Proprietary interfaces for cryptographic elements add integration and support costs for both developers and vendors. Developers need interoperable standards for the trusted hardware and software to work together. PSA Certified Crypto APIs benefit from being widely deployed by chip vendors as they have open-source reference implementations for MCU (TF-M) and MPU (Trusted Services). This enables the software community to adopt them with confidence.
Benefits for OEMs and Software Platforms Using the PSA Certified Crypto API
Adopting the PSA Certified Crypto API minimizes development costs and establishes interoperability, helping make security pervasive throughout the industry. Software platforms can more easily make use of hardware-based security features using a widely deployed API. OEMs benefit from improved device security that is built on the foundation of a hardware Root of Trust.
Benefits for Chip Vendors and IP Providers Using the PSA Certified Crypto API
Vendors offering standardized secure service implementations provide industry compatibility ensuring security features are used and correctly deployed. Since most secure features are based on cryptographic primitives, PSA Certified offers a way for crypto vendors to demonstrate their compliance with the PSA Certified Crypto API. Vendors can focus on differentiating their products based on their characteristics such as speed, size, cost, agility, or tamper resistance.
Who Can Use the PSA Certified Crypto API?
PSA Certified Crypto API Compliance is intended for vendors of cryptographic solutions, software libraries, crypto accelerators, secure elements and any software or hardware that provides at least one of the PSA Certified Crypto API main functional domains:
- Message Authentication Codes (MAC)
- Unauthenticated ciphers
- Authenticated encryption with associated data (AEAD)
- Key derivation
- Asymmetric signature
- Asymmetric encryption
- Key agreement
- Random number generation
Implementations of the PSA Certified Crypto API must be able to run stand-alone and implement the consistent set of functions required for a given functional domain such as setup/update/finish for hash or sign/verify for signature. Implementations need to support at least one algorithm specified by PSA. Special case for RNG.
Examples for SHA2-256, EdDSA on EC25519
Partial implementations like: single-part but not multi-part, sign but not sign-hash can be considered PSA-compliant, provided they are consistent for end-users.
For services requiring key material, a PSA-compliant key management service must be able to properly handle opaque keys.
Certifiable implementations may optionally include:
- Hash computation accelerators
- Crypto accelerator sub-systems or chips
- Secure Elements (SE/eSE) for asymmetric signature and/or verification
- Optimized assembler routines available through the Crypto API
How Can I Get a Certificate for Using the PSA Certified Crypto API Correctly?
Getting a certificate for PSA Certified API Compliance requires running the PSA Certified Crypto API compliance suite against your crypto solution, gathering the logs, and sending them to Arm for validation. Compliant solutions, achieving the PSA Certified Crypto API logo, will be displayed on the PSA Certified web site and may be used in your marketing.
Continuous Development and Improvement of the PSA Certified Crypto API
If you would like to make improvements to the PSA Certified Crypto API the project is open for contributions on GitHub. While Arm retains authoring rights to the specification, anybody is welcome to open issues, send pull requests, and suggest changes or additions.