Industry Evolution

From PPA to PPA+S

Security is now the 4th pillarof chip competitiveness.

With the EU CRA, IC design must evolve beyond Performance, Power, and Area. Chips without security will face major market access barriers.

S - Security: Unique and unforgeable hardware identity.
PQC - Agility: Ready for Post-Quantum Cryptography upgrades.

Multi-Vendor HSM Integration

Securosys

Swiss Quality HSM

Thales

Global Market Leader

Utimaco

German Compliance

nCipher

High Reliability Crypto

KMS provides a unified interface to manage multi-vendor hardware resources.

Security Concept

HSM is the "Vault", KMS is the "Manager"

HSM (Hardware Security Module)

Handles crypto-operations and key storage. Plaintext keys never leave hardware (FIPS 140-3 L3).

  • Tamper-resistant physical protection
  • TRNG provides high-quality entropy source
  • Supports RSA, ECC, AES, and PQC algorithms

KMS (Key Management System)

Governs key lifecycle. Defines "who" can access HSM "when," enforcing separation of duties.

  • Centralized Lifecycle: Create, Rotate, Retire, Destroy
  • Separation of Duties (SoD) & Multi-sig policies
  • Immutable audit logs for compliance
Feature Overview

Ciot KMS Feature Highlights

Ciot KMS provides an intuitive, automated hub to ensure keys are rigorously monitored and deployed throughout their lifecycle.

Secure Boot

Establishes a hardware Root of Trust (RoT) to prevent unauthorized firmware execution.

  • Firmware integrity checks
  • Automated signature verification
  • Defends against malware injection

Code Signing

Secures digital identities for software/firmware and bolsters CI/CD supply chain safety.

  • BIOS / OS firmware signing
  • CI/CD automated pipeline integration
  • Ensures legitimate OTA updates

Lifecycle Management

Enforces separation of duties (SoD) to minimize human risks in key management.

  • Generation, rotation, & destruction
  • CSR generation & CA management
  • Symmetric & Asymmetric standards

HSM & High Availability

Combines physical protection with load balancing for 24/7 uninterrupted service.

  • PKCS#11 (Thales, Utimaco, etc.)
  • Failover & Load Balance clusters
  • Hardware-accelerated cryptography

Signing & Encryption

Protect Confidentiality & Integrity.

  • PKCS#7 and W3C XML standards
  • ECC / RSA / AES algorithm support

PQC Readiness

Future-proof security with crypto-agility against quantum computing threats.

  • CNSA 2.0 (LMS/HSS/ML-DSA) compliance
  • Advanced Crypto-agility capabilities
  • Resilience to quantum attacks

Audit & Alerting

Tracks Who/When/How via audit trails to meet global compliance standards.

  • Web-based management UI
  • Tamper-proof audit logs
  • Real-time E-mail alert mechanism

API & SDK Support

Rich libraries for seamless integration of security functions into applications.

  • RESTful API / OpenSSL Engine / OpenSSL Provider / Microsoft Key Storage Provider (KSP) / Python
  • Supports connection filtering via IP Whitelisting
  • Enable KMS signing with minor codesign parameter tweaks; no major code changes required
  • Supports seamless CI/CD integration
Technical Specifications

Feature & Specification Details

Comprehensive technical specifications of Ciot KMS, covering algorithms, lifecycle management, compliance standards, and integration interfaces.

Supported Algorithms

  • Key Standards: Full support for Symmetric and Asymmetric key standards
  • Algorithms: Support for RSA, ECC, and AES
  • Post-Quantum Cryptography (PQC): Compatible with CNSA 2.0 (ML-DSA) standards with Crypto-agility to counter future quantum computing threats
RSA ECC AES ML-DSA CNSA 2.0

Key Lifecycle Management

  • Full Lifecycle: Supports Key Generation, Rotation, Deactivation, and Destruction (Crypto-shredding)
  • Certificate Management: Supports CSR (Certificate Signing Request) generation and CA (Certificate Authority) certificate import
Generation Rotation Deactivation Crypto-shredding CSR / CA

Code Signing

  • Digital Identity: Establishes digital identities for software/firmware to enhance CI/CD supply chain security
  • Firmware Support: Supports signing for BIOS, and OS firmware
  • Secure Updates: Integrates automated signing workflows to ensure the authenticity and integrity of OTA (Over-the-Air) updates
BIOS OS CI/CD OTA

Post-Quantum Cryptography (PQC)

  • Regulatory Compliance: Compatible with CNSA 2.0 (LMS/HSS/ML-DSA) standards
  • Crypto-agility: Ability to rapidly switch algorithms to address future quantum computing threats
LMS / HSS CNSA 2.0 Crypto-agility

Security & Compliance

  • Hardware Standards: Integrated with HSM to meet FIPS 140-3 Level 3 (including tamper-resistant physical protection)
  • International Protocols: Complies with industry security communication standards such as PKCS#11, PKCS#7, and W3C XML
  • EU Regulations: Assists enterprises in complying with the EU CRA (Cyber Resilience Act)
  • Random Number Generation: Supports TRNG (True Random Number Generator) to provide high-quality entropy sources
FIPS 140-3 L3 EU CRA PKCS#11 PKCS#7 W3C XML TRNG

Architecture & Integration

  • Multi-Vendor Compatibility: Supports integration with HSMs from Thales, Utimaco, Securosys, nCipher, etc.
  • Development Interfaces: Provides RESTful API, Python SDK, and OpenSSL Engine / Provider
  • System Integration: Supports Microsoft KSP (Key Storage Provider) and IP Whitelisting
RESTful API Python SDK OpenSSL Microsoft KSP IP Whitelist

Governance & Audit

  • Segregation of Duties (SoD): Robust SoD management and Multi-signature policies to reduce human error/risk
  • Audit Trails: Provides immutable Audit Logs that record Who, When, and How for every action
  • Alerting Mechanism: Features an E-mail notification system for abnormal activity alerts
SoD Multi-signature Audit Log E-mail Alert
Success Stories

Track Records

Ciot helps IC and device vendors establish a secure Root of Trust during production.

Automotive & IC

MCU Key Wrapping

Securely wrap and inject private keys into automotive MCUs to ensure identity and prevent theft at the factory.

Server Security

BIOS Code Signing

BIOS Code Signing

Integrate with CI/CD for firmware signing during server manufacturing to establish hardware-level Secure Boot.

Critical Infrastructure

AMI Meter OTA Security

Sign all OTA updates via KMS+HSM; meters only accept verified firmware, blocking MitM attacks.

Zero Trust Factory

OEM Production Control

Centralize signing keys and send "Key Bundles" to ATE, preventing unauthorized clones or over-production.

CRA Compliance

Ensuring EU CRA Compliance

Software Verification

CRA Annex I (2)(c): Use KMS+HSM for code signing to verify software update integrity and source.

Data & Key Protection

CRA Annex I (2)(e): Mandatory hardware protection for keys with secure rotation and crypto-shredding.

PQC Readiness

Future-proof security with Crypto-Agility, upgrading architecture against quantum threats.

Secure Your Device Fleet

Contact Ciot to build your product's Root of Trust with HSM & KMS solutions.