NXP Semiconductors
AN13500
EdgeLock A5000 Secure Authenticator for electronic anti-counterfeit protection using device-to-device authentication
Finally, the control unit verifies the signature with the machine public key machine_pub.pem.
openssl dgst -sha256 -verify machine_pub.pem -signature mashine_signature.sha256 control_unit_random.txt
Figure 43. OpenSSL - Verify machine signature
The machine is authenticated if OpenSSL returns Verified OK.
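The complete challenge/response exchange that ends with the verification step above, as an added shell example that is not part of the application note. It assumes an EC P-256 machine key (this section does not state the key type) and uses constructed file names in a temporary directory; the second call shows that a signature replayed against a fresh challenge is rejected.

```shell
#!/bin/sh
# Added example (not NXP's code): control-unit side of the device-to-device
# authentication, end to end, with the openssl CLI.
# Assumption: EC P-256 machine key. All file names are constructed for the demo;
# in the real flow the private key never leaves the A5000.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# --- One-time provisioning: machine key pair, public half goes to the control unit ---
openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/machine_priv.pem" 2>/dev/null
openssl ec -in "$WORK/machine_priv.pem" -pubout -out "$WORK/machine_pub.pem" 2>/dev/null

# --- Control unit: fresh random challenge for this authentication attempt ---
openssl rand -hex 32 > "$WORK/control_unit_random.txt"

# --- Machine: sign the challenge with its private key ---
openssl dgst -sha256 -sign "$WORK/machine_priv.pem" \
  -out "$WORK/machine_signature.sha256" "$WORK/control_unit_random.txt"

# verify_machine PUBKEY SIGNATURE CHALLENGE
# Prints "authenticated" when openssl reports Verified OK, "rejected" otherwise.
verify_machine() {
  if openssl dgst -sha256 -verify "$1" -signature "$2" "$3" >/dev/null 2>&1; then
    echo authenticated
  else
    echo rejected
  fi
}

# Genuine response to the current challenge: accepted.
verify_machine "$WORK/machine_pub.pem" "$WORK/machine_signature.sha256" \
  "$WORK/control_unit_random.txt"

# Replay: the control unit issues a new challenge, the old signature no longer matches.
openssl rand -hex 32 > "$WORK/control_unit_random2.txt"
verify_machine "$WORK/machine_pub.pem" "$WORK/machine_signature.sha256" \
  "$WORK/control_unit_random2.txt"
```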
4.8 Binding A5000 to a host MCU/MPU using Platform SCP
Binding is the process of establishing a pairing between the IoT device host MPU/MCU and
the A5000, so that only the paired MPU/MCU is able to use the services offered by the
corresponding A5000, and vice versa.
A mutually authenticated, encrypted channel ensures that both parties are indeed
communicating with the intended recipient and that the local communication is protected
against local attacks, including man-in-the-middle attacks aimed at intercepting the
communication between the MPU/MCU and the A5000, and physical tampering attacks
aimed at replacing the host MPU/MCU or the A5000.
A5000 natively supports Global Platform Secure Channel Protocol 03 (SCP03) for this
purpose. Platform SCP uses SCP03 and can be configured as mandatory.
This chapter describes the steps required to enable Platform SCP in the middleware for
A5000.
The following topics are discussed:
• Introduction to the Global Platform Secure Channel Protocol 03 (SCP03)
• How to enable Platform SCP in the Plug & Trust Middleware
• How to configure the A5000 product-specific SCP keys in the Plug & Trust Middleware
4.8.1 Introduction to the Global Platform Secure Channel Protocol 03 (SCP03)
The Secure Channel Protocol SCP03 authenticates and locally protects the bidirectional
communication between the host and the A5000 against eavesdropping on the physical I2C
interface.
All information provided in this document is subject to legal disclaimers.
© NXP B.V. 2022. All rights reserved.
Application note
Rev. 1.0 — 28 March 2022