FIPS 140-2 Cryptographic Modules
|Certificate Number||Status||NIST Link|
CAVP Validation References
ECC Component Validations
KDF TLS Validation
KAS FFC Validation
KAS ECC Validation
HMAC SHA2 Validation