Allegro Cryptography Engine – ACE™
Security and Connectivity for the IoT Edge
Embedded FIPS Cryptography
The Allegro Cryptography Engine (ACE) is a
ACE
Embedded systems are appearing in virtually all industries with the capability to communicate independently. The rapid adoption and deployment of modern communication technologies have enabled new applications in healthcare, military applications, energy management, consumer devices
ACE is a cryptographic library module for embedded computing systems that
Securing Data In Motion
Many IoT applications often collect and correlate valuable sensitive information at the edge of the Internet and routinely transmit it to servers in the cloud securely. TLS and DTLS are the “defacto” standards for keeping data secure when communicating with servers in the cloud. Allegro’s RomSTL, embedded TLS, and DTLS toolkit, tightly integrates FIPS validated cryptography with a standards-based, embedded implementation of TLS/DTLS to keep your data secure while in motion. RomTLS is additionally integrated to make use of ACE’s support of Suite B algorithms (RFC 6460).
Securing Data At Rest
Allegro’s secure data-at-rest solution is tightly integrated with ACE validated FIPS cryptography. Before offloading data to cloud-based applications, any sensitive information stored by IoT devices faces numerous threats and risks of unintentional exposure. Adding data encryption to the transmission process has been the traditional method for reducing this risk. However, simply encrypting data transmissions doesn’t fully address many of the threats aimed at recovering small segments of data or potentially the entire collection. Allegro’s Secure IoT Suite provides IoT design engineers the ability to proactively address the threat surface created when storing sensitive data on persistent media. Rather than encrypting data at a volume or drive level where exposing a single set of keys potentially compromises a significant amount of sensitive data, Allegro’s secure data-at-rest solution encrypts information at the file level.
ACE can be used stand-alone or pre-integrated with Allegro’s Secure IoT Suite.
TM: A Certification Mark of NIST, which does not imply product endorsement by NIST, the U.S. or Canadian Governments
ACE – FIPS Mode
Digital Signature Algorithms
- RSA (FIPS 186-4) Key lengths: 2048, 3072
- Padding Modes: ANSI X9.31, PKCS #1v1.5, PSS
- DSA (FIPS 186-4) Key lengths: 2048, 3072
- ECDSA (FIPS 186-4) Curves: NIST P-224, P-256, P-384, P-521
Symmetric Keys
- AES Key lengths: 128, 192, 256
- Modes: ECB, CBC, CTR, CFB1, CFB8, CFB128, OFB, CCM
- AES-GCM Key lengths: 128, 192, 256
- AES-XTS Key lengths: 128, 256
- TripleDES
- Modes: ECB, CBC, CFB1, CFB8, CFB64, OFB
Hash Functions
- SHA-1
- SHA-224
- SHA-256
- SHA-384
- SHA-512
- SHA3-224
- SHA3-256
- SHA3-384
- SHA3-512
Message Authentication
- HMAC-SHA-1
- HMAC-SHA-224
- HMAC-SHA-256
- HMAC-SHA-384
- HMAC-SHA-512
- AES-GMAC Keylengths: 128, 192, 256
- AES-CMAC Keylengths: 128, 192, 256
Key Agreement
- DH (NIST SP 800-56A)
- ECDH Curves: NIST P-224, P-256, P-384, P-521
Key Derivation
- Password-Based Key Derivation Function 2 (PBKDF2)
- TLS Key Derivation Functions
Random Number Generator
- DRBG (NIST SP 800-90B)
ACE – Non-FIPS Mode
All of the above in addition to the following:
Digital Signature Algorithms
- RSA: arbitrary key lengths 1024, 2048, 3072
- DSA: arbitrary key lengths 1024, 2048, 3072
Symmetric Keys
- DES
- RC4
Hash Functions
- MD2
- MD4
- MD5
Message Authentication
- HMAC-MD5
Features |
Benefits |
---|---|
Small code footprint |
More resources available for application features |
ANSI C Source Code Distribution |
Broad processor architecture support, eases porting and support |
Processor, RTOS and TCP/IP stack agnostic |
Allegro’s products will work with new or existing hardware and software designs |
Flexible Security and External Security support |
Use software encryption or if available make use of hardware cryptography acceleration |
Compilation switches for size, feature and speed trade-offs |
Allows the development team to optimize for system resources |
Supported RFCs
- FIPS PUB 140-2, Security Requirements for Cryptographic Modules
- FIPS PUB 180-3, Secure Hash Standard
- FIPS PUB 186-3 Digital Signature Standard (DSS)
- FIPS PUB 197, Specification for the ADVANCED ENCRYPTION STANDARD (AES)
- FIPS PUB 198, The Keyed-Hash Message Authentication Code (HMAC)
- Special Publication 800-38B, Recommendation for Block Cipher Modes of Operation: The CMAC Mode for Authentication
- Special Publication 800-38D, Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC
- Special Publication 800-56A, Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography
- Special Publication 800-89, Recommendation for Obtaining Assurances for Digital Signature Application
- DRBG NIST Special Publication 800-90A, Recommendation for Random Number Generation Using Deterministic Random Bit Generators, section 10.1.1 Hash_DRBG.
- RFC2898 – PBKDF PKCS #5: Password-Based Cryptography Specification, Version 2.0
- PKCS #7: Cryptographic Message Syntax Standard
- PKCS #8: Private-Key Information Syntax Standard
- The Advanced Encryption Standard Algorithm Validation Suite (AESAVS)
- The FIPS 186-3 Digital Signature Algorithm Validation System (DSA2VS)
- The FIPS 186-3 Elliptic Curve Digital Signature Algorithm Validation System (ECDSA2VS)
- The 186-3 RSA Validation System (RSA2VS)
- The Secure Hash Algorithm Validation System (SHAVS)
- The NIST SP 800-90A Deterministic Random Bit Generator Validation System (DRBGVS)
- The Key Agreement Schemes Validation System (KASVS)
- The CMAC Validation System (CMACVS)
- The CCM Validation System (CCMVS)
- The Galois/Counter Mode (GCM) and GMAC Validation System (GCMVS)
- The Keyed-Hash Message Authentication Code Validation System (HMACVS)
- Modes of Operation Validation System for the Triple Data Encryption Algorithm (TMOVS):
- NIST Special Publication 800-131A Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths
System Requirements
- Processor Architecture – Works with any 16-bit, 32-bit or 64-bit processor
- Operating System(OS) – Works with any OS vendor and will function without an OS if needed
- Compiler – ANSI C
NIST CVMP Validation Reference
Validated FIPS Cryptographic Modules
Certificate Number | Status | Date |
3432 | Active | 4/11/2019 |
2966 | Active | 7/20/2017 |
2048 | Historical | 2/20/2014 |
CAVP Validation References
AES Validation
Validation Number | Date |
AES 5574 | 7/27/2018 |
AES 5573 | 7/27/2018 |
AES 4121 | 10/14/2016 |
AES 2671 | 11/8/2013 |
AES 2314 | 1/18/2013 |
AES 2271 | 11/15/2012 |
DSA Validation
Validation Number | Date |
DSA 1116 | 10/14/2016 |
DSA 810 | 11/8/2013 |
DSA 728 | 1/18/2013 |
DSA 708 | 11/15/2012 |
RSA Validation
Validation Number | Date |
RSA 3000 | 7/27/2018 |
RSA 2999 | 7/27/2018 |
RSA 2227 | 10/14/2016 |
RSA 1374 | 11/8/2013 |
RSA 1197 | 1/8/2013 |
RSA 1164 | 11/15/2012 |
ECDSA Validation
Validation Number | Date |
ECDSA 1505 | 7/27/2018 |
ECDSA 1504 | 7/27/2018 |
ECDSA 936 | 10/14/2016 |
ECDSA 465 | 11/8/2013 |
ECDSA 379 | 1/18/2013 |
ECDSA 367 | 11/15/2012 |
Triple-DES
Validation Number | Date |
TDES 2251 | 10/14/2016 |
TDES 1602 | 11/8/2013 |
TDES 1459 | 1/18/2013 |
TDES 1418 | 11/15/2012 |
SHA Validation
Validation Number | Date |
SHS 4478 | 7/27/2018 |
SHS 4477 | 7/27/2018 |
SHS 3390 | 10/14/2016 |
SHS 2243 | 11/8/2013 |
SHS 1997 | 1/8/2013 |
SHS 1952 | 11/15/2012 |
SHA-3 Validation
Validation Number | Date |
SHA-3 8 | 7/27/2018 |
SHAKE Validation
Validation Number | Date |
SHA-3 8 | 7/27/2018 |
DRBG Validation
Validation Number | Date |
DRBG 2224 | 7/27/2018 |
DRBG 2223 | 7/27/2018 |
DRBG 1241 | 10/14/2016 |
DRBG 430 | 11/8/2013 |
DRBG 286 | 1/8/2013 |
DRBG 279 | 11/15/2012 |
Component Validations
KDF-TLS Validations
Validation Number | Date |
Component 2062 | 9/7/2018 |
Component 2061 | 9/7/2018 |
Component 1074 | 1/27/2017 |
KAS-FFC Validations
Validation Number | Date |
Component 927 | 10/14/2016 |
Component 148 | 11/8/2013 |
Component 43 | 11/15/2012 |
KAS-ECC Validations
Validation Number | Date |
Component 2005 | 7/27/2018 |
Component 2004 | 7/27/2018 |
Component 927 | 10/14/2016 |
Component 148 | 11/8/2013 |
Component 50 | 1/8/2013 |
Component 43 | 11/15/2012 |
HMAC-SHA2 Validations
Validation Number | Date |
HMAC 3715 | 7/27/2018 |
HMAC 3714 | 7/27/2018 |
HMAC 2692 | 10/14/2016 |
HMAC 1661 | 11/8/2013 |
HMAC 1430 | 1/8/2013 |
HMAC 1390 | 11/15/2012 |
WHITEPAPERS
ARTICLES