NanoTAP
NanoTAP™ is the Trust Anchor Platform (TAP) component of TrustCore SDK. The NanoTAP module provides an extensible architecture that enables applications to establish hardware- or software-based trust anchors through a variety of Security Module Plugins (SMPs).
NanoTAP's trust abstraction layer gives developers user-friendly APIs that simplify integration with any form of secure element. NanoTAP also provides an abstraction layer for SMPs, which developers can use to leverage common SMP functionality without needing to know the details for any particular SMP. Additionally, NanoTAP allows other TrustCore SDK components – particularly NanoCrypto – to handle hardware keys and software keys in the same manner, making it easier to write applications for devices that may or may not use a secure element.
To reduce complexity, NanoTAP does not provide a comprehensive interface for every supported secure element. Instead, NanoTAP supports the most common and useful operations to enable hardware-based cryptographic operations and establish hardware-based trust anchors with minimal overhead.
Note
Using functionality specific to a secure element requires familiarity with the secure element's SMP.
Application developers using the advanced features of an SMP should refer to the documentation for that specific SMP.
SMP developers should refer to the NanoSMP documentation for an overview of the functionality that all SMPs must support.
Key features
NanoTAP provides a common API for all supported secure elements. Some of the advantages include:
Byte-efficient codebase that is smaller than open-source implementations
Speeds integration and testing of complex cryptographic functions for your product
Abstraction layer for portability across secure elements
Ability to select a secure element at runtime
Remote access service for Linux platforms (optional)
No reliance on the open-source community’s OpenSSL library
Easy transition for devices already integrated with TrustCore SDK
Simple APIs for C, C++, and Java applications
Integration with the Enrollment over Secure Transport (EST) protocol (RFC 7030)
OS- and platform-agnostic for easy portability
Guaranteed GPL-free code protects your intellectual property
NSA Suite B cryptographic algorithms
Suite B cryptography is a set of cryptographic algorithms and protocols specified by NIST that are approved by the NSA for protecting classified and unclassified National Security Systems (NSS). NanoTAP supports NSA Suite B cryptographic algorithms to provide a holistic approach for securing networked devices and services. This is ideally suited for high-traffic enterprise and federal environments where performance is critical.
Note
Where the underlying secure element provides support for Suite B algorithms, the APIs are available through the SMP for the secure element.
Custodian of passwords
NanoTAP does not store any passwords. The end-user or application must manage any passwords required to use the underlying security module. These passwords must be obtained from the system administrator or owner responsible for initialization of the security module. The custodian varies by customer organization and corporate policy.
System requirements
Memory requirements
NanoTAP has a minimum memory footprint[2] of 640KB[3].
Typical memory usage assumes a full set of ciphers and may decrease or increase depending on word size (32/64-bit), architecture (x86/ARM/MIPS), use of a reduced set of ciphers, static or shared library linkage, and compile flags.
Supported operating systems
NanoTAP is currently supported on the following operating systems:
Linux (Ubuntu, Debian, Raspbian, CentOS)
Microsoft® Windows
FreeRTOS
ThreadX
For other operating systems, DigiCert can provide a guide to assist the customer or partner with porting to another operating system or RTOS.
Supported operating platforms
NanoTAP is currently supported on the following operating platforms:
Intel® x86
ARM A/M Series
Hardware Acceleration — Intel AES-NI, Vendor Extensions via NanoCrypto Callbacks
Supported secure elements
TCG-compliant TPM 2.0/1.2 chipsets on Windows/Linux (requires NanoSMP for TPM 2.0/1.2 respectively)
NXP A71CH on FreeRTOS (requires NanoSMP for NXP-A71CH)
Renesas S5 on ThreadX (requires NanoSMP for Renesas-S5)
PKCS#11 SIM on Linux (requires NanoSMP for PKCS#11 SIM)
TEE ARM TrustZone