A710x family: Secure authentication microcontroller

The A710x family is a tamper resistant secure Micro Controller Unit (MCU) family using a dedicated security hardened MX51CPU. NXP® Semiconductors has a long track record in security MCUs. NXP ICs had been used in all kind of security applications like bank cards, health insurance cards, electronic passports, pay-tv cards or as embedded secure element in mobile phones. The A710x family features a significantly enhanced secure microcontroller architecture. Extended instructions for Java and C code, linear addressing and high speed at low power are among many other improvements added to the classic 80C51 core architecture.

The A710x family supports the following features:

The A710x family key benefits:

For more detailed information refer to following documentation:

The hardware data sheet explains the details of the A710x family product from a hardware point of view. It outlines figures like pinning diagram and power consumption but also provides all information needed to develop firmware running on the chip (ROM code).

The approved and modular PKI coprocessor architecture supports the trend of increasing RSA keys with faster execution speeds as well as Elliptic Curve Cryptography (ECC) based on GF(p) or GF(2n) at best performance. The PKI coprocessor supports RSA with an operand length of up to 8-kbit (up to 4-kbit with intermediate storage in RAM only).

The PKI coprocessor supports 192-bit ECC key length that offers the same level of security as 2048-bit RSA. An ECC GF(2n) based signature, using a 163-bit key can be executed in less than 30 ms providing a security level comparable to 1024-bit RSA. The operand size for ECC is only limited by the 2.5 KB size of the Crypto-RAM. The PKI coprocessor is easy to use and the flexible interface provides programmers with the flexibility to implement their own cryptography solutions.

Triple-DES coprocessor

The DES widely used for symmetric encryption is supported by a dedicated, high performance, highly attack-resistant hardware coprocessor. Single DES and triple-DES, based on two or three DES keys, can be executed within less than 40 μs. Relevant standards (ISO/IEC, ANSI, FIPS) and Message Authentication Code (MAC) are fully supported.

AES coprocessor

The A710x family secure microcontroller platform provides a dedicated high performance 128-bit parallel processing coprocessor to support secure AES. The implementation is based on FIPS197 as standardized by the National Institute for Standards and Technology (NIST), and supports key lengths of 128-bit, 192-bit, and 256-bit with performance levels comparable to DES. AES is the next generation for symmetric data encryption and recommended successor of DES providing a significantly improved security level.

I²C interface

The A710x family has an I²C interface supporting data rates up to 400 kbit/s operating in Fast-Mode (FM). Both operating modes, Master and Slave are supported. The I²C address is configurable by the embedded firmware.

SPI interface

The A710x family has a four wire SPI slave interface supporting data rates up to 2 Mbit for full-duplex and synchronous data transfer.

Universal Asynchronous Receiver/Transmitter (UART)

The A7103 uses a built-in Universal Asynchronous Receiver/Transmitter (UART) to support a Smart Card OneWire (SC1W) Protocol. The Protocol is using a one-wire based physical interface, a UART-based data link layer, an SMBus based network layer as well as a mapping layer to convey ISO/IEC 7816-4 based communication. The UART is software configurable to use any of the four IO ports.

General-Purpose IO ports

The A710x family has four general-purpose IO ports (partly multiplexed with the UART, I²C and SPI interface) which can be used for any purpose.

Optional on-chip cryptographic library

A secure crypto library providing a broad range of required functions will be available for all A710x devices in order to support customers implementing cryptographic solutions:

Optional on-chip operating system firmware: JCOP 2.4.2 (A710xC)

The A710x family can execute program code from its internal memories. The ROM is used to host program code and data either owned by NXP Semiconductors or provided by third-parties (custom ROM masked product).

NXP Semiconductors offers a Java Card Open Platform operating system called JCOP based on independent, third-party specifications, i.e. by Oracle, the Global Platform consortium, the International Organization for Standards (ISO), EMV (Europay, MasterCard and VISA) and others. The Java Card and GlobalPlatform industry standards together ensure ease of application development and application interoperability for developers. JCOP 2.4.2 compliant to Java Card specification V3.0.1 classic ; JCOP 2.4.2 compliant to Global Platform specification.

JCOP provides extended support for several industry-specific requirements. This support is given with the JCOPX API that comprises following functionality:

For more detailed information refer to following documentation:

User manual JCOP 2.4.2 Revision 1.0, JCOP V2.4.2 Revision 1.0 secure A7 MCU operating system, Document Number 2318xx

The User manual describes JCOP for the applet developer. It outlines the features available through the Java Card API. Also it explains any additional functionality at the Java layer. Also, this User manual contains the information on how to order A710x family products.

Hardware Data sheet, A710x family, secure authentication microcontroller, Document Number 2164xx

The Full data sheet explains the details of the A710x family product from a hardware point of view. It outlines figures like pinning diagram and power consumption.

A710x family with JCOP 2.4.1R1, secure authentication microcontroller, Document Number 2366xx

The data sheet explains the details of the A710x family product embedding a JCOP 2.4.2 R1 operating system from a hardware point of view. It outlines figures like pinning diagram and power consumption.

Optional X509 certificate-based client authentication

In addition to the A710x family secure MCU and the Java Card Open Platform operating system, the total solution includes an X.509 certificate-based client authentication application.

For more detailed information refer to following documentation:

Application note, Device Authentication APDU Specification, Document Number 2118xx

The applet user manual contains a detailed description of the authentication application on the A710x family product. It outlines the interface description including the APDU description and a description how to use the applet.

Trust provisioning service

The A710x family is delivered with pre-programmed, die-specific keys and certificates which are being generated and programmed in a certified (Common Criteria) secure NXP Semiconductors internal environment with master keys securely stored in HSMs (Hardware Secure Modules). Additional authentication software for the host (host-MCU or remote server) can also be included as part of the solution.

NXP Semiconductors offers a pre-personalizations service where customer specific initialization data can be preprogrammed. This data can be die individual card manager keys, symmetric DES-or AES keys, random data, X509 certificates, RSA signing keys or any other constant data like application code.

A710x family naming conventions

The following table explains the naming conventionsof the commercial product name of the A710x family products. Every A710x family product gets assigned such a commercial name, which includes also customer and application-specific data.

The A710x family commercial names have the following format.

A710xagpp(p)/mvsrrff

The ’A710’ is a constant, all other letters are variables, which are explained in the following:

Variable

Meaning

Values

Description

x

IC hardware specification code

1

standard operational ambient temperature: -25 °C to +90 °C I²C and SPI interface supported

2

standard operational ambient temperature: -40 °C to +90 °C I²C and SPI interface supported

3

standard operational ambient temperature: -25 °C to +90 °C. I²C and UART interface supported

a

embedded operating system code

A

JCOP V2.4.2 R0.95

C

JCOP V2.4.2 R1

Z

Custom ROM coded product

g

embedded application firmware (applet) code

G

Generic, no application layer firmware (i.e. JCOP applets) pre-installed

C

Customized, customer Applet pre-installed in ROM or EEPROM

A

Application firmware implementing generic X509 based client authentication

pp(p)

package type code

m

Manufacturing Site Code

T

v

Silicon Version Code

0

s

Silicon Version Subcode

B

rr

ROM Code ID

ff

FabKey ID

Security features

The A710x family security concept is combining a comprehensive portfolio of NXP Semiconductors security measures which is protecting the chip against all types of attacks. All in all there are more than 100 security features in an NXP Semiconductors security chip to protect against attacks from outside. NXP Semiconductors apply their extensive knowledge of chip security to harden the chip against any kinds of attacks.

The counter measures against reverse engineering attacks i.e. the dedicated security CPU designed in asynchronous handshaking circuit technology, the very dense sub-micron 5-metal-layer 0.14 μm technology, the NXP glue logic and active shielding technology are providing highest level of attack resilience which is unique in the market.

Secure Fetch Technology will significantly enhance the chip hardware security for a certain class of light and laser attacks to the chip hardware. More specifically, Secure Fetch offers increased protection against attacks with higher spatial resolution and against both those with shorter and with longer light pulses; both with single and with multiple pulses. It protects both the device memory and code fetching operations from ROM, RAM and EEPROM, greatly increasing the probability that fault injection attacks are detected. This unique security technology offers increased protection against future attack scenarios with light and laser sources, facilitating the development of highly secure software applications for customers.

The A710x family security concept includes dedicated HW measures to protect against any kind of leakage attacks. The Triple-DES coprocessor provides a high level of leak-resistance to 1st order DPA, thus equally well resilient against all kinds of leakage attacks.

The A710x family incorporates inherent and OS controlled security features:

Security licensing

NXP Semiconductors has obtained a patent license for SPA and DPA countermeasures from Cryptography Research Incorporated (CRI). This license covers both hardware and software countermeasures. It is important to customers that countermeasures within the operation system are covered under this license agreement with CRI. Further details can be obtained on request.

Outline 3d SOT617-3

The A710x family is a complete embedded security platform for mobile phones, portable devices, computing and consumer electronic devices, and embedded systems where a strong security infrastructure is required. The A710x family provides an outstanding level of security, while overcoming the challenges of performance, power consumption and solution footprint. Its flexible architecture offers brand owners and device manufacturers a robust solution that can be tailored to meet today’s demanding embedded security requirements. The A710x family can be used in various host platforms and host operating systems to secure a broad range of applications.

The A710x family is offered as a turnkey solution that provides customers easy integration of authentication solutions into their end products. Minimal impact on the performance of end-products is achieved through high-speed, low power consumption ICs that feature the industry standard I²C, SPI and UART interfaces.

The flexibility of the A710x family solution allows for fast and convenient customization of specific solutions or implementations.

Data Sheets (1)
Name/DescriptionModified Date
Secure authentication microcontroller (REV 3.5) PDF (320.0 kB) A710X_FAM_SDS01 Nov 2013
Package Information (4)
Name/DescriptionModified Date
DFN5050-32: plastic thermal enhanced very thin quad flat package; no leads; 32 terminals; body 5 x 5 x 0.85 mm (REV 1.1) PDF (219.0 kB) SOT617-308 Jun 2016
plastic thermal enhanced very thin small outline package; no leads; 8 terminals; body 4 x 4 x 0.85 mm (REV 1.0) PDF (191.0 kB) SOT909-108 Feb 2016
plastic thermal enhanced very thin quad flat package; no leads; 20 terminals (REV 1.0) PDF (173.0 kB) SOT917-108 Feb 2016
plastic small outline package; 8 leads; body width 3.9 mm (REV 1.0) PDF (244.0 kB) SOT96-108 Feb 2016
Supporting Information (3)
Name/DescriptionModified Date
Wave Soldering Profile (REV 1.0) PDF (20.0 kB) WAVE_SOLDERING_PROFILE30 Sep 2013
Footprint for reflow soldering (REV 1.0) PDF (9.0 kB) SO-SOJ-REFLOW08 Oct 2009
Footprint for wave soldering (REV 1.0) PDF (8.0 kB) SO-SOJ-WAVE08 Oct 2009
Secure authentication microcontroller a710x_family
SO8; Reel pack; SMD, 13" Q1/T1 Standard product orientation Orderable part number ending, 518 or Y Ordering... TJA1020
SO8; Reel dry pack; SMD, 7" Q1/T1 Standard product orientation Orderable part number ending, 515 or... PCF85063A
Footprint for reflow soldering NPIC6C596A_Q100
Footprint for wave soldering NPIC6C596A_Q100
plastic small outline package; 8 leads; body width 3.9 mm SA612A
SO8; Reel pack; SMD, 13" Q1/T1 Standard product orientation Orderable part number ending ,118 or J Ordering... CBT3306_Q100
Tape reel SMD; standard product orientation 12NC ending 115 PBSS5350SS
Reflow_Soldering_Profile Wave_Soldering_Profile LPC1112FD20
Footprint for reflow soldering SOT909-1 PCF8523
HVSON8; Reel pack; SMD, 13" Q1/T1 Standard product orientation Orderable part number ending ,118 or... PCF8523
HVSON8; reel pack; standard product orientation;12NC ending 115 PCF8523
plastic thermal enhanced very thin small outline package; no leads; 8 terminals; body 4 x 4 x 0.85 mm PCF8523
HVQFN20; Reel dry pack; SMD, 7" Q1/T1 Standard product orientation Orderable part number ending ,515 or... cbtl03sb212bs
plastic thermal enhanced very thin quad flat package; no leads; 20 terminals SA636
HVQFN32; Reel dry pack, SMD, 13" Q2/T3 turn product orientation Orderable part number ending, 528 or MP Ordering code... PTN3366BS
Reel 13" Q1/T1 in Drypack LPC11U35FHI33
Footprint for reflow soldering SOT617-3 OL2381AHN
plastic thermal enhanced very thin quad flat package; no leads; 32 terminals; body 5 x 5 x 0.85 mm OL2381AHN
HVQFN32; Reel pack; SMD, 13" Q1/T1 Standard product orientation Orderable part number ending ,118 or J Ordering code... pca8561_automotive