The new Matter protocol, which lets smart home devices from different manufacturers communicate with each other, is an important
step forward in the industry because it combines interoperability with reliability and security.
Matter uses the Internet Protocol (IP) as its basis, which makes it possible for smart home devices to work together, right out
of the box. That means less frustration and a better experience when setting up the initial network or adding devices down the
At the same time, Matter uses strong, thoroughly tested security mechanisms to keep information private, prevent unauthorized
access and help to ensure that every communication is protected. For example, Matter devices have unique identities, go through
a screening process before joining a network and encrypt data to protect confidentiality and privacy. Device operation is also
restricted by detailed access-control policies, so devices only do what they’re supposed to do.
A fundamental part of Matter security is the use of device attestation, a process for screening devices prior to letting them
share information. Before a Matter device can share information with the network or another device, it must first use device
attestation to confirm its authenticity, demonstrate its trustworthiness and establish a validated, authenticated connection.
Device attestation is a little bit like using a passport. To receive a passport, we must apply to a government agency, which is
a trusted organization. This organization, having confirmed our identity, then issues an official document that serves as proof
of identity. The passport tells anyone who asks (a border agent, a bank clerk, a lawyer) that we are who we say we are. It
confirms that we’re trustworthy and provides the basis for granting access to what we want.
In similar fashion, device attestation involves using an official certificate, issued by a trusted organization, to confirm
device identity and then grant access.
In the case of Matter, device attestation is based on public key infrastructure (PKI) and uses X.509 certificates to
authenticate Matter products and device vendors. PKI and X.509 certificates have been used to manage identity and security
across the internet for decades. These certificates are also part of several offline applications, including the electronic signatures used
to authenticate legal and financial transactions.
Matter uses X.509 certificate-based device attestation to ensure only compliant products from legitimate device vendors can join
the Matter home network.
The seamless and interoperable smart home is powered by Matter.
What Matter Requires
All Matter devices are required to use an attestation keypair and an X.509 certificate signed by a Trusted Certificate Authority (CA) or a Product Attestation Authority (PAA), to use the language of the Connectivity Standards Alliance (CSA)—the organization that defines the Matter specification and certifies Matter devices.
Proper use of device attestation is a central part of Matter compliance. For developers, that means the first step in obtaining
Matter compliance—and shipping Matter-certified devices—is to obtain a Matter-trusted device attestation certificate for each
Obtaining Matter-Trusted Certificates
There are two ways to get Matter device attestation certificates for your devices. You can apply to become a trusted PAA and
issue your own certificates, or you can partner with someone who can issue the certificates for your products.
Becoming a trusted PAA is no small task. Before being authorized to issue device-unique attestation certificates, an
organization must first meet specific CSA requirements, and then, must apply and maintain a strict
security process during device manufacture. Creating and managing the necessary in-house processes to meet these requirements
for security and confidentiality is a major undertaking that not every organization can afford to pursue. In addition to the
technical security requirements that need to be met, there are also operational controls, facility and physical controls and
auditing requirements that need to be established, tracked and maintained. In many cases, partnering with an established
manufacturer—with a certified-secure process for certificate issuance—is the better way to go.
NXP Is a PAA
NXP is one of a few semiconductor companies that helped define the Matter specification, and is one of the first to offer
Matter-certified and compliant development platforms and products. We are also one of the first semiconductor manufacturers to
have been granted trusted PAA status by the CSA, so we’re able to issue Matter device attestation
certificates for our customers' products.
What makes us special, as a PAA, is that we can inject credentials into silicon. As one of the leading suppliers to the Internet
of Things (IoT), we have been issuing and maintaining device credentials for quite a while and have strong expertise in trust
provisioning. Our EdgeLock 2GO service is a flexible, fully turnkey platform for securely provisioning IoT devices. Through the
EdgeLock 2GO service, we can inject credentials directly into silicon (with pre-injection on embedded Secure Elements and
authenticators) or deliver the credentials securely over-the-air (OTA).
Using our in-depth knowledge, as a contributor to the Matter specification, we’ve updated our EdgeLock 2GO service to meet the
Matter requirements and can now offer this service to our customers to help them more effectively and efficiently design and
deploy their Matter devices.
EdgeLock 2GO for Matter
The EdgeLock 2GO service is a flexible, cost-effective security platform that leverages our well-established security
infrastructure and our extensive capabilities in hardware security.
NXP Security Expertise
EdgeLock 2GO leverages the NXP security infrastructure and know-how to offer a Matter-compliant PKI service to NXP customers.
We develop our security products by following strict security processes and have had a long-time presence in various areas
such as identity, banking and payment. We have extended this expertise into the IoT and smart home segments.
The EdgeLock 2GO service for Matter is designed to leverage the security capabilities of various NXP products to offer an
optimal level of trust. Examples of such products are the
EdgeLock SE05x Secure Element
EdgeLock A5000 secure authenticator
i.MX 8M Mini
—and the recently announced
Designed for Flexibility
As a complement to our hardware security offerings, the EdgeLock 2GO service for Matter is a fully turnkey offering that
includes everything from credential generation and device attestation certificate issuance to secure key injection. EdgeLock
2GO is operating a Product Attestation Authority (PAA) and can create Product Attestation Intermediate (PAI) certificates for
each OEM project. A PAI certificate is then used to issue the Device Attestation Certificates (DAC) for the OEM individual
devices. In addition, EdgeLock 2GO supports many other use cases for credential management, such as secure cloud connectivity,
over-the-air (OTA) firmware updates and more.
The CSA has approved NXP as a Product Attestation Authority (PAA), using using EdgeLock 2GO for Matter
With EdgeLock 2GO for Matter, there’s no need to establish an in-house process for issuing and managing PKI certificates, and
the development process gains the flexibility of being able to customize configurations, manage OTA updates, and scale to
accommodate changes in demand.
Take the Next Step with EdgeLock 2GO for Matter
We’re strong supporters of Matter because we believe consumers want a better way to create smart homes. And, by the same token,
we want to give developers a better way to deliver Matter devices. That’s why we’ve moved quickly to achieve CSA trusted PAA
status and have expanded our industry-proven EdgeLock 2GO service to include Matter-trusted certificates.
Explore further the capabilities of EdgeLock 2GO when paired with Matter
by inquiring through our dedicated dedicated EdgeLock 2GO form.