TrustFLEX for Accessory Authentication

Last modified by Microchip on 2023/11/10 11:18

Please note this page is for Trust Platform Design Suite v1. Training for Trust Platform Design Suite v2 can be found here.

Contents

Getting Started with TrustFLEX for Accessory Authentication

Getting Started with TrustFLEX for Accessory Authentication

This page shows you how to use TrustFLEX to verify if the accessories for your product are genuine. You will use Jupyter® Notebook to configure the TrustFLEX device, then use an example project (from the Trust Platform DesignSuite) to authenticate the accessory.

TrustFLEX is one of three secure element families in the Trust Platform. It's pre-configured and partially pre-provisioned to support many different security use cases. It also comes with an overwritable generic certificate for TLS-based authentication to a cloud platform.

Trust Flex

The CryptoAuth Trust Platform development kit includes three secure elements: Trust&GO, TrustFLEX, and TrustCUSTOM. This board comes pre-programmed with firmware allowing it to communicate with the Jupyter Notebook application running on your computer. The Trust Platform Python scripts running on Jupyter Notebook take care of the complex provisioning process allowing you to focus your efforts on your end application.

CryptoAuth Trust Platform Development Kit

Reference Materials

MPLAB X IDE v3.35 has a bug that prevents it from connecting to the CryptoAuth Trust Platform board. Please use a previous or later version of the IDE.

1. Device Customization Process

There are five steps involved in customizing the TrustFLEX device:

Select a Pre-defined Use Case(s) from the TrustFLEX use case library.
Generate the development keys and certificates using the Jupyter Notebook resource generator.
Prototype the Use Case(s) in the Jupyter Notebook.
Test the Use Case(s) on an embedded platform using the MPLAB^® X IDE projects provided in the suite.
Generate the secret exchange for production.

2. Open Jupyter Notebook

Click the Start Jupyter button to open Jupyter Notebook in your web browser.

Start Jupyter Dialog

This is used to provision a secure element on the CryptoAuth Trust Platform board. See the user guides (in the docs folder) for detailed instructions on running Jupyter Notebook for each use case.

Jupyter Notebook is an open-source web application that allows you to create documents that contain code and narrative text that can be executed in place. It provides Graphical User Interface (GUI) elements, the ability to add images, and gives the interactive look that is absent in normal code files.

The cells of the Jupyter Notebook can be used to write code or text using markdown. The code cells contain executable code and the text cells contain the explanation of the code's functionality.

assets folder:

CryptoAuth Trust Platform board firmware.
WINC1500 board firmware.

docs folder:

Data sheets.
CryptoAuth Trust Platform board user's guide.
Detailed use-case guides.

TrustFLEX folder:

Jupyter notebook packages
C-based projects

TrustnGO folder:

Jupyter notebook packages
C-based projects

Jupyter Notebook

3. TrustFLEX Resource Generator:

The Resource Generator Notebook supports the development of Cryptographic Keys, Custom Root, and Signer Keys to issue device certificates and prototype the TrustFLEX devices with development keys and certificates.

TrustFLEX devices come with pre-programmed certificates in slots 10, 11, and 12. Slots zero through four have pre-generated private keys, other than these mentioned slots all the other slots have no data in them.

The Resource Generator Notebook will create development keys and certificates for all slots that can be further customized. Keys and certificate chains are stored in the PC filesystem and not generated in a secure environment.

Note: This tool is used for development purposes only and not for mass production. The keys and certificate chains are not generated in a secure environment.

3.1 Setting up the Hardware:

Plug-in the CryptoAuth Trust Platform to the PC using the USB cable.
The Design Suite is set up such that it communicates with the TrustFLEX device only.

3.2 Using the Trust Platform Suite for TrustFLEX:

Open Jupyter Notebook, navigate to the TrustFLEX resource generator notebook, and click to open it.
- Trust Platform repository folder: TrustFLEX\00_resource_generation\
- File: TFLXTLS_resource_generator.ipynb

TrustFLEX resource generator

Crypto Resource Generator

Execute each cell by clicking Cell > Run Cell, and observe the output to ensure each cell is executed successfully.
If the Notebook has already been executed before, then restart the kernel by selecting Kernel > Restart and Clear Output.

Some cells take a bit of time to execute. The circle in the images below indicates if the kernel is still working on a cell (full circle) or idle (empty circle).

Crypto Resource Generator

Restart and Clear Output

This is a brief guide for the Jupyter interface.

Once all the cells are executed, you are asked to select the certificate type you need.
- Select MCHP Cert to use the standard Microchip certificate.
- Select Custom Cert to use a custom certificate. If using a custom certificate, you will need to enter the organization name to include in the custom certificates being generated.

For this example, select Custom Cert.
- A prompt will open asking you to enter the Organization Name. If you don't know the organization name you can make one up but make sure the name does not exceed 24 characters.

Custom Certificate Dialog

TrustFLEX devices only use custom certificates for the custom PKI use cases. For all other TrustFLEX use cases, this selection is irrelevant because they don't use certificates.

Once the organization name has been entered, certificate data will be outputed and a manifest file to be uploaded into the public cloud of your choice (Google GCP, AWS IoT, and Microsoft® Azure®) will be generated.

4. Use Case Prototyping:

This hands-on lab is intended to demonstrate the usage of the host to authenticate the accessory device. It uses symmetric authentication where both host and accessory devices share a common secret key.

This process uses a challenge-response model. In this model, the host authenticates the accessory device based on a Message Authentication Code (MAC) response. MAC is calculated on the accessory device to prove that it holds the secret key that is shared by the host. Then, the calculated MAC will be verified by the host to authenticate the accessory.

MAC calculation on accessory includes the device serial number, nonce (number used once), and a shared secret key. By including the serial number and nonce, the host can get unique MAC from each accessory every time, thereby avoiding the replay attacks.

This lab is developed by simulating the TrustFLEX device as an Accessory and host to authenticate the accessory. In TrustFLEX, both Slot5 and the host have the same shared secret key.

The resource generation for the TrustFLEX device will load a prototyping symmetric key to Slot5 of the TrustFLEX device.

The following sections provide detailed steps to execute the use case both on Jupyter Notebook and on the embedded project.

4.1 Running Accessory-Authentication example on Jupyter Notebook:

In Jupyter Notebook, open the following folder in the Trust Platform repository to open the TFLXTLS_accessory_authentication package:
- TrustFLEX\01_accessory_authentication\notebook

Running Accessory-Authentication

Run all cells by selecting Kernel > Restart & Run All

Remember to wait for the kernel to complete processing all cells. Note if an error occurs the kernel will stop processing immediately.

Kernal Busy Indicator

Review the output of each code cell to verify it executed without errors.
- When a kernel starts processing a cell, an asterisk is shown in the brackets of the input cell. When the kernel completes processing the cell (with or without error), it will replace the asterisk with a number indicating how many cells have been processed.

Execution Verification Dialog

4.1.1 Generate MAC from Accessory (TrustFLEX)

The code block of this step generates a random challenge and expects the accessory to provide the MAC for this challenge. The accessory calculates the MAC value by including its serial number, shared secret, and the challenge received from the host.

Calculate Nonce
- To calculate the MAC, a nonce is used. The nonce is calculated based on the challenge, which is initiated by the host. Then the calculated nonce will be stored in the tempkey on TrustFLEX and on the host.
Calculate MAC on the accessory device
- The MAC is calculated on the accessory device to prove that the accessory device has access and holds the secret key, which is shared by the host. The accessory device MAC is calculated with the accessory device serial number, calculated nonce, and secret key.
The calculated MAC will be sent to the host to authenticate the accessory device.
The following screenshot shows the accessory device MAC.

Accessory device MAC

4.1.2 Verify the MAC with the host device (TrustFLEX)

The code block of this step generates the Verify MAC button. Clicking the button performs a checkmac operation to verify if the MAC received from the accessory matches the host challenge, accessory serial number, and shared secret key. If any of these don't match, the checkmac operation fails indicating the accessory is not authentic.

Verify the MAC

4.2 Running Accessory-Authentication on Embedded platform

This use case can also be executed on an embedded platform. Once the resources are generated, both Atmel Studio 7 and MPLAB® X IDE projects provided can be used to run the application on the CryptoAuth Trust Platform.

Remember to provision the TrustFLEX device before using these projects:

Program the CryptoAuth Trust Platform with the factory firmware.
Execute the TrustFLEX Resource Generator notebook (see the previous step).

MPLAB X IDE

Open the example project in the IDE.
Start the MPLAB X IDE and open the Accessory Authentication project.

Select File > Open Project.
Look in the TrustFLEX\01_accessory_authentication\c\mplab folder.
Select the accessory_auth.X file.
Click the Open Project button.

Open Project in MPLAB X Dialog

The application source file accessory_auth.c is found in this folder:
TrustFLEX\01_accessory_authentication\c

Application source file in folder

Program the CryptoAuth Trust Platform.
Click the Make and Program Device icon and wait for the "Programming complete” message to be displayed in the Output window.

Make and Program Device

Once the programming is done, the firmware will perform the Accessory-Authentication operation. Depending on the Accessory-Authentication operation’s output, the Cryptoauth Trust Platform board’s status LED will blink at different rates.

Success: LED blinks once every second.
Fail: LED blinks five times every second.

It is also possible to view the console messages by using a terminal emulation program (i.e., TeraTerm). Open the application with the COM port related to CryptoAuth TrustPlatform with 115200-8-N-1 settings.

Tera Term Output Window

Studio 7

Open the example project in the IDE.
Open the Accessory Authentication project by double-clicking on it. You will find it here:
TrustFLEX\01_accessory_authentication\c\studio\accessory_auth.atsln.

Open the Accessory Authentication project

The application source file accessory_auth.c is found in this folder:
TrustFLEX\01_accessory_authentication\c.

Program the CryptoAuth Trust Platform.
Select Debug > Start Without Debugging.

Select Debug and then Start Without Debugging

Success: LED blinks once every second.
Fail: LED blinks five times every second.