Introduction to Secure Elements and Hardware Authentication

Learn how to add a secure element to your design to enable device-to-cloud authentication, firmware protection, and custom PKIs with the Microchip CryptoAuthentication series.

Training starting at


with one of our subscriptions



This is an introductory course to the Microchip CryptoAuthentication ecosystem, focusing on the ATECC608. The ATECC608 is a secure element IC that performs ECDSA, ECDH, AES, and supports various embedded security use cases. This class will cover the major use-cases of this part including local and cloud applications.

Topics Covered in this course :

  • Asymmetric and Symmetric Authentication
  • The inner workings of Transport Layer Security
  • Microchip ATECC608 and the TrustPlatform Design Suite
  • The cryptoauthlib library and Python bindings
  • Design considerations for various secure use cases including anti-counterfeiting, device authentication, and firmware protection
  • Azure, AWS, and Google Cloud IoT registration

Day 1 - Introduction to TrustPlatform

  • Overview of the ATECC608
  • TrustFlex vs Trust&Go vs TrustCustom
  • How to use TrustPlatform to validate and prep your designs
  • Tour of CryptoAuthLib
Assignment 1: Trust&Go
  • Students will familiarize themselves with TrustPlatform
  • Using the pre-configured Trust&Go they will send commands in python to the part
  • Students will exercise different ATECC commands like ecdsa_sig and understand how the python interfaces with the C library
Assignment 2:Firmware Validation
  • Students will configure their ATECC608 to support the secure boot flow
  • Using TrustPlatform, students will execute the secure boot commands
  • We will discuss design tradeoffs of using the secure boot features on the ATECC608 vs other MCUs/MPU secure boot features.
Assignment 3:Public Key Rotation
  • Students will create a test PKI with a parent and sub-public/private key pair.
  • They will configure the ATECC608 to support this rotation
  • Students will then, send a message to the part to rotate (update) the trusted public key
Assignment 4: IP / Firmware Protection
  • We will motivate the use-case with examples of when to use IP protection to pair MCUs to the ATECC
  • We will configure the part to support a symmetric key authentication flow
  • Students will send the appropriate commands to the part to verify a simulated firmware
Assignment 5: Accessory Authentication
  • In this scenario, we will focus on the use case of a product wanting to authenticate an accessory
  • Students will understand the trade offs between symmetric and asymmetric authentication flows
  • Using TrustPlatform, we will configure, demonstrate, and execute the flows.

Day 2 - Device to Cloud Flows

  • Overview of the Azure and AWS IoT systems
  • PKI overview for the ATECC
  • Embedded TLS options
  • Registration and Provisioning
Assignment 6: Custom PKI in the ATECC608
  • We will discuss how the PKI is created and configured for TrustFlex and TrustCustom
  • Students will create a test PKI and associate it with the part
  • Students will execute the commands to load, configure and execute over the python TrustPlatform to validate their setup
Assignment 7: Azure Device Registration
  • We will discuss the options for Azure Device Provisioning
  • Students will familiarize themselves with the Azure command tools
  • Students will use the Proof-of-Possession flow to register a CA
Assignment 8: AWS IoT Registration
  • Similar to Azure we will repeat all the steps for AWS
  • Students will understand the different device registration flow
  • Students will perform JIT registration with AWS tools
Assignment 9: Google Connect
  • Introduction to JWT authentication and how it differs from x.509
  • Students will use various python tools to build and interact with JWT
  • We will demonstrate and students will perform the Google registration process.
Assignment 10: Demos
  • Demo of cryptoauthlib running on a SAML11 using the c cryptoauthlib
  • Demo of cryptoauthlib running on an embedded Linux platform on a SAMA5D2
  • Demo of the Cryptotronix Quartermaster, a provisioning tool that also supports the Cryptoauth product line
  • Demo of the Cryptotronix Strongheld solution, which does low power wireless to cloud authentication.
Training by Josh Datko

Josh Datko is an embedded systems engineer, security researcher and former submarine officer. Josh is best known for his part in the NSA Playset, as well as his research into cryptocurrency wallets.

Can't attend? All of our trainings are also available as a private classes for your company.

Access all of our classes and profesionally edited recordings.
All of our courses are also available as private trainings.
Courses are offered multiple times in different timezones.