NXP Semiconductors
AN13500
EdgeLock A5000 Secure Authenticator for electronic anti-counterfeit protection using device-to-device authentication
4.7 Mutual authentication flow
As already described in
the authentication flow consists of a mutual authentication procedure. First, the machine authenticates the control unit. If this authentication succeeds, the control unit then authenticates the machine.
4.7.1 Control unit authentication
The authentication of the control unit consists of two steps:
• Step 1: Control unit device certificate validation
• Step 2: Proof of control unit private key possession
The example below demonstrates the basic principle of the control unit authentication flow, as shown in the figure below, using the OpenSSL command-line tools.
Figure 29. Control unit authentication flow
4.7.1.1 Step 1: Control unit device certificate validation
In the first step, the control unit sends its device certificate (control_unit.pem) to the machine, which validates it. The OpenSSL verify command-line tool validates a certificate chain. OpenSSL must be given the NXP A5000 root CA (as the trust anchor), the NXP A5000 intermediate CA (as an untrusted chain-building certificate) and the A5000 device certificate to be validated:
openssl verify -CAfile nxp_a5000_root_ca.pem -untrusted nxp_a5000_intermediate_ca.pem control_unit.pem
Figure 30. OpenSSL - Verify control unit device certificate
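The Step 1 check run end to end, as an added example that is not part of the application note: a POSIX shell script that builds a constructed test chain with throw-away EC keys (the file names follow the note, but the certificates are stand-ins, not NXP's A5000 CAs), verifies the control unit certificate with the command above, and shows that a certificate issued under a foreign CA, or a verification that omits the intermediate, is rejected.

```shell
#!/bin/sh
# Added example, not code from the NXP application note. Builds a constructed
# root CA -> intermediate CA -> control unit chain with throw-away keys, then
# runs the Step 1 verify command as the machine would. Test certificates only.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Extension files: OpenSSL only accepts an issuer as a CA if CA:TRUE is set.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=critical,CA:FALSE\nkeyUsage=critical,digitalSignature\n' > leaf.ext

# issue NAME KEYFILE SUBJECT EXTFILE [ISSUER_CERT ISSUER_KEY]
# Without an issuer the certificate is self-signed (used for the root CAs).
issue() {
    openssl ecparam -name prime256v1 -genkey -noout -out "$2"
    openssl req -new -key "$2" -subj "$3" -out "$1.csr" 2>/dev/null
    if [ -n "$5" ]; then
        openssl x509 -req -in "$1.csr" -CA "$5" -CAkey "$6" -CAcreateserial \
            -days 30 -extfile "$4" -out "$1.pem" 2>/dev/null
    else
        openssl x509 -req -in "$1.csr" -signkey "$2" \
            -days 30 -extfile "$4" -out "$1.pem" 2>/dev/null
    fi
}

issue nxp_a5000_root_ca root.key "/CN=Test A5000 Root CA" ca.ext
issue nxp_a5000_intermediate_ca inter.key "/CN=Test A5000 Intermediate CA" ca.ext \
      nxp_a5000_root_ca.pem root.key
issue control_unit control_unit.key "/CN=Test control unit" leaf.ext \
      nxp_a5000_intermediate_ca.pem inter.key
# A counterfeit control unit: same subject, but its chain does not end at the trusted root.
issue rogue_ca rogue_ca.key "/CN=Rogue CA" ca.ext
issue counterfeit counterfeit.key "/CN=Test control unit" leaf.ext rogue_ca.pem rogue_ca.key

# Step 1 as run by the machine: trust only the root, pass the intermediate as
# untrusted so OpenSSL can build the chain. Returns 0 only when the chain validates.
verify_control_unit() {
    openssl verify -CAfile nxp_a5000_root_ca.pem \
        -untrusted nxp_a5000_intermediate_ca.pem "$1" >/dev/null 2>&1
}

# Same check without the intermediate: OpenSSL cannot find the issuer and fails.
verify_without_intermediate() {
    openssl verify -CAfile nxp_a5000_root_ca.pem "$1" >/dev/null 2>&1
}

if verify_control_unit control_unit.pem; then echo "control_unit.pem: chain OK"; fi
```

The script requires the openssl binary on PATH; it needs no network access and removes its temporary directory on exit.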
© NXP B.V. 2022. All rights reserved.
Application note
Rev. 1.0 — 28 March 2022
25 / 45