Secure Software for the Internet of Things

Allegro Cryptography Engine – ACE™

Embedded FIPS 140-2 Cryptography

FIPS 140-2 Level 2 Logo

The Allegro Cryptography Engine (ACE) is a platform-independent, high-performance, resource-sensitive, embedded FIPS 140-2 validated cryptography engine specifically engineered for the rigors of embedded computing. ACE enables OEMs to add sophisticated FIPS-approved encryption technology to their designs and dramatically speed the development cycle. The ACE cryptography library is designed to meet the requirements needed for FIPS 140-2 validation.

Embedded systems with the capability to communicate independently are appearing in virtually all industries. The rapid adoption and deployment of modern communication technologies have enabled new applications in healthcare, military applications, energy management, consumer devices and many other areas. With these capabilities comes the need for embedded device security. Any network-enabled device must be considered a potential target for malicious intent. Encryption of sensitive data while in motion or at rest is a key component of thwarting malicious attacks and reducing risk.

ACE is a cryptographic library module for embedded computing systems that provides validated software implementations of FIPS-approved algorithms for the calculation of message digests, digital signature creation and verification, bulk encryption and decryption, key generation and key exchange. Used stand-alone or pre-integrated with other Allegro toolkits, ACE provides CAVP-validated implementations of sophisticated FIPS-approved encryption algorithms for use in embedded systems.

In 2005, the National Security Agency (NSA) defined a set of cryptographic algorithms that, when used together, are the preferred method for assuring the security and integrity of information passed over public networks such as the Internet. Today, Suite B is globally recognized as an advanced standard for cryptography that defines algorithms and strengths for encryption, hashing, calculating digital signatures and key exchange. ACE includes a platform-independent, CAVP-validated implementation of the NSA Suite B defined suite of cryptographic algorithms. ACE is delivered as ANSI C source.

Securing Data In Motion

Many IoT applications collect and correlate valuable sensitive information at the edge of the Internet and routinely transmit it securely to servers in the cloud. TLS and DTLS are the de facto standards for keeping data secure when communicating with servers in the cloud. Allegro’s RomTLS, an embedded TLS and DTLS toolkit, tightly integrates FIPS-validated cryptography with a standards-based, embedded implementation of TLS/DTLS to keep your data secure while in motion. RomTLS is additionally integrated to make use of ACE’s support of Suite B algorithms (RFC 6460).

Securing Data At Rest

Allegro’s secure data-at-rest solution is tightly integrated with ACE validated FIPS 140-2 cryptography. Before offloading data to cloud-based applications, any sensitive information stored by IoT devices faces numerous threats and risks of unintentional exposure. Adding data encryption to the transmission process has been the traditional method for reducing this risk. However, simply encrypting data transmissions doesn’t fully address many of the threats aimed at recovering small segments of data or potentially the entire collection. The Allegro AE and Allegro Cryptography Engine (ACE) product suite provides IoT design engineers the ability to proactively address the threat surface created when storing sensitive data on persistent media. Rather than encrypting data at a volume or drive level where exposing a single set of keys potentially compromises a significant amount of sensitive data, Allegro’s secure data-at-rest solution encrypts information at the file level.

ACE can be used stand-alone or pre-integrated with Allegro’s suite of embedded device security protocols, such as TLS and SSH, in addition to the full RomPager suite of Internet software for embedded devices, which includes Web services using HTTP, XML, and SOAP.

TM: A Certification Mark of NIST, which does not imply product endorsement by NIST, the U.S. or Canadian Governments

ACE – FIPS Mode

Digital Signature Algorithms

  • RSA (FIPS 186-4) Key lengths: 2048, 3072
    • Padding Modes: ANSI X9.31, PKCS #1v1.5, PSS
  • DSA (FIPS 186-4) Key lengths: 2048, 3072
  • ECDSA (FIPS 186-4) Curves: NIST P-224, P-256, P-384, P-521

Symmetric Keys

  • AES Key lengths: 128, 192, 256
    • Modes: ECB, CBC, CTR, CFB1, CFB8, CFB128, OFB, CCM
  • AES-GCM Key lengths: 128, 192, 256
  • AES-XTS Key lengths: 128, 256
  • TripleDES
    • Modes: ECB, CBC, CFB1, CFB8, CFB64, OFB

Hash Functions

  • SHA-1
  • SHA-224
  • SHA-256
  • SHA-384
  • SHA-512
  • SHA3-224
  • SHA3-256
  • SHA3-384
  • SHA3-512

Message Authentication

  • HMAC-SHA-1
  • HMAC-SHA-224
  • HMAC-SHA-256
  • HMAC-SHA-384
  • HMAC-SHA-512
  • AES-GMAC Key lengths: 128, 192, 256
  • AES-CMAC Key lengths: 128, 192, 256

Key Agreement

  • DH (NIST SP 800-56A)
  • ECDH Curves: NIST P-224, P-256, P-384, P-521

Key Derivation

  • Password-Based Key Derivation Function 2 (PBKDF2)
  • TLS Key Derivation Functions

Random Number Generator

  • DRBG (NIST SP 800-90B)

ACE – Non-FIPS Mode

All of the above in addition to the following:

Digital Signature Algorithms

  • RSA: arbitrary key lengths 1024, 2048, 3072
  • DSA: arbitrary key lengths 1024, 2048, 3072

Symmetric Keys

  • DES
  • RC4

Hash Functions

  • MD2
  • MD4
  • MD5

Message Authentication

  • HMAC-MD5

CAVP Validation References

AES Validation

http://csrc.nist.gov/groups/STM/cavp/documents/aes/aesval.html#2671

DSA Validation

https://csrc.nist.gov/Projects/Cryptographic-Algorithm-Validation-Program/Validation/Validation-List/DSA#810

RSA Validation

http://csrc.nist.gov/groups/STM/cavp/documents/dss/rsaval.html#1197

ECDSA Validation

http://csrc.nist.gov/groups/STM/cavp/documents/dss/ecdsanewval.html#465
http://csrc.nist.gov/groups/STM/cavp/documents/dss/ecdsanewval.html#379
http://csrc.nist.gov/groups/STM/cavp/documents/dss/ecdsanewval.html#367

Triple-DES

http://csrc.nist.gov/groups/STM/cavp/documents/des/tripledesval.html#1459

SHA Validation

http://csrc.nist.gov/groups/STM/cavp/documents/shs/shaval.htm#1997

HMAC Validation

http://csrc.nist.gov/groups/STM/cavp/documents/mac/hmacval.html#1430

ECC Component Validations

http://csrc.nist.gov/groups/STM/cavp/documents/components/componentnewval.html#148
http://csrc.nist.gov/groups/STM/cavp/documents/components/componentnewval.html#50
http://csrc.nist.gov/groups/STM/cavp/documents/components/componentnewval.html#43

DRBG Validation

http://csrc.nist.gov/groups/STM/cavp/documents/drbg/drbgval.html#286

NIST CMVP Validation Reference

Validated FIPS 140-2 Cryptographic Modules

http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm

Features and Benefits

  • Small code footprint – More resources available for application features
  • ANSI C Source Code Distribution – Broad processor architecture support, eases porting and support
  • Processor, RTOS and TCP/IP stack agnostic – Allegro’s products will work with new or existing hardware and software designs
  • Flexible Security and External Security support – Use software encryption or, if available, make use of hardware cryptography acceleration
  • Compilation switches for size, feature and speed trade-offs – Allows the development team to optimize for system resources

Supported RFCs

System Requirements

  • Processor Architecture – Works with any 16-bit, 32-bit or 64-bit processor
  • Operating System (OS) – Works with any OS vendor and will function without an OS if needed
  • Compiler – ANSI C

Allegro Software
1740 Massachusetts Avenue
Boxborough, MA 01719

Copyright © 2018, Allegro Software Development Corporation
All Rights Reserved