PSA Certified Crypto API Compliance for IoT and Embedded Security

Standardizing Access to Crypto Functions with Open Source APIs for IoT Security


Benefits for OEMs and Software Platforms Using the PSA Certified Crypto API

Adopting the PSA Certified Crypto API minimizes development costs and establishes interoperability, helping make security pervasive throughout the industry. Software platforms can more easily make use of hardware-based security features using a widely deployed API. OEMs benefit from improved device security that is built on the foundation of a hardware Root of Trust.

Benefits for Chip Vendors and IP Providers Using the PSA Certified Crypto API

Vendors offering standardized secure service implementations provide industry compatibility, ensuring security features are used and correctly deployed. Since most secure features are based on cryptographic primitives, PSA Certified offers a way for crypto vendors to demonstrate their compliance with the PSA Certified Crypto API. Vendors can focus on differentiating their products based on characteristics such as speed, size, cost, agility, or tamper resistance.

Who Can Use the PSA Certified Crypto API?

PSA Certified Crypto API Compliance is intended for vendors of cryptographic solutions, software libraries, crypto accelerators, secure elements and any software or hardware that provides at least one of the PSA Certified Crypto API main functional domains:

Implementations of the PSA Certified Crypto API must be able to run stand-alone and implement the consistent set of functions required for a given functional domain such as setup/update/finish for hash or sign/verify for signature. Implementations need to support at least one algorithm specified by PSA. Special case for RNG.

Examples for SHA2-256, EdDSA on EC25519

Partial implementations, such as single-part but not multi-part, or sign but not sign-hash, can be considered PSA-compliant, provided they are consistent for end-users.

For services requiring key material, a PSA-compliant key management service must be able to properly handle opaque keys.

Certifiable implementations may optionally include:

How Can I Get a Certificate for Using the PSA Certified Crypto API Correctly?

Getting a certificate for PSA Certified API Compliance requires running the PSA Certified Crypto API compliance suite against your crypto solution, gathering the logs, and sending them to Arm for validation. Compliant solutions, achieving the PSA Certified Crypto API logo, will be displayed on the PSA Certified web site and may be used in your marketing.

Continuous Development and Improvement of the PSA Certified Crypto API

If you would like to make improvements to the PSA Certified Crypto API, the project is open for contributions on GitHub. While Arm retains authoring rights to the specification, anybody is welcome to open issues, send pull requests, and suggest changes or additions.
