The SimpleLink Wi-Fi CC3235MODx and CC3235MODAx internet-on-a chip module enhances the security capabilities available for development of IoT devices, while completely offloading these activities from the MCU to the networking subsystem. The security capabilities include the following key features:
Wi-Fi and Internet Security:
- Personal and enterprise Wi-Fi security
- Personal standards
- AES (WPA2-PSK)
- TKIP (WPA-PSK)
- WEP
- Enterprise standards
- EAP Fast
- EAP PEAPv0/1
- EAP PEAPv0 TLS
- EAP PEAPv1 TLS EAP LS
- EAP TLS
- EAP TTLS TLS
- EAP TTLS MSCHAPv2
- Secure sockets
- Protocol versions: SSL v3, TLS 1.0, TLS 1.1, TLS 1.2
- Powerful crypto engine for fast, secure Wi-Fi and internet connections with 256-bit AES encryption for TLS and SSL connections
- Ciphers suites
- SL_SEC_MASK_SSL_RSA_WITH_RC4_128_SHA
- SL_SEC_MASK_SSL_RSA_WITH_RC4_128_MD5
- SL_SEC_MASK_TLS_RSA_WITH_AES_256_CBC_SHA
- SL_SEC_MASK_TLS_DHE_RSA_WITH_AES_256_CBC_SHA
- SL_SEC_MASK_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
- SL_SEC_MASK_TLS_ECDHE_RSA_WITH_RC4_128_SHA
- SL_SEC_MASK_TLS_RSA_WITH_AES_128_CBC_SHA256
- SL_SEC_MASK_TLS_RSA_WITH_AES_256_CBC_SHA256
- SL_SEC_MASK_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
- SL_SEC_MASK_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
- SL_SEC_MASK_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
- SL_SEC_MASK_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
- SL_SEC_MASK_TLS_RSA_WITH_AES_128_GCM_SHA256
- SL_SEC_MASK_TLS_RSA_WITH_AES_256_GCM_SHA384
- SL_SEC_MASK_TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
- SL_SEC_MASK_TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
- SL_SEC_MASK_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- SL_SEC_MASK_TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- SL_SEC_MASK_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
- SL_SEC_MASK_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
- SL_SEC_MASK_TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
- SL_SEC_MASK_TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
- SL_SEC_MASK_TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256
- Server authentication
- Client authentication
- Domain name verification
- Runtime socket upgrade to secure socket – STARTTLS
- Secure HTTP server (HTTPS)
- Trusted root-certificate catalog – Verifies that the CA used by the application is trusted and known secure content delivery
- TI root-of-trust public key – Hardware-based mechanism that allows authenticating TI as the genuine origin of a given content using asymmetric keys
- Secure content delivery – Allows encrypted file transfer to the system using asymmetric keys created by the device
Code and Data Security:
- Network passwords and certificates are encrypted and signed
- Cloning protection – Application and data files are encrypted by a unique key per device
- Access control – Access to application and data files only by using a token provided in file creation time. If an unauthorized access is detected, a tamper protection lockdown mechanism takes effect
- Encrypted and authenticated file system
- Secured boot – Authentication of the application image on every boot
- Code and data encryption – User application and data files are encrypted in sFlash
- Code and data authentication – User Application and data files are authenticated with a public key certificate
- Offloaded crypto library for asymmetric keys, including the ability to create key-pair, sign and verify data buffer
- Recovery mechanism
Device Security:
- Separate execution environments – Application processor and network processor run on separate Arm cores
- Initial secure programming – Allows for keeping the content confidential on the production line
- Debug security
- JTAG lock
- Debug ports lock
- True random number generator
Figure 8-2 shows the high-level structure of the CC3235S and CC3235SF devices that are contained within the CC3235MODS and CC3235MODSF modules, respectively. The application image, user data, and network information files (passwords, certificates) are encrypted using a device-specific key.