Getting Started with TrustFLEX for Public Key Rotation

Cryptographic best practices discourage extensive reuse of encryption keys. This page shows you how to use TrustFLEX to update public keys securely.

TrustFLEX is a pre-configured and partially pre-provisioned secure element to ensure that a product with the consumables it uses, firmware it runs, accessories that support it, and the network nodes it connects to are not cloned, counterfeited, or tampered with. It is one of three ATECC608A sub-families (including Trust&GO and TrustCUSTOM) found on the CryptoAuth Trust Platform evaluation kit.

trustflex_logo.png

The CryptoAuth Trust Platform includes hardware prototyping tools along with a unique design suite to accelerate the prototyping of commonly implemented use cases (e.g., IoT authentication, firmware validation (Secure Boot), IP protection, custom public key infrastructure, etc.). The presence of three sub-families allows for a wide variety of flexibility for implementation, based on the complexity of the application.

cryptoauth_trust_platform1.png
CryptoAuth Trust Platform

 Materials

Hardware Tools

Tool About Purchase
board-50px.png
CryptoAuth Trust Platform
Evaluation Kit

The CryptoAuth Trust Platform evaluation kit includes an on-board Embedded Debugger (EDBG).

Software Tools

Tool About Installers
Installation
Instructions
Windows Linux Mac OSX
MPLAB® X
Integrated Development Environment
MPLAB® XC32
C/C++ Compiler
swtool-28px.png
Trust Platform DesignSuite
Includes Anaconda Navigator & Jupyter Notebook

The Trust Platform Design Suite also includes example projects for the Atmel Studio 7 IDE.

1. TrustFLEX Devices

TrustFLEX devices (part number ATECC608A-TFLXTLS) are a pre-configured and partially pre-provisioned Secure Element.

1.1 Features:

  • Cloud Platform Support: Google Cloud, AWS IoT, AWS GreenGrass, and Microsoft Azure
  • Secure Boot Firmware validation
  • Secure Over The Air (OTA) upgrade
  • Custom Public Key Infrastructure (PKI)
  • IP/Firmware protection
  • Accessory and Disposable authentication

1.2 Device Customization Process:

There are five steps involved in customizing the TrustFLEX device:

  1. Select a Pre-defined Use Case(s) from the TrustFLEX use case library.
  2. Generate the development keys and certificates using the Jupyter Notebook resource generator.
  3. Prototype the Use Case(s) in the Jupyter Notebook.
  4. Test the Use Case(s) on an embedded platform using the MPLAB® projects provided in the suite.
  5. Generate the secret exchange for production.

2. Open Jupyter Notebook

Jupyter Notebook is an application packaged along with other packages in the Anaconda Distribution. Jupyter Notebook is an open-source web application that allows you to create documents that contain code and narrative text that can be executed in place. It provides Graphical User Interface (GUI) elements, the ability to add images, and provides an interactive look that is absent in normal code files.

The cells of the Notebook can be used to write code or text using markdown. The code cells contain executable code and the text cells contain the explanation of the code's functionality.

Choose your operating system from the tabs below:

1

Select the Windows Start icon.

2

Select Notebook (trust_platform) in the recently added group.

  • If you don't see it, type "Notebook" in the search bar.
start_jupyter.png


The Trust Platform DesignTools folder is shown below.

jupyter_designtools.png

3. TrustFLEX Resource Generator:

The Resource Generator Notebook supports the development of Cryptographic Keys, Custom Root, and Signer Keys to issue device certificates and prototype the TrustFLEX devices with development keys and certificates.

TrustFLEX devices come with pre-programmed certificates in slots 10, 11, and 12. Slots zero-four have pre-generated private keys, other than these mentioned slots all the other slots have no data in them.

The Resource Generator Notebook will create development keys and certificates for all slots that can be further customized. Keys and certificate chains are stored in the PC filesystem and not generated in a secure environment.

Note: This tool is used for development purposes only and not for mass production. The keys and certificate chains are not generated in a secure environment.

3.1 Setting up the Hardware:

  • Plug-in the CryptoAuth Trust Platform to the PC using the USB cable.
  • The Design Suite is set up such that it communicates with the TrustFLEX device only.

3.2 Using the Trust Platform Suite for TrustFLEX:

  • Open the Jupyter Notebook and navigate to the Resource Generation Notebook and click to open it.
  • Double click on Crypto Resource Generator.ipynb to proceed ahead.

Folder Structure

trustflex3.png

Crypto Resource Generator

trustflex4.png
  • Execute each cell using Cell > Run Cell and observe the output of each successfully executed code cell.
  • If the Notebook has already been executed before, then Kernel > Restart and Clean Output helps to start the refresh; the output of the script is shown.
trustflex5.png
  • Once all the cells are executed, you are prompted to choose between the MCHP certificate or a custom created certificate.

This enables you to select the certificate chain for the examples. If MCHP certificates are selected, then the resources would be generated to handle default MCHP certificates. If custom certificates are selected, then it would be prompted for information, such as Organization Name, to include in the custom certificates being generated.

  • Choose the required certificate by entering a number into the box
    • MCHP Certificate: "1"
    • Custom Certificate: "2"
    • For this example, enter the number 2 (custom certificate) in the certificate type box.
trustflex5a.png

TrustFLEX devices only use custom certificates for the AWS custom PKI use-case. For all other TrustFLEX use-cases, this selection is irrelevant because they don't use certificates.

  • A prompt will open asking you to enter the Organization Name. Choose any name (or a random set of characters) but make sure the name does not exceed 24 characters.
  • Once the Organization name has been entered, the output will be as follows:
  • The Notebook will also generate a manifest file to be uploaded into the public cloud of your choice (Google GCP, AWS IoT, and soon to be supported, Microsoft Azure).

4. Use Case Prototyping:

Typically, the validation authority public key will be loaded to a secure element and locked permanently. This permanent public key will be used to validate/invalidate another rotating public key in a different slot. Unless this key is validated, it can’t be used for cryptographic operations.

The slot containing the rotating public key is configured as PubInvalid. This setting restricts the rotating public key access for both writes and cryptography operations until it's enabled by the validation authority.

This validation/invalidation process includes the validation authority signing the rotating public key’s digest and generating the signature. The validation authority’s private key will be used for verifying the signature with the temporary public key’s digest.

Once the rotating public key is validated, it can be used for Elliptic Curve Cryptography (ECC) operations and cannot be overwritten by another fraudulent key.

The basic steps for rotating public key update as follow:

  1. Invalidate existing rotating public key.
  2. Update (write) new rotating public key.
  3. Validate new rotating public key.

The temporary public key invalidation process is the same as validation except for the verify command. Once the temporary public key is invalidated, the slot can be updated with a new temporary public key. Once this new key is generated, its digest must be signed by the validation authority.

Once the new temporary public key is written to the slot, it remains in the invalidated state. This state restricts any Cryptography operations. To validate this slot for cryptography operations, the digest of this slot and signature generated in the previous state should be verified using the authority permanent public key. Once it's verified successfully, the slot becomes validated and is ready for cryptography operations. No updates are allowed to the slot unless is it first invalidated.

4.1 Running Public Key Rotation example on Jupyter Notebook

  • From the Jupyter Home page, navigate to the TFLXTLS_Use_Cases\notebooks\public-key-rotation\Public Key Rotation with ECC608A-TFLXTLS Tutorial.ipynb notebook file and open it.
pub_key_rotation1.png

The notebook will open on your browser.

pub_key_rotation2.png
  • Run all cells by selecting Kernel > Restart & Run All.
pub_key_rotation3.png
  • It may take a while for the cells to complete processing. The circle beside the "Python 3" text in the graphics below indicate if the kernel is running (full circle) or idle (empty circle).
pub_key_rotation4.png
  • Navigate through different cells output for the description of the step and result from the execution.

4.1.1 Generate a validation authority key pair

This step creates a permanent public/private key pair for the validation authority. It is performed by the TrustFLEX Resource Generator notebook (Crypto Resource Generator.ipynb) in the previous step. The validation authority pubic key is stored in slot 13.

4.1.2 Generate a rotating key pair

This step generates a new rotating key pair. Note these keys are not written into any slot at this time.

Click the Gen Rotating key pair button at the bottom of the Notebook. The button will turn green after the keys are generated successfully, and will turn red if there is an error.

pub_key_rotation5.png

4.1.3 Authorize the rotating public key

Before the new rotating keys can be used, they must be validated by the validation authority. In this step, the validation authority calculates the rotating public key’s digest and signs it using the validation authority private key.

Click the Authorize key button at the bottom of the Notebook. The button will turn green after the keys are authorized successfully, and will turn red if there is an error.

pub_key_rotation6.png

4.1.4 Update rotating public key

This is where the actual slot (slot 14) update happens. Before updating, the existing slot must be invalidated using the existing public key digest and signature provided by the validation authority. This signature should be of the existing (old) rotating public key. Once the slot is invalidated, the new rotating public key can be overwritten to this slot. After writing it successfully, the slot remains in the invalidated state ("PubInvalid") and doesn’t allow any cryptographic operations.

4.1.5 Validate the rotating public key

This step does the slot validation after writing the new rotating public key into slot 14. Unless the slot is validated, it cannot be used for cryptographic operations.

The process of validation involves the rotating public key digest and the signature provided by the validation authority. During this process, the TrustFLEX device initiates an internal Public key digest calculation on slot 14. Once the digest is generated, atcab_verify_validate function will be executed with the slot number and signature as parameters. On the successful match of the digest and signature, the slot will be marked as valid. This restricts further writes to the slot but enables cryptographic operations using this slot.

Click the Validate Key button at the bottom of the Notebook. The button will turn green after the key is validated successfully, and will turn red if there is an error.

pub_key_rotation7.png

4.1.6 Verify the rotating public key

Once the rotating public key is validated, it can be used for cryptographic operations. To verify that the rotating public key is functional, you perform a sign and verify ECC operation.

Generate a temporary message digest and sign it with the rotating private key. The signature is verified by using the rotating public key. If it is verified, then the rotating public key is available for ECC operations.

Click the Verify key button at the bottom of the Notebook. The button will turn green after the key is verified successfully, and will turn red if there is an error.

pub_key_rotation8.png

4.2 Running Public Key Rotation example on CryptoAuth Trust Platform

This use case can also be executed on an embedded platform. Once the resources are generated, both Atmel Studio 7 and MPLAB X IDE projects provided can be used to run the application on the CryptoAuth Trust Platform.

Remember to provision the TrustFLEX device before using these projects:

  1. Program the CryptoAuth Trust Platform with the factory firmware.
  2. Execute the TrustFLEX Resource Generator notebook (see the previous step).

Select the IDE of your choice from the tabs below:

1

Open the example project in the IDE
Start the MPLAB X IDE and open the Public Key Rotation project.

  • Select File > Open Project.
  • Look in the trust_platform\DesignTools\TFLXTLS_Use_Cases\c\pub_key_rotate\mplab folder.
  • Double-click the pub_key_rotate.X file.
pub_key_rotation9.png

The application source file pub_key_rotate.c is found in this folder:
TFLXTLS_Use_Cases\c\pub_key_rotate

pub_key_rotation10.png

2

Program the CryptoAuth Trust Platform
Click the Make and Program Device icon and wait for the "Programming complete” message to be displayed in the Output window.

pub_key_rotation11.png
pub_key_rotation12.png

  • Once the programming is complete, the project will execute the public key rotation operation. On successful completion of the operation, the Trust Platform status LED will start blinking.
    • Public key rotation successful = LED blinks once every second
    • Public key rotation unsuccessful = LED blinks five times every second

It is also possible to view the console messages by using a terminal emulation program (i.e., TeraTerm). Open the application with the COM port related to CryptoAuth TrustPlatform with 115200-8-N-1 settings.

pub_key_rotation15.png
© 2019 Microchip Technology, Inc.
Notice: ARM and Cortex are the registered trademarks of ARM Limited in the EU and other countries.
Information contained on this site regarding device applications and the like is provided only for your convenience and may be superseded by updates. It is your responsibility to ensure that your application meets with your specifications. MICROCHIP MAKES NO REPRESENTATIONS OR WARRANTIES OF ANY KIND WHETHER EXPRESS OR IMPLIED, WRITTEN OR ORAL, STATUTORY OR OTHERWISE, RELATED TO THE INFORMATION, INCLUDING BUT NOT LIMITED TO ITS CONDITION, QUALITY, PERFORMANCE, MERCHANTABILITY OR FITNESS FOR PURPOSE. Microchip disclaims all liability arising from this information and its use. Use of Microchip devices in life support and/or safety applications is entirely at the buyer's risk, and the buyer agrees to defend, indemnify and hold harmless Microchip from any and all damages, claims, suits, or expenses resulting from such use. No licenses are conveyed, implicitly or otherwise, under any Microchip intellectual property rights.