Getting Started with TrustFLEX for Accessory Authentication

This page shows you how to use TrustFLEX to verify if the accessories for your product are genuine. You will use Jupyter Notebook to configure the TrustFLEX device, then use an example project (from the Trust Platform DesignSuite) to authenticate the accessory.

TrustFLEX is a pre-configured and partially pre-provisioned secure element to ensure that a product with the consumables it uses, firmware it runs, accessories that support it, and the network nodes it connects to are not cloned, counterfeited, or tampered. It is one of the three ATECC608A sub-families (including Trust&GO and TrustCUSTOM) found on the CryptoAuth Trust Platform development kit.

trustflex_logo.png

The CryptoAuth Trust Platform includes hardware prototyping tools along with a unique design suite to accelerate the prototyping of commonly implemented use cases (e.g., IoT authentication, firmware validation (Secure Boot), IP protection, custom public key infrastructure, etc.). The presence of three sub-families allows for a wide variety of flexibility for implementation, based on the complexity of the application.

cryptoauth_trust_platform1.png

 Materials

Hardware Tools

Tool About Purchase
board-50px.png
CryptoAuth Trust Platform
Evaluation Kit

The CryptoAuth Trust Platform evaluation kit includes an on-board Embedded Debugger (EDBG).

Software Tools

Tool About Installers
Installation
Instructions
Windows Linux Mac OSX
MPLAB® X
Integrated Development Environment
MPLAB® XC32
C/C++ Compiler
swtool-28px.png
Trust Platform DesignSuite
Includes Anaconda Navigator & Jupyter Notebook

The Trust Platform Design Suite also includes example projects for the Atmel Studio 7 IDE.

1. TrustFLEX Devices

TrustFLEX devices (part number ATECC608A-TFLXTLS) are pre-configured and partially pre-provisioned Secure Element.

1.1 Features:

  • Cloud Platform Support: Google Cloud, AWS IoT, AWS GreenGrass, and Microsoft Azure
  • Secure Boot Firmware validation
  • Secure Over The Air (OTA) upgrade
  • Custom Public Key Infrastructure (PKI)
  • IP/Firmware protection
  • Accessory and Disposable authentication

1.2 Device Customization Process:

There are five steps involved in customizing the TrustFLEX device:

  1. Select a Pre-defined Use Case(s) from the TrustFLEX use case library.
  2. Generate the development keys and certificates using the Jupyter Notebook resource generator.
  3. Prototype the Use Case(s) in the Jupyter Notebook.
  4. Test the Use Case(s) on an embedded platform using the MPLAB® projects provided in the suite.
  5. Generate the secret exchange for production.

2. Open Jupyter Notebook

Jupyter Notebook is an application packaged along with other packages in the Anaconda Distribution. Jupyter Notebook is an open-source web application that allows you to create documents that contain code and narrative text that can be executed in place. It provides Graphical User Interface (GUI) elements, the ability to add images, and provides an interactive look that is absent in normal code files.

The cells of the Notebook can be used to write code or text using markdown. The code cells contain executable code and the text cells contain the explanation of the code's functionality.

Choose your operating system from the tabs below:

1

Select the Windows Start icon.

2

Select Notebook (trust_platform) in the recently added group.

  • If you don't see it, type "Notebook" in the search bar.
start_jupyter.png


The Jupyter Notebook emulates the folder structure of the host computer.

If you are using macOS, Jupyter Notebook will default to your HOME directory. You will need to navigate to trust_platform/DesignTools to reach the folder structure shown below.

assets folder:

  • CryptoAuth Trust Platform board factory reset project.

Docs folder:

  • TrustFLEX data sheets.
  • CryptoAuth Trust Platform board users guide.
  • Detailed TrustFLEX use-case guides.

TrustFLEX folder:

  • Jupyter notebooks and c-based projects for TrustFLEX.

TrustnGO folder:

  • Jupyter notebooks and c-based projects for TrustnGO.
trust_platform5.png
Click image to enlarge.

start_here.html file:

  • Local webpage filled with lots of useful Trust Platform info including:
    • Trust Platform family selection guide.
    • Step-by-step use-case guide for application developers.
      • Use-case transaction diagrams including Application Programming Interfaces (APIs) with links to their implementation in example code.
      • Secure element provisioning description.
      • Secure element slot configuration and descriptions.

3. TrustFLEX Resource Generator:

The Resource Generator Notebook supports the development of Cryptographic Keys, Custom Root, and Signer Keys to issue device certificates and prototype the TrustFLEX devices with development keys and certificates.

TrustFLEX devices come with pre-programmed certificates in slots 10, 11, and 12. Slots zero-four have pre-generated private keys, other than these mentioned slots all the other slots have no data in them.

The Resource Generator Notebook will create development keys and certificates for all slots that can be further customized. Keys and certificate chains are stored in the PC filesystem and not generated in a secure environment.

Note: This tool is used for development purposes only and not for mass production. The keys and certificate chains are not generated in a secure environment.

3.1 Setting up the Hardware:

  • Plug-in the CryptoAuth Trust Platform to the PC using the USB cable.
  • The Design Suite is set up such that it communicates with the TrustFLEX device only.

3.2 Using the Trust Platform Suite for TrustFLEX:

  • Open Jupyter Notebook, navigate to the TrustFLEX resource generator notebook, and click to open it.
    • Folder: …DesignTools\TrustFLEX\00_resource_generation\
    • File: TFLXTLS_resource_generator.ipynb
trustflex3.png

Crypto Resource Generator

trustflex4.png
  • Execute each cell using Cell > Run Cell and observe the output of each successfully executed code cell.
  • If the Notebook has already been executed before, then Kernel > Restart and Clean Output helps to start the refresh; the output of the script is shown.
trustflex5.png
  • Once all the cells are executed, you are prompted to choose between the MCHP certificate or a custom created certificate.

This enables you to select the certificate chain for the examples. If MCHP certificates are selected, then the resources would be generated to handle default MCHP certificates. If custom certificates are selected, then it would be prompted for information, such as Organization Name, to include in the custom certificates being generated.

  • Choose the required certificate by entering a number into the box
    • MCHP Certificate: "1"
    • Custom Certificate: "2"
    • For this example, enter the number 2 (custom certificate) in the certificate type box.
trustflex5a.png

TrustFLEX devices only use custom certificates for the AWS custom PKI use-case. For all other TrustFLEX use-cases, this selection is irrelevant because they don't use certificates.

  • A prompt will open asking you to enter the Organization Name. Choose any name (or a random set of characters) but make sure the name does not exceed 24 characters.
  • Once the Organization name has been entered, the output will be as follows:
▶ Show Output
  • The Notebook will also generate a manifest file to be uploaded into the public cloud of your choice (Google GCP, AWS IoT, and soon to be supported, Microsoft Azure).

4. Use Case Prototyping:

This hands-on lab is intended to demonstrate the usage of the host to authenticate the accessory device. It uses symmetric authentication where both host and accessory devices share a common secret key.

This process uses a challenge-response model. In this model, the host authenticates the accessory device based on a Message Authentication Code (MAC) response. MAC is calculated on the accessory device to prove that it holds the secret key that is shared by the host. Then the calculated MAC will be verified by the host to authenticate the accessory.

MAC calculation on accessory includes the device serial number, nonce (number used once), and a shared secret key. By including the serial number and nonce, the host can get unique MAC from each accessory every time, thereby avoiding the replay attacks.

This lab is developed by simulating the TrustFLEX device as an Accessory and host to authenticate the accessory. In TrustFLEX, both Slot5 and the host have the same shared secret key.

The resource generation for the TrustFLEX device will load a prototyping symmetric key to Slot5 of the TrustFLEX device.

The following sections provide detailed steps to execute the use case both on Jupyter Notebook and on the embedded project.

4.1 Running Accessory-Authentication example on Jupyter Notebook:

  • From the Jupyter Home page, navigate to the TFLXTLS_Use_Cases\notebooks\accessory-authentication\Accessory Authentication.ipynb notebook file and open it.
acc_auth1.png
  • Opening the notebook from Jupyter home page should load the following on the browser.
acc_auth2.png
  • Run all cells by selecting Kernel > Restart & Run All
acc_auth3.png
  • It may take a while for the cells to complete processing. The circle beside the "Python 3" text in the graphics below indicate if the kernel is running (full circle) or idle (empty circle).
acc_auth4.png
  • Navigate through different cells output for the description of the step and result from the execution.

4.1.1 Generate MAC from Accessory (TrustFLEX)

The code block of this step generates a random challenge and expects the accessory to provide the MAC for this challenge. The accessory calculates the MAC value by including its serial number, shared secret, and the challenge received from the host.

  • Calculate Nonce
    • To calculate the MAC, a nonce is used. The nonce is calculated based on the challenge which is initiated by the host. Then the calculated nonce will be stored in the tempkey on TrustFLEX and on the host.
  • Calculate MAC on the accessory device
    • The MAC is calculated on the accessory device to prove that the accessory device has access and holds the secret key which is shared by the host. The accessory device MAC is calculated with the accessory device serial number, calculated nonce, and secret key.
  • The calculated MAC will be sent to the host to authenticate the accessory device.
  • The following screenshot shows the accessory device MAC.
acc_auth5.png

4.1.2 Verify the MAC with the host device (TrustFLEX)

The code block of this step generates the Verify MAC button. Clicking the button performs a checkmac operation to verify if the MAC received from the accessory matches the host challenge, accessory serial number, and shared secret key. If any of these don't match, the checkmac operation fails indicating the accessory is not authentic.

acc_auth6.png
  • In Jupyter Notebook, run cells till the end of the notebook. You will see a Verify MAC button appear. Press the button. It will turn green if the accessory device is authenticated by the MCU or it will turn red indicating a failure to verify.

4.2 Running Accessory-Authentication on Embedded platform

This use case can also be executed on an embedded platform. Once the resources are generated, both Atmel Studio 7 and MPLAB X IDE projects provided can be used to run the application on the CryptoAuth Trust Platform.

Remember to provision the TrustFLEX device before using these projects:

  • Program the CryptoAuth Trust Platform with the factory firmware.
  • Execute the TrustFLEX Resource Generator notebook (see the previous step).

Select the IDE of your choice from the tabs below:

1

Open the example project in the IDE
Start the MPLAB X IDE and open the Accessory Authentication project.

  • Select File > Open Project.
  • Look in the TFLXTLS_Use_Cases\c\accessory_auth\mplab folder.
  • Select the accessory_auth.X file.
  • Click the Open Project button.
acc_auth16.png

The application source file accessory_auth.c is found in this folder:
TFLXTLS_Use_Cases\c\accessory_auth

acc_auth17.png

2

Program the CryptoAuth Trust Platform
Click the Make and Program Device icon and wait for the "Programming complete” message to be displayed in the Output window.

acc_auth18.png
acc_auth14.png

Once the programming is done, the firmware will perform the Accessory-Authentication operation. Depending on the Accessory-Authentication operation’s output, the Cryptoauth Trust Platform board’s status LED will blink at different rates.

  • Success: LED blinks once every second.
  • Fail: LED blinks five times every second.

It is also possible to view the console messages by using a terminal emulation program (i.e., TeraTerm). Open the application with the COM port related to CryptoAuth TrustPlatform with 115200-8-N-1 settings.

acc_auth10.png

5. CryptoAuth Trust Platform factory reset

Programming the CryptoAuth Trust Platform evaluation kit with this example project overwrites the project that was programmed onto the board when you received it. This project enables the board to be configured with the Jupyter notebooks.

To reprogram your board with the original project from the factory, see this page.

  Return to Top

© 2020 Microchip Technology, Inc.
Notice: ARM and Cortex are the registered trademarks of ARM Limited in the EU and other countries.
Information contained on this site regarding device applications and the like is provided only for your convenience and may be superseded by updates. It is your responsibility to ensure that your application meets with your specifications. MICROCHIP MAKES NO REPRESENTATIONS OR WARRANTIES OF ANY KIND WHETHER EXPRESS OR IMPLIED, WRITTEN OR ORAL, STATUTORY OR OTHERWISE, RELATED TO THE INFORMATION, INCLUDING BUT NOT LIMITED TO ITS CONDITION, QUALITY, PERFORMANCE, MERCHANTABILITY OR FITNESS FOR PURPOSE. Microchip disclaims all liability arising from this information and its use. Use of Microchip devices in life support and/or safety applications is entirely at the buyer's risk, and the buyer agrees to defend, indemnify and hold harmless Microchip from any and all damages, claims, suits, or expenses resulting from such use. No licenses are conveyed, implicitly or otherwise, under any Microchip intellectual property rights.