Comparing the DS28S60, MAXQ1061 and the MAXQ1065 Functionality

Abstract

This application note discusses the main features of the DS28S60, MAXQ1061, and MAXQ1065. It compares the features between the devices and then provides the user with some relevant advice on how and when each device can be deployed. The Appendix provides some specific device features and performance comparisons.

Introduction

This application note compares the functionality of three different security coprocessors available from Analog Devices, Inc. They are the DS28S60, MAXQ1061, and MAXQ1065.

The DS28S60 is a DeepCover Cryptographic Coprocessor with ChipDNA. It provides the user with the most affordable and simplest solution when it comes to Internet of Things (IoT) security. It deploys simple personalization, strong mutual authentication, key exchange, and end-to-end data encryption.

The MAXQ1061 is a DeepCover Cryptographic Coprocessor for Embedded Devices with configurable security policies and dynamic memory allocation. It provides a comprehensive IoT solution with various cryptographic features including TLS 1.2 and x.509 support. It also provides a large user memory for application-specific needs.

The MAXQ1065 is an Ultra-Low-Power Cryptographic Controller with ChipDNA Physical Unclonable Function Technology for Embedded Devices. It also provides configurable security policies, dynamic memory allocation, and TLS 1.2 and x.509 certificate support, making it a complete IoT solution package in a single device. Because it is a more current generation design, it is also more cost-effective than the MAXQ1061. However, the MAXQ1065 offers a reduced crypto suite.

In this application note, first the device features are summarized, then the user is given a clear outline as to when and where each of these devices can be deployed.

Device Selection Process

With the device features outlined, the next question is how the user selects a device for an application. There are no right or wrong selections here. All the devices are very capable, and the goal is to select the device that matches the user's end application goals.

The following are some of the questions the user should ask before selecting a device:

  • Do I need security for my connected/IoT device?
  • Do I need Hardware TLS support?
  • How much user memory do I need?
  • What kind of hardware cryptographic support do I need?
  • Do I need remote firmware upgrade?
  • What kind of power and time budget do I have?

Many other questions can be asked, but the figures below show a few of the most common scenarios that arise during the selection process. These scenarios can be used to decide which device to pursue.

Figure 1. Decision based on TLS and memory requirements.


Figure 2. Decision based on Certificate and ECDSA requirements.


Figure 3. Decision based on the need for a decrement counter.


Summary

The application note covers the differences between the DS28S60, MAXQ1061, and MAXQ1065. It gives the user an overall picture of the device functionalities and then a way to choose between the devices based on the user's needs. The following table summarizes the differences between the three devices.

Beyond product features and cost, the choice can also be guided by availability and lead times, which can differ from product to product. Please contact your Analog Devices sales representative or authorized distributor for more information about lead times.

Table 1. Device Primary Electrical Characteristics Comparison

| DS28S60 | MAXQ1065 | MAXQ1061 |
| --- | --- | --- |
| The simplest, most affordable solution when it comes to IoT security. Simple personalization. Strong mutual authentication, key exchange, end-to-end data encryption. | A low-power, more comprehensive solution than DS28S60 with configurable security policies and dynamic memory allocation, TLS 1.2 and x.509 certificates. | Very close to MAXQ1065. Offers larger ECDSA key sizes than MAXQ1065 and larger memory. It has a separate AES engine for higher performance stream encryption. |
| Supports Encryption for messages up to 256 bytes | Supports Encryption of infinite length | Supports Encryption of infinite length up to 20 Mbps |

Appendix: Device Feature Comparison Tables

The following tables compare the common and unique features of the three devices. These are not meant to be an exhaustive list but rather an overview so that the user can quickly reach a decision. For more detailed information, refer to the data sheets and user guides of the respective devices.

Table 2. Device Security Feature Comparison

| Device Features | DS28S60 | MAXQ1061 | MAXQ1065 |
| --- | --- | --- | --- |
| Operating Temperature | -40°C to 105°C | -40°C to 109°C | -40°C to 105°C |
| Host Interface | SPI | SPI or I2C (User selectable) | SPI (I2C in development) |
| Supply Voltage | 1.62V to 3.63V | 2.81V to 3.4V | 1.62V to 3.63V |
| Maximum Active Current | 3mA | 26mA | 3mA |
| Typical Idle Current (25°C) | 0.4mA | 0.026mA | 0.4mA |
| Power Down Current (25°C) | 100nA | N/A | 100nA |

Table 3. Device Memory Comparison

| Device Features | DS28S60 | MAXQ1061 | MAXQ1065 |
| --- | --- | --- | --- |
| Unique Identification | 64-bit ROMID | UID | UID |
| Non-Volatile Storage | 4KB | 32KB | 8KB |
| Secure Storage | Static Allocation: 4 Key Pairs; 4 Root/Authority public keys; 4 Secret keys; 4 Optional Import Public Keys | Dynamically Allocated and reclaimed on an as-needed basis. Stores any number of key pairs, public keys, x.509 certificates as permitted by the available memory. | Same as the MAXQ1061. |
| Write/Erase Cycles | 10k cycles | 500k cycles | 10k cycles |
| Data Retention (85°C) | 10 years | 25 years | 10 years |

Table 4. Device Cryptographic Feature Comparison

| Device Features | DS28S60 | MAXQ1061 | MAXQ1065 |
| --- | --- | --- | --- |
| FIPS186-4 ECDSA (Asymmetric Key) | P256 | P256, 384, 512 | P256 |
| MAC (Symmetric Key) | HMAC-SHA256 | CBC-MAC, HMAC-SHA256, HMAC-SHA384, HMAC-SHA512, ECIES | CBC-MAC, HMAC-SHA256, AES-CMAC, GMAC |
| On-Chip Key Generation | Yes | Yes | Yes |
| AES (Symmetric Key) | GCM-128 | ECB, CBC, CCM – 128/256 | ECB, CBC, CCM, GCM – 128/256 |
| Bulk Encryption Support | Yes | Yes | Yes |
| Key Exchange Support | ECDH | Through TLS only | ECDH |
| Secure Hash | SHA2-256 | SHA2-256 to 512 | SHA2-256 |
| True RNG | NIST SP800-90A/B (under evaluation) | Yes | NIST SP800-90A/B (under evaluation) |
| Key Establishment | SP800-56A ECDHE-P256, Ephemeral and Static | Through TLS only | SP800-56A ECDHE-P256 Static |

Table 5. Device Command Performance Comparison (between MAXQ1061 and MAXQ1065)

| Device Commands | MAXQ1061 | MAXQ1065 |
| --- | --- | --- |
| CREATE OBJECT | - | 2x faster |
| DELETE OBJECT | - | 1.2x faster |
| READ OBJECT | 14x faster | - |
| WRITE OBJECT | - | 3x faster |
| UPDATE COUNTER | - | 2.4x faster |
| COMPUTE MESSAGE DIGEST | - | 2x faster |
| ENCRYPT DATA | - | 50 to 150x faster |
| DECRYPT DATA | - | 50 to 150x faster |
| PERFORM KEY EXCHANGE | - | 1.5x faster |
| COMPUTE DIGITAL SIGNATURE | - | 7x faster |
| VERIFY DIGITAL SIGNATURE | - | 4 to 8x faster |
| VERIFY BOOT | - | 3 to 4x faster |
| IMPORT KEY | - | 3 to 5x faster |
| GENERATE KEY | - | 3 to 6x faster |
| IMPORT ROOT CERTIFICATE | - | 3 to 5x faster |
| IMPORT CHILD CERTIFICATE | - | 2 to 4x faster |
| MANAGE SECURE CHANNEL | same | same |
| ADMIN AUTHENTICATE | - | 5 to 10x faster |
| GET RANDOM | 2x faster | - |
| SLEEP | 7x faster | - |
| GET STATUS | same | same |
| SET LIFE CYCLE STATE | - | 2.5x faster |
| SET CONFIG | - | 5x faster |

The DS28S60 has a very different command set and implementation philosophy, hence those commands are not covered in Table 5. Thus, Table 5 only highlights the performance differences between the MAXQ1061 and MAXQ1065.