A7101CGUS

Secure authentication microcontroller


Direct downloads

All documents (1)

Overview

The A710x family is a tamper resistant secure Micro Controller Unit (MCU) family using a dedicated security hardened MX51CPU. NXP Semiconductors has a long track record in security MCUs. NXP ICs had been used in all kind of security applications like bank cards, health insurance cards, electronic passports, pay-tv cards or as embedded secure element in mobile phones. The A710x family features a significantly enhanced secure microcontroller architecture. Extended instructions for Java and C code, linear addressing and high speed at low power are among many other improvements added to the classic 80C51 core architecture.

The A710x family supports the following features:

  • Dedicated MX51 security CPU
  • 400 kbit/s I²C Fast-mode interface
  • Four wire 2 Mbit SPI interface
  • 111 kbit/s One-Wire Interface (A7103)
  • -40 °C to +90 °C operational ambient temperature (A7102)
  • Optional on-chip operating system firmware: JCOP 2.4.2 (A710xC)
  • Optional X.509 certificate-based client authentication application pre-installed
  • Optional on-chip cryptographic library
  • NXP glue logic
  • NXP secure fetch technology
  • Active shielding technology
  • Asynchronous self-timed Handshake Technology
  • 20 kB EEPROM for application-code and data
  • 40 μA typical sleep mode current with I²C pads in tristate mode
  • 10 μA max deep sleep mode current with I²C pads in tristate mode
  • High-performance secured Public Key Infrastructure (PKI) coprocessor (RSA up to 4096-bit keys, ECC over GF(p) up to 544-bikeys)
  • Secured 2-key/3-key triple-DES coprocessor
  • Secured AES coprocessor (128-, 192- and 256-bit keys)
  • EEPROM with min 500,000 cycles endurance and min 25 years retention time
  • Four general-purpose IO ports (partly multiplexed with the I²C and SPI interface)
  • Broad range of tiny package types, i.e. WLCSP

The A710x family key benefits:

  • Complete security platform enabling customized solutions
  • Field and silicon proven solutions- deployed in numerous devices and environments
  • Ensures trust to drive applications in open and closed systems where high level of security is needed
  • Full solution, ease to integrate, ensuring lower total cost of ownership
  • Robust cryptographic core, countermeasures and protection of device assets
  • Powerful cryptographic coprocessors for public and secret key encryption within a low-power, performance optimized design based on NXP Semiconductors' handshaking technology

For more detailed information refer to following documentation:

  • Hardware Data Sheet A710x family, Secure authentication microcontroller, Document Number DocID 2164xx

The hardware data sheet explains the details of the A710x family product from a hardware point of view. It outlines figures like pinning diagram and power consumption but also provides all information needed to develop firmware running on the chip (ROM code).

Cryptographic hardware coprocessors

PKI coprocessor

The approved and modular PKI coprocessor architecture supports the trend of increasing RSA keys with faster execution speeds as well as Elliptic Curve Cryptography (ECC) based on GF(p) or GF(2n) at best performance. The PKI coprocessor supports RSA with an operand length of up to 8-kbit (up to 4-kbit with intermediate storage in RAM only).

The PKI coprocessor supports 192-bit ECC key length that offers the same level of security as 2048-bit RSA. An ECC GF(2n) based signature, using a 163-bit key can be executed in less than 30 ms providing a security level comparable to 1024-bit RSA. The operand size for ECC is only limited by the 2.5 KB size of the Crypto-RAM. The PKI coprocessor is easy to use and the flexible interface provides programmers with the flexibility to implement their own cryptography solutions.

Triple-DES coprocessor

The DES widely used for symmetric encryption is supported by a dedicated, high performance, highly attack-resistant hardware coprocessor. Single DES and triple-DES, based on two or three DES keys, can be executed within less than 40 μs. Relevant standards (ISO/IEC, ANSI, FIPS) and Message Authentication Code (MAC) are fully supported.

AES coprocessor

The A710x family secure microcontroller platform provides a dedicated high performance 128-bit parallel processing coprocessor to support secure AES. The implementation is based on FIPS197 as standardized by the National Institute for Standards and Technology (NIST), and supports key lengths of 128-bit, 192-bit, and 256-bit with performance levels comparable to DES. AES is the next generation for symmetric data encryption and recommended successor of DES providing a significantly improved security level.

I²C interface

The A710x family has an I²C interface supporting data rates up to 400 kbit/s operating in Fast-Mode (FM). Both operating modes, Master and Slave are supported. The I²C address is configurable by the embedded firmware.

SPI interface

The A710x family has a four wire SPI slave interface supporting data rates up to 2 Mbit for full-duplex and synchronous data transfer.

Universal Asynchronous Receiver/Transmitter (UART)

The A7103 uses a built-in Universal Asynchronous Receiver/Transmitter (UART) to support a Smart Card OneWire (SC1W) Protocol. The Protocol is using a one-wire based physical interface, a UART-based data link layer, an SMBus based network layer as well as a mapping layer to convey ISO/IEC 7816-4 based communication. The UART is software configurable to use any of the four IO ports.

General-Purpose IO ports

The A710x family has four general-purpose IO ports (partly multiplexed with the UART, I²C and SPI interface) which can be used for any purpose.

Optional on-chip cryptographic library

A secure crypto library providing a broad range of required functions will be available for all A710x devices in order to support customers implementing cryptographic solutions:

  • Various algorithms
    • AES encryption and decryption using the AES coprocessor
    • DES and Triple-DES encryption and decryption using the DES coprocessor
    • RSA encryption and decryption, signature generation and verification for straightforward and CRT keys up to 4096-bit
    • RSA key generation
    • ECC over GF(p) signature generation and verification (ECDSA) and Diffie-Hellman key exchange for keys up to 544 bits
    • ECC over GF(p) key generation
    • ECC over GF(2n) signature generation and verification (ECDSA) and Diffie-Hellman key exchange for keys up to 544-bit
    • ECC over GF(2n) key generation
    • SHA-1, SHA-224 and SHA-256 hash algorithm
    • Pseudo-Random Number Generator (PRNG)
  • Easy to use API for all algorithms
  • Latest built-in security features to avoid power (SPA/DPA), timing and fault attacks (DFA)

Optional on-chip operating system firmware: JCOP 2.4.2 (A710xC)

The A710x family can execute program code from its internal memories. The ROM is used to host program code and data either owned by NXP Semiconductors or provided by third-parties (custom ROM masked product).

NXP Semiconductors offers a Java Card Open Platform operating system called JCOP based on independent, third-party specifications, i.e. by Oracle, the Global Platform consortium, the International Organization for Standards (ISO), EMV (Europay, MasterCard and VISA) and others. The Java Card and GlobalPlatform industry standards together ensure ease of application development and application interoperability for developers. JCOP 2.4.2 compliant to Java Card specification V3.0.1 classic ; JCOP 2.4.2 compliant to Global Platform specification.

JCOP provides extended support for several industry-specific requirements. This support is given with the JCOPX API that comprises following functionality:

  • Extended cryptography support (several algorithms and methods not specified in Java Card v3.0.1 classic
  • A710xC (JCOP 2.4.2 R1): Support of IO Config and Control API, implementing methods to reconfigure the default I²C slave address, to configure the GPIO pin as either input or output pin and the read, set or clear the pin

For more detailed information refer to following documentation:

  • User manual JCOP 2.4.2 Revision 1.0, JCOP V2.4.2 Revision 1.0 secure A7 MCU operating system, Document Number 2318xx

    The User manual describes JCOP for the applet developer. It outlines the features available through the Java Card API. Also it explains any additional functionality at the Java layer. Also, this User manual contains the information on how to order A710x family products.

  • Administrator manual JCOP 2.4.2 Revision 1.0, JCOP V2.4.2 Revision 1.0 secure A7 MCU operating system, Document Number 2319xx. The Administrator manual describes JCOP for the administrator of a JCOP operating system. This means it explains the pre-personalization process and its specific commands.
  • Hardware Data sheet, A710x family, secure authentication microcontroller, Document Number 2164xx

    The Full data sheet explains the details of the A710x family product from a hardware point of view. It outlines figures like pinning diagram and power consumption.

  • A710x family with JCOP 2.4.1R1, secure authentication microcontroller, Document Number 2366xx

    The data sheet explains the details of the A710x family product embedding a JCOP 2.4.2 R1 operating system from a hardware point of view. It outlines figures like pinning diagram and power consumption.

Optional X509 certificate-based client authentication

In addition to the A710x family secure MCU and the Java Card Open Platform operating system, the total solution includes an X.509 certificate-based client authentication application.

For more detailed information refer to following documentation:

  • Application note, Device Authentication APDU Specification, Document Number 2118xx

    The applet user manual contains a detailed description of the authentication application on the A710x family product. It outlines the interface description including the APDU description and a description how to use the applet.

Trust provisioning service

The A710x family is delivered with pre-programmed, die-specific keys and certificates which are being generated and programmed in a certified (Common Criteria) secure NXP Semiconductors internal environment with master keys securely stored in HSMs (Hardware Secure Modules). Additional authentication software for the host (host-MCU or remote server) can also be included as part of the solution.

NXP Semiconductors offers a pre-personalizations service where customer specific initialization data can be preprogrammed. This data can be die individual card manager keys, symmetric DES-or AES keys, random data, X509 certificates, RSA signing keys or any other constant data like application code.

A710x family naming conventions

The following table explains the naming conventionsof the commercial product name of the A710x family products. Every A710x family product gets assigned such a commercial name, which includes also customer and application-specific data.

The A710x family commercial names have the following format.

A710xagpp(p)/mvsrrff

The ’A710’ is a constant, all other letters are variables, which are explained in the following:

Table 1. A710x commercial name format

Variable

Meaning

Values

Description

x

IC hardware specification code

1

standard operational ambient temperature: -25 °C to +90 °C I²C and SPI interface supported

2

standard operational ambient temperature: -40 °C to +90 °C I²C and SPI interface supported

3

standard operational ambient temperature: -25 °C to +90 °C. I²C and UART interface supported

a

embedded operating system code

A

JCOP V2.4.2 R0.95

C

JCOP V2.4.2 R1

Z

Custom ROM coded product

g

embedded application firmware (applet) code

G

Generic, no application layer firmware (i.e. JCOP applets) pre-installed

C

Customized, customer Applet pre-installed in ROM or EEPROM

A

Application firmware implementing generic X509 based client authentication

pp(p)

package type code

   

m

Manufacturing Site Code

T

 

v

Silicon Version Code

0

 

s

Silicon Version Subcode

B

 

rr

ROM Code ID

   

ff

FabKey ID

   

Security features

The A710x family security concept is combining a comprehensive portfolio of NXP Semiconductors security measures which is protecting the chip against all types of attacks. All in all there are more than 100 security features in an NXP Semiconductors security chip to protect against attacks from outside. NXP Semiconductors apply their extensive knowledge of chip security to harden the chip against any kinds of attacks.

The counter measures against reverse engineering attacks i.e. the dedicated security CPU designed in asynchronous handshaking circuit technology, the very dense sub-micron 5-metal-layer 0.14 μm technology, the NXP glue logic and active shielding technology are providing highest level of attack resilience which is unique in the market.

Secure Fetch Technology will significantly enhance the chip hardware security for a certain class of light and laser attacks to the chip hardware. More specifically, Secure Fetch offers increased protection against attacks with higher spatial resolution and against both those with shorter and with longer light pulses; both with single and with multiple pulses. It protects both the device memory and code fetching operations from ROM, RAM and EEPROM, greatly increasing the probability that fault injection attacks are detected. This unique security technology offers increased protection against future attack scenarios with light and laser sources, facilitating the development of highly secure software applications for customers.

The A710x family security concept includes dedicated HW measures to protect against any kind of leakage attacks. The Triple-DES coprocessor provides a high level of leak-resistance to 1st order DPA, thus equally well resilient against all kinds of leakage attacks.

The A710x family incorporates inherent and OS controlled security features:

  • Secure Fetch Technology, protecting code fetches from ROM, RAM and EEPROM
  • Dedicated security CPU designed in asynchronous handshaking circuit technology
  • High dense sub-micron 5-metal-layer 0.14 μm CMOS technology,
  • NXP glue logic
  • Active Shielding
  • Enhanced security sensors
    • Low and high temperature sensor (for A7101 and A7103 only)
    • Low and high supply voltage sensor
    • Single Fault Injection (SFI) attack detection
    • Light sensors (incl. integrated memory light sensor functionality)

Security licensing

NXP Semiconductors has obtained a patent license for SPA and DPA countermeasures from Cryptography Research Incorporated (CRI). This license covers both hardware and software countermeasures. It is important to customers that countermeasures within the operation system are covered under this license agreement with CRI. Further details can be obtained on request.

Features and benefits

Standard family features

  • High reliable EEPROM for both data storage and program execution: 20 kB
    • Data retention time: 25 years minimum
    • Endurance: 500,000 cycles minimum
  • Dedicated Secure_MX51 MCU (Memory eXtended/enhanced 80C51)
  • Public Key Cryptography (PKC) coprocessor supporting RSA, Elgamal, DSS, Diffie-Hellman, Guillou-Quisquater, Fiat-Shamir and Elliptic Curves
    • RSA support for the key lengths up to 4096-bit
    • Elliptic Curve over GF(p) Cryptography with key lengths up to 544-bit
  • Single DES (56-bit) and Triple DES with 2 or 3 Keys (112-bit- or 168-bit), encryption and decryption in ECB, CBC and CBC-MAC mode
  • High-speed AES coprocessor (128-bit parallel processing AES engine)
  • Low-power True-Random Number Generator (TRNG) in hardware, AIS-31 compliant
  • SHA1, SHA-224 and SHA-256
  • On-Chip Key generation
  • CRC calculations
  • Low-power design using NXP Semiconductors’ handshaking technology
  • Wake-up from SLEEP mode by any I²C communication request
  • 40 μA typical sleep mode current with I²C pads operated in tristate mode, don’t obstructing the bus lines
  • 10 μA maximal deep sleep mode current with I²C pads operated in tristate mode, don’t obstructing the bus lines
  • Internally generated CPU clock (typical 31 MHz)
  • 1.62 V to 3.6 V operating voltage range
  • Broad spectrum of delivery types
    • Wafers
    • WL-CSP package
    • SMD packages

Product-specific features

  • A7101
    • -25 °C to +90 °C operational ambient temperature
    • 400 kbit/s I²C Fast-mode interface (Master and Slave)
    • 2 Mbit four wire SPI interface (Slave)
  • A7102
    • -40 °C to +90 °C operational ambient temperature
    • 400 kbit/s I²C Fast-mode interface (Master and Slave)
    • 2 Mbit four wire SPI interface (Slave)
  • A7103
    • -25 °C to +90 °C operational ambient temperature
    • 111 kbit/s One-Wire Interface
    • 400 kbit/s I²C Fast-mode interface (Master and Slave)

Applications

The A710x family is a complete embedded security platform for mobile phones, portable devices, computing and consumer electronic devices, and embedded systems where a strong security infrastructure is required. The A710x family provides an outstanding level of security, while overcoming the challenges of performance, power consumption and solution footprint. Its flexible architecture offers brand owners and device manufacturers a robust solution that can be tailored to meet today’s demanding embedded security requirements. The A710x family can be used in various host platforms and host operating systems to secure a broad range of applications.

The A710x family is offered as a turnkey solution that provides customers easy integration of authentication solutions into their end products. Minimal impact on the performance of end-products is achieved through high-speed, low power consumption ICs that feature the industry standard I²C, SPI and UART interfaces.

The flexibility of the A710x family solution allows for fast and convenient customization of specific solutions or implementations.

Application areas

  • Embedded Security
  • Counterfeit protection of hardware and software
    • Anti-cloning
    • Brand integrity of original goods
  • Profile of service
    • Conditional access to software, content and features
    • Secure access to online services
  • Device identity
    • Signing transactions
    • Secure machine to machine (M2M) communication
All information on this product information page is subject to the subsequent disclaimers:

Documentation for this product

File nameTitleTypeFormatDate
A710X_FAM_SDSSecure authentication microcontrollerShort data sheetpdf2013-11-01

Technical support

Do you want to ask technical questions to an NXP expert?
Please select one of the following options:

How to search?

Already registered to MyNXP? or Register

Feedback

Restricted Document

You are accessing a password protected document.
Please choose an option below

Fill in your name, company and e-mail address and you will receive an e-mail with a username and password for this restricted document.

First name*

Last name*

Company*

E-mail*

Comments

* required.

Print password request form:

Before we can grant you access to our confidential documents you are required to fill in, print and sign the password request form by which you comply with the NXP Non-disclosure agreement (NDA). Please email or fax the signed form to the email-address or fax-number specified on the form. After approval you will receive username and password via email. In case you already signed an NDA with NXP and already have username and password, you can skip this step.

Open document:

If you have received the username and password, you can open the document by clicking on the "open document" link. You will be prompted for username and password. After you fill in the username and password the download will start.

Forgot your password:

In case you forgot your password you can click on the "forgot your password" link to retrieve your password. Please complete the small form with your personal details and your request will be sent to NXP. You will receive an answer with your password shortly.

Request secure documentation

Fill in your name, company and e-mail address and you will receive an e-mail with a username and password for this secure document.

First name*

Last name*

Company*

E-mail*

Comments

* required.

Datasheet confidential

Fill in your details and you will be contacted

First name*

Last name*

Company*

Country*

Telephone number*

E-mail*

* required.

Your e-mail address will only be used to send the datasheet and will not be used for any other purposes.

No full datasheet available

Fill in your details to receive notification when the datasheet becomes available

First name*

Last name*

Company*

E-mail*

* required.

Your email address will only be used to send the datasheet and will not be used for any other purposes.