NanoTAP

NanoTAP™ is the Trust Anchor Platform (TAP) component of TrustCore SDK. The NanoTAP module provides an extensible architecture that enables applications to establish hardware- or software-based trust anchors through a variety of Security Module Plugins (SMPs).

NanoTAP's trust abstraction layer gives developers user-friendly APIs that simplify integration with any form of secure element. NanoTAP also provides an abstraction layer for SMPs, which developers can use to leverage common SMP functionality without needing to know the details for any particular SMP. Additionally, NanoTAP allows other TrustCore SDK components – particularly NanoCrypto – to handle hardware keys and software keys in the same manner, making it easier to write applications for devices that may or may not use a secure element.

To reduce complexity, NanoTAP does not provide a comprehensive interface for every supported secure element (SE). Instead, NanoTAP supports the most common and useful operations to enable hardware-based cryptographic operations and establish hardware-based trust anchors with minimal overhead.

Note

Using functionality specific to a secure element requires familiarity with the secure element's SMP.

  • Application developers using the advanced features of an SMP should refer to the documentation for that specific SMP.

  • SMP developers should refer to the NanoSMP documentation for an overview of the functionality that all SMPs must support.

Key features

NanoTAP provides a common API for all supported secure elements. Some of the advantages include:

  • Byte-efficient codebase that is smaller than open-source implementations

  • Speeds integration and testing of complex cryptographic functions for your product

  • Abstraction layer for portability across secure elements

  • Ability to select a secure element at runtime

  • Remote access service for Linux platforms (optional)

  • No reliance on the open-source community’s OpenSSL library

  • Easy transition for devices already integrated with TrustCore SDK

  • Simple APIs for C, C++, and Java applications

  • Integration with the Enrollment over Secure Transport (EST) protocol (RFC 7030)

  • OS- and platform-agnostic for easy portability

  • Guaranteed GPL-free code protects your intellectual property

NSA Suite B cryptographic algorithms

Suite B cryptography is a set of cryptographic algorithms and protocols specified by NIST that are approved by the NSA for protecting classified and unclassified National Security Systems (NSS). NanoTAP supports NSA Suite B cryptographic algorithms to provide a holistic approach for securing networked devices and services. This is ideally suited for high-traffic enterprise and federal environments where performance is critical.

Note

Where the underlying secure element provides support for Suite B algorithms, the APIs are available through the SMP for the secure element.

Custodian of passwords

NanoTAP does not store any passwords. The end-user or application must manage any passwords required to use the underlying security module. These passwords must be obtained from the system administrator or owner responsible for initialization of the security module. The custodian varies by customer organization and corporate policy.

System requirements

Memory requirements

NanoTAP has a minimum memory footprint[2] of 640KB[3].

Typical memory usage assumes a full set of ciphers and may decrease or increase depending on 32-bit versus 64-bit builds, the architecture (x86/ARM/MIPS), use of a reduced set of ciphers, static versus shared library linkage, and compile flags.

Supported operating systems

NanoTAP is currently supported on the following operating systems:

  • Linux (Ubuntu, Debian, Raspbian, CentOS)

  • Microsoft® Windows

  • FreeRTOS

  • ThreadX

For other operating systems, DigiCert can provide a guide to assist the customer or partner with porting to another operating system or RTOS.

Supported operating platforms

NanoTAP is currently supported on the following operating platforms:

  • Intel® x86

  • ARM A/M Series

  • Hardware Acceleration — Intel AES-NI, Vendor Extensions via NanoCrypto Callbacks

Supported secure elements

  • TCG-compliant TPM 2.0/1.2 chipsets on Windows/Linux (requires NanoSMP for TPM 2.0/1.2 respectively)

  • NXP A71CH on FreeRTOS (requires NanoSMP for NXP-A71CH)

  • Renesas S5 on ThreadX (requires NanoSMP for Renesas-S5)

  • PKCS#11 SIM on Linux (requires NanoSMP for PKCS#11 SIM)

  • TEE ARM TrustZone



[2] Estimate based on Intel x86 builds.

[3] Includes NanoCrypto and NanoSSL.