-
Notifications
You must be signed in to change notification settings - Fork 60
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Update crypto API to use a Microship secure element such as ATECC608A #236
base: main
Are you sure you want to change the base?
Conversation
* @warning Slot ID must be different from ecdhe_slot_id. | ||
*/ | ||
extern uint8_t ecc_slot_id; | ||
#endif |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
As short term work around, maybe.
But I guess, if a peer executes 2 handshakes simultaneously, that will fail.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
CryptoAuthLib offers a mutex implementation. However, I suspect that if the handshake takes too long, a connection might fail due to timeout?
I still haven't been able to spend time into digging deeper. Other stuff, as Eclipse/Californium has consumed my free time and so I wasn't able to spend it into this. Therefore just some rough ideas:
That should do the job on the client side. On the server that may cause pretty fast a DoS when all slots are used doing simultaneously handshakes with a couple of peers. Therefore I think, the ECDHE keys would be required to be exported to RAM and imported on usage. Not sure if that is possible. |
|
|
About 3. |
…or ecdhe key generation
I am working on boards that embed an ATECC608A (Microchip secure element), and I would like to perform all ECC/ECDH operations using it. This approach offers the benefit of enhanced security, as private keys are not directly manipulated.
Initially, I am working with RIOT. When I started looking for solutions to secure RF communication, I came across tinydtls and was convinced by its implementation of DTLS. I noticed some issues on my board (reported here Issue 224), and a PR to replace ecc with micro-ecc is now open (PR 229).
Micro-ecc works on my boards and significantly accelerates the handshake process. However, as mentioned earlier, I have an ATECC608A on my boards, so I would like to add a feature allowing users to choose whether to use it or not.
Since not all boards embed a secure element, I have added an environment variable (DTLS_ATECC608A) to give users the choice to use it or not. The CryptoAuth library is used to control the secure element (CryptoAuthLib).
This PR is still a work in progress, but I have opened it so that we can discuss and improve my work.