manualshive.com logo in svg

NXP Semiconductors EdgeLock A5000, Примечание к применению

NXP Semiconductors EdgeLock A5000 - устройство надежного хранения данных для безопасного хранения конфиденциальной информации. Бесплатно загружайте руководства по применению и руководства по эксплуатации с нашего сайта. Получите доступ к полной документации по продукту на manualshive.com.

Поделиться
Скачать
background image

NXP Semiconductors

AN13500

EdgeLock A5000 Secure Authenticator for electronic anti-counterfeit protection using device-to-device

authentication

Figures

Fig. 1.

Device-to-device authentication scenario ..........3

Fig. 2.

Certificate chain of trust .................................... 4

Fig. 3.

Certificate hierarchy .......................................... 5

Fig. 4.

Machine and control unit credentials .................5

Fig. 5.

Control unit authentication flow ......................... 7

Fig. 6.

Machine authentication flow ..............................8

Fig. 7.

A5000 CMake options .....................................11

Fig. 8.

Principle of the OpenSSL engine .................... 12

Fig. 9.

Check the installed OpenSSL version .............13

Fig. 10.

ssscli help ........................................................14

Fig. 11.

ssscli connect help ..........................................14

Fig. 12.

ssscli se05x help .............................................15

Fig. 13.

ssscli readidlist ................................................ 15

Fig. 14.

Retrieve the pre-provisioned A5000 device

certificats ......................................................... 17

Fig. 15.

Device certificats in PEM format ..................... 17

Fig. 16.

Content of the machine certificate ...................18

Fig. 17.

Content of the control unit certificate ...............19

Fig. 18.

Retrieve the pre-provisioned A5000 device

certificate's public keys ................................... 19

Fig. 19.

Device public keys in PEM format ...................20

Fig. 20.

Content of the device public keys ................... 20

Fig. 21.

Create the reference key files for the

OpenSSL engine .............................................21

Fig. 22.

Reference private keys in PEM format ............21

Fig. 23.

Content of the reference private keys ............. 22

Fig. 24.

Certification chain of the pre-provisioned

A5000 device certificates ................................ 23

Fig. 25.

Download the NXP intermediate certificate ..... 23

Fig. 26.

Convert the NXP intermediate certificate

file nxp_a5000_intermediate_ca.crt" into a

PEM formatted file .......................................... 24

Fig. 27.

Download the NXP root certificate .................. 24

Fig. 28.

Convert the NXP root certificate file "nxp_

a5000_root_ca.crt"into a PEM formatted

file ....................................................................24

Fig. 29.

Control unit authentication flow ....................... 25

Fig. 30.

OpenSSL - Verify control unit device

certificate ......................................................... 25

Fig. 31.

OpenSSL - Random numbers generated by

OpenSSL in software ...................................... 26

Fig. 32.

Plug & Trust Middleware OpenSSL engine

default configuration ........................................27

Fig. 33.

OpenSSL - Random number generated by

A5000 .............................................................. 27

Fig. 34.

OpenSSL - A5000 random numbers are

stored in a text file .......................................... 28

Fig. 35.

OpenSSL - The A5000 signs the random

numbers with the private ECC key stored

inside the A5000 ............................................. 28

Fig. 36.

Control unit signature ......................................28

Fig. 37.

OpenSSL - Verify control unit signature .......... 29

Fig. 38.

Control unit authentication flow ....................... 30

Fig. 39.

OpenSSL - Verify machine certificate ..............31

Fig. 40.

OpenSSL - A5000 random numbers are

stored in a text file .......................................... 32

Fig. 41.

OpenSSL - The A5000 signs the random

numbers with the private ECC key stored

inside the A5000 ............................................. 32

Fig. 42.

Machine signature ...........................................32

Fig. 43.

OpenSSL - Verify machine signature .............. 33

Fig. 44.

SPC03 mutual authentication – principle .........35

Fig. 45.

SPC03 Encryption and MACing principle ........ 35

Fig. 46.

A5000 CMake options to enable Platform

SCP ................................................................. 36

Fig. 47.

A5000Platform SCP plain text key file .............37

Fig. 48.

A5000 CMake options to enable Platform

SCP ................................................................. 38

AN13500

All information provided in this document is subject to legal disclaimers.

© NXP B.V. 2022. All rights reserved.

Application note

Rev. 1.0 — 28 March 2022

44 / 45

Содержание EdgeLock A5000

Страница 1: ...protection using device to device authentication Rev 1 0 28 March 2022 Application note Document information Information Content Keywords A5000 mutual authentication proof of possession Abstract This...

Страница 2: ...ction using device to device authentication Revision history Revision number Date Description 1 0 2022 03 28 Initial version Revision history AN13500 All information provided in this document is subje...

Страница 3: ...ect to it The machines also authenticate the control unit that will manage it Therefore only authenticated machines and control units will be used in the supply chain This mechanism ensures protection...

Страница 4: ...ed it The certificate chain of trust results in a root CA signing an intermediate CA that in turn signs a leaf certificate as shown in Figure 2 Verify Signature Sign Owner s name Leaf certificate Owne...

Страница 5: ...ividual certificate and a key pair securely stored as shown in Figure 4 Figure 4 Machine and control unit credentials Secure silicon chips like A5000 are capable of internally protecting private keys...

Страница 6: ...es of all the certificates in the chain up to the root CA If the control unit certificate is valid it means that the public key included in it can be trusted Proof of possession The second step is the...

Страница 7: ...e machine certificate is valid it means that the public key included in it can be trusted Proof of possesion The second step is the proof of possession This procedure is needed to make sure that the c...

Страница 8: ...ctronic anti counterfeit protection using device to device authentication Figure 6 Machine authentication flow AN13500 All information provided in this document is subject to legal disclaimers NXP B V...

Страница 9: ...3 Section 4 3 Plug Trust Middleware ssscli tool introduction 4 Section 4 4 Pre provisioned A5000 device certificates used by the example 5 Section 4 5 Retrieve the pre provisioned A5000 credentials 6...

Страница 10: ...t 07_02 for the CMake option PTWM_SE05X_Ver Disable the CMake option SSSFTR_SE05X_RSA The project settings can be specified dynamically using the CMake GUI Figure 7 shows a CMake GUI screenshot with E...

Страница 11: ...L engine overview OpenSSL is a free software library contains an open source implementation of the TLS protocols OpenSSL is available for most Unix like operating systems including Linux macOS and BSD...

Страница 12: ...SL engine allows to use the A5000 Secure Authenticator for the following operations EC crypto EC sign verify and ECDH compute key Fetching random data The A5000 secure key and object management is not...

Страница 13: ...000 interactively through the command line For example you can use the ssscli to create keys and credentials in the A5000 security IC during evaluation development and testing phases The ssscli tool i...

Страница 14: ...e ssscli connect help Figure 11 ssscli connect help Note The subsystem option auth shall be used to define a session with the A5000 authenticator For the Raspberry Pi the connection method none can be...

Страница 15: ...If you are not able to connect to the A5000 with an error saying that there is a session already open run ssscli se05x disconnect first To close a session use ssscli disconnect 4 4 Pre provisioned A5...

Страница 16: ...ides an OpenSSL engine which allows to use so called reference keys instead of private keys A reference key contains only a reference the object ID to the private key inside the A5000 The reference ke...

Страница 17: ...re provisioned A5000 device certificats Both certificates are stored in PEM format These are text files containing base64 encoded data The Linux command cat can be used to output the contents of a tex...

Страница 18: ...cate in human readable form text switch The noout switch reduces the output by not printing the base64 encoded certificate itself openssl x509 noout text in machine pem Figure 16 Content of the machin...

Страница 19: ...the OpenSSL command line tool or with the help of the ssscli tool In this chapter the ssscli tool is used ssscli get ecc pub format PEM 0xF0000000 machine_pub_key pem ssscli get ecc pub format PEM 0x...

Страница 20: ...e ECC private keys are securely stored inside the A5000 and cannot be read out like the public certificate or public key To be able to delegate a private crypto operation like an ECC signature generat...

Страница 21: ...cat machine_ref_key pem cat control_unit_ref_key pem Figure 22 Reference private keys in PEM format In the first glance the reference key looks like as any other private key therefore it is required t...

Страница 22: ...ivate key In case a reference key is passed to the OpenSSL API or command line tool the NXP OpenSSL engine will invoke the A5000 to perform the private crypto operation 4 6 Chain of trust of the pre p...

Страница 23: ...ates we need to download the intermediate certificate The NXP intermediate certificate can be downloaded via the following link https www gp ca nxp com CA getCA caid 63709315060022 The Linux command w...

Страница 24: ...ww gp ca nxp com CA getCA caid 63709315050010 We can use again the Linux command wegt to download the certificate wget https www gp ca nxp com CA getCA caid 63709315050010 O nxp_a5000_root_ca crt Figu...

Страница 25: ...of the control unit authentication flow as show in the figure below using the OpenSSL command line tools Figure 29 Control unit authentication flow 4 7 1 1 Step 1 Control unit device certificate valid...

Страница 26: ...ignature signed random number is returned to the machine The machine verifies the signature with the control unit public key The control unit is authenticated in case of successful signature verificat...

Страница 27: ...CONF This step is performed with the help of the shell s export command export OPENSSL_CONF se_mw simw top demos linux common openssl11_sss_se050 cnf Now we can use the same OpenSSL command to delegat...

Страница 28: ...ndom sha256 in binary format openssl dgst sha256 sign control_unit_ref_key pem out control_unit_signature sha256 machine_random txt Figure 35 OpenSSL The A5000 signs the random numbers with the privat...

Страница 29: ...7 OpenSSL Verify control unit signature The control unit is authenticated in case OpenSSL returns Verified OK 4 7 2 Machine authentication The authentication of the machine also consists of two steps...

Страница 30: ...tep the machine sends the machine certificate machine pem to the control unit for validating the certificate We use again the OpenSSL verify command line tools to validate the certification chain open...

Страница 31: ...nSSL returns OK This also means that the public key included in the machine certificate can be trusted 4 7 2 2 Step 2 Proof of control unit private key possession In this step the machine must prove t...

Страница 32: ...sha256 sign machine_ref_key pem out mashine_signature sha256 control_unit_random txt Figure 41 OpenSSL The A5000 signs the random numbers with the private ECC key stored inside the A5000 We can use th...

Страница 33: ...in the middle attacks aimed at intercepting the communication between the MPU MCU and the A5000 and physical tampering attacks aimed at replacing the host MPU MCU or A5000 A5000 natively supports Glob...

Страница 34: ...SO7816 4 secure channel APDUs The establishment of an SCP03 channel requires three static 128 bit AES keys shared between the two communicating parties Key ENC Key MAC and Key DEK Key ENC and Key MAC...

Страница 35: ...entication SPC03 Mutual authentication MA Principle I Host A5000 GP INITIALIZE UPDATE Response Card Challenge Card Auth Cryptogram GP INITIALIZE UPDATE Command Host Challenge GP EXTERNAL AUTHENTICATE...

Страница 36: ...lect PlatfSCP03 for the CMake option PTWM_SE05X_Auth The project settings can be specified dynamically using the CMake GUI The figure below shows a CMake GUI screenshot with the required project setti...

Страница 37: ...ault Platform SCP keys for a different product Therefore it is required to change the default settings For evaluation purpose the MW supports to store the Platform SCP key in a plain text file For fur...

Страница 38: ...ases authentication with default Platform SCP keys and the rotation update of those keys with user defined keys The example documentation is available in the EdgeLock SE05x Plug Trust Middleware docum...

Страница 39: ...on using device to device authentication Please refer to the Plug Trust Middleware documentation chapter 5 4 3 Access Manager for more details AN13500 All information provided in this document is subj...

Страница 40: ...ovisioned with keys which can be used for all major use cases including device to device authentication EdgeLock 2GO Custom NXP offers a customization service for injecting the credentials that you ne...

Страница 41: ...enticator Product data sheet Available under https www nxp com docs en data sheet A5000 DATASHEET pdf AN12570 EdgeLock SE05x Quick start guide with Raspberry Pi Available under https www nxp com docs...

Страница 42: ...on or use by customer s third party customer s NXP does not accept any liability in this respect Terms and conditions of commercial sale NXP Semiconductors products are sold subject to the general ter...

Страница 43: ...ion Tables Tab 1 Pre provisioned certificates and keys used by the example 16 Tab 2 Static SCP03 keys 34 Tab 3 SCP03 session keys 35 Tab 4 128 bit AES Default Platform SCP keys 37 AN13500 All informat...

Страница 44: ...rmediate certificate file nxp_a5000_intermediate_ca crt into a PEM formatted file 24 Fig 27 Download the NXP root certificate 24 Fig 28 Convert the NXP root certificate file nxp_ a5000_root_ca crt int...

Страница 45: ...25 4 7 1 Control unit authentication 25 4 7 1 1 Step 1 Control unit device certificate validation 25 4 7 1 2 Step 2 Proof of control unit private key possession 26 4 7 2 Machine authentication 29 4 7...

Отзывы:

Нет отзывов

Похожие инструкции для EdgeLock A5000

Falcon RS500 Owner'S And Installer'S Manual preview
RS500
Бренд: Falcon Страницы: 3
Galaxy Control Systems 635 Series Worksheet preview
635 Series
Бренд: Galaxy Control Systems Страницы: 5
Wesa AE04 Installation And Operation Manual preview
AE04
Бренд: Wesa Страницы: 8
Zeversolar Zeverlution S Setup Manual preview
Zeverlution S
Бренд: Zeversolar Страницы: 8
ECUE DMX2CC 12ch Setup Manual preview
DMX2CC 12ch
Бренд: ECUE Страницы: 39
Regada SP 1 Installation, Service And Maintenance Instructions preview
SP 1
Бренд: Regada Страницы: 41
WAGO 750-872 Quick Start Manual preview
750-872
Бренд: WAGO Страницы: 44
C-LOGIC 502-PC Instruction Manual preview
502-PC
Бренд: C-LOGIC Страницы: 2
Unidrive M600-M70X Installation Sheet preview
M600-M70X
Бренд: Unidrive Страницы: 5
ENDA EUC942 Manual preview
EUC942
Бренд: ENDA Страницы: 5
Veris Industries TWS Series Installation Manual preview
TWS Series
Бренд: Veris Industries Страницы: 4
MPPT M2430C User Manual preview
M2430C
Бренд: MPPT Страницы: 8
Tews Technologies TVME200 Series User Manual preview
TVME200 Series
Бренд: Tews Technologies Страницы: 28
Omega PRG352A Instruction Sheet preview
PRG352A
Бренд: Omega Страницы: 2
Dialog Semiconductor DA1469 PRO series User Manual preview
DA1469 PRO series
Бренд: Dialog Semiconductor Страницы: 22
Samson 45-9 Mounting And Operating Instructions preview
45-9
Бренд: Samson Страницы: 44
DMX4ALL DMX-LED-Dimmer BB4 User Manual preview
DMX-LED-Dimmer BB4
Бренд: DMX4ALL Страницы: 18
WYTRON DVD-688 Operation Manual preview
DVD-688
Бренд: WYTRON Страницы: 33

Бренды по названию

Популярные бренды

Загрузить еще бренды