Difference between revisions of "CryptoAuthentication SOIC Xplained Pro Starter Kit (DM320109)"

From Embedded Lab Vienna for IoT & Security
Jump to navigation Jump to search
 
(15 intermediate revisions by the same user not shown)
Line 1: Line 1:
== Summary ==  
== Summary ==  
!!!!  W O R K  I N  P R O G R E S S  !!!! (Petra Fenzel)


This documentation describes the usage of the CryptoAuthentication SOIC Xplained Pro Starter Kit (DM320109)
This documentation describes the usage of the CryptoAuthentication SOIC Xplained Pro Starter Kit (DM320109)
Line 20: Line 19:




* [https://www.microchip.com/wwwproducts/en/atsha204a ATSHA204A] (SHA256)
=== Implementation of ATSHA204A ===
* [https://www.microchip.com/wwwproducts/en/atecc508a ATECC508A] (Ellipticcurve P256, SHA256)
An example implementation for the ATSHA204A can be found under Philly's Tutorial ATSHA204A - A Full Tutorial [https://phillystutorials.blogspot.com/2019/07/atsha204a-full-tutorial.html]
* [https://www.microchip.com/wwwproducts/en/atecc608a ATECC608A] (Ellipticcurve P256, SHA256, AES-GCM)
* [https://www.microchip.com/wwwproducts/en/ataes132a ATAES132A] (AES128)


=== Implementation for ATECCx08A and ATSHA204A ===
The example program implements:
The [https://git.fh-campuswien.ac.at/c1710475053/atmel-sam-cryptography-with-cryptoauth-xpro-b implementation for ATECCx08A and ATSHA204A] is based on the [https://github.com/MicrochipTech/cryptoauthlib Cryptoauthlib].For ease of use of the ASF USART a custom abstraction layer got implemented.
* Device Details like serial number, device number, lock config
* Locking the configuration, OTP and Data Zone
* HMAC challenge
* GenDig example
* Read encrypted slots
* Creating diversified keys for challenges
* CheckMac
* DeriveKey


The example program Implements:
* Showing the serial numbers of the chips
* Hashing a message
* Showing locked zones
* Locking zones
* Generate a random number (only works with locked configuration Zone)
* Generate a keypair (only works with locked configuration Zone)


Usage:
Usage:
* Connect your microcontroller to the EDGB USB port and upload the software
* The program code can be found on Phil's website: [https://github.com/PhillyNJ/SAMD21/tree/master/examples/atsha204a DemoProject]
* Open a terminal Program ([https://www.putty.org/ Putty], [https://ttssh2.osdn.jp/index.html.en TeraTerm])
* Download the code and open it in Microchip Studio, build it and flash it onto your DM320109 board
* Terminal program configuration:
* To flash the code connect your DM320109 board with the USB cable at the USB EDBG port and your PC
   Baud rate    115200
* Open a terminal program like TeraTerm [https://tera-term.de.softonic.com/ Tera Term Download]
   Data bits    8
* Terminal / Tera Term port setup:
  Stop bits    1
   Port          according to your device manager e.g. COM3
  Speed        9600
   Data         8 bit
   Parity        none
   Parity        none
* Press the restart button in the controller
  Stop bits    1 bit
* The implementation has an text menu which allows you to navigate by numbers
  Flow control  none
* Press then the reset button on your DM320109 board and in the Tera Term terminal the menu of the program will appear
[[File:ATSHA204Menu.png]]
* You can navigate through the different implementations via the menu  
* To get details like serial number about the device select (01). If your ATSHA204A is connected correctly, you should see similar information as follows:
[[File:ATSHA204DeviceDetails.png]]


=== Implementation for ATAES132A ===
[[File:AES132ADatasheet.pdf]] -> that Datasheet is made available from Atmel to get a better understanding of the ATAES132A Chip.


The ATAES132A Chip is NOT based on the [https://github.com/MicrochipTech/cryptoauthlib Cryptoauthlib]. Therefore Atmel doesn't offer  complete or functioning example codes for this Chip. There are some example codes that might be working but only for the SAMD21 Xplained Pro board not the SAMR21 Xplained Pro B board, which we are using. I tried to use those example codes, with some changes so it would be working with our board, but I got ERROR messages each time. The main error probably is, that the SAMR21 Xplained Pro Microcontroller is not able to connect to the ATAES132A chip as a I2C slave. Some other problems are, that the example codes for the SAMD21 Xplained Pro board rely too much on that board, so it is nearly impossible to change it for the SAMR21 Xplained Pro B board. Another problem is that Atmel don't even offer an example code to connect to the extension boards, so I wasn't able to check if the ATAES132A chip is working, because no connection could be build. One of the codes is probably working if the connection could be established, because I got a build access and I could load the code onto the board, but I only got negative replies over the Usart.
* To configure the device, write all the keys to the slots and lock the device, you have to follow the below steps:
* Step 1 - configure the device - command (03) Personalize Device
* Step 2 - lock the configuration zone - command (04)
* Step 3 - write to the OTP zone - command (05)
* Step 4 - write the keys - command (06)
* Step 5 - lock OTP and data zones - command (07)
* Step 6 - read OTP zones - command (08)
* Step 7 - run deriveKey for slot 5 - command (AB)
* Step 8 - run deriveKey (Key Roll) for slot 4 - command (AE)
* Step 9 - validate key - command (AA)


Here is the link to the projects I tried: [https://github.com/georgie047/Wahlfachprojekt/tree/master/Code/ATAES132A]
* When selecting (02) you get the slot configuration which is saved in bytes 20 - 51 within the 88 bytes configuration zone. There you have 16 slots of each 2 bytes containing the access restriction values for the slots in the data zone
[[File:ATSHA204SlotConfiguration.png]]


== Security Features ==
* To interpret the slot configuration as displayed above the overview below will give useful information. More details can be found in the ATSHA204A data sheet.
[[File:Sicherheits-Features.pdf]]
[[File:ATSHA204ConfigurationZone.png]]


== Cryptographic algorithms ==
* If bit 6 is set to 1, then a slot which is secret allows encrypted read to access. Reading these slots returns the encrypted data which the host then has to decrypt by the read key defined in the slot configuration of the slot being read. Selecting command (A2) reads the encrypted slots as shown below:
[https://git.fh-campuswien.ac.at/c1710475053/atmel-sam-cryptography-with-cryptoauth-xpro-b/blob/master/Dokumentation/Cryptographic_Algorithms.pdf Click here for Pdf]
[[File:ATSHA204EncryptRead.png]]


== User Guides ==
* For an HMAC challenge use the command (A0) of the menu. This will perform an HMAC challenge against slot 3 and 12. Both are derived from the root key. This examples compares the HMAC digest generated on the client and an HMAC on the host using all possible modes (start mode / update mode / finalize mode).
* [[File:User Guide Atmel.pdf]]
[[File:ATSHA204HMAC.png]]
* [[File:User Guide EDGB.pdf]]
 
* [[File:User Guide Security Features.pdf]]
* ATSHA204a also supports key rolling to prevent repeated use of the same key value. After a certain number of uses of the current key value gets replaced with the SHA-256 digest  of itself combined with some offset e.g. a constant, a serial number or model number. This is implemented by using the DeriveKey command. Selecting AE will perform a rolling key operation on key 4. Further details can be found in Philly's Tutorial.
those User Guides are made available from Atmel to get a better understanding of their products.
 
 
 
== User Guides and Data Sheets ==
* [http://ww1.microchip.com/downloads/en/DeviceDoc/DM320109-CryptoAuthentication-Xplained-Pro-Starter-Kit-Users-Guide-DS50002774A.pdf CryptoAuthentication Xplained Pro Starter Kit User Guide]
* [http://ww1.microchip.com/downloads/en/DeviceDoc/ATSHA204A-Data-Sheet-40002025A.pdf ATSHA204A Data Sheet]
 
 
== Used  Software and Hardware ==
The links for the used software Microchip Studio and the used hardware CryptoAuthentication SOIC Xplained Pro Starter Kit (DM320109) and its microchips can be found at the beginning of this article under "requirements" and "description".


== Used Hardware ==


* [[Cryptoauth XPro B]]
* [https://www.microchip.com/mplab/avr-support/atmel-studio-7 AtmelStudio]
* [https://www.microchip.com/developmenttools/ProductDetails/atsamr21-xpro Atmel SAM R21 Xplained Pro]
* [https://www.microchip.com/DevelopmentTools/ProductDetails/atcryptoauth-xpro-b ATCRYPTOAUTH-XPRO-B]


== Courses ==
== Courses ==
Line 80: Line 96:


Implementation:
Implementation:
* https://www.insidegadgets.com/2017/04/21/alarm-system-v3-part-3-using-the-atmel-cryptoauthentication-atsha204a/
* https://phillystutorials.blogspot.com/2019/07/atsha204a-full-tutorial.html
* https://www.youtube.com/watch?v=TAOVKcN-pwY
 
* https://microchiptech.github.io/cryptoauthlib/html/index.html


Cryptographic algorithms:
Hash and Cryptographic Algorithms:
* https://en.wikipedia.org/wiki/SHA-2
* https://www.tutorialspoint.com/cryptography/cryptography_hash_functions.htm
* http://www.iwar.org.uk/comsec/resources/cipher/sha256-384-512.pdf
* https://www.tutorialspoint.com/cryptography/advanced_encryption_standard.htm
* https://www.geeksforgeeks.org/implementation-diffie-hellman-algorithm/
* https://www.geeksforgeeks.org/implementation-diffie-hellman-algorithm/
* https://www.korelstar.de/informatik/aes.html
 
* https://en.wikipedia.org/wiki/Advanced_Encryption_Standard#Description_of_the_ciphers


[[Category:Documentation]]
[[Category:Documentation]]

Latest revision as of 18:48, 18 November 2021

Summary

This documentation describes the usage of the CryptoAuthentication SOIC Xplained Pro Starter Kit (DM320109)

Requirements


Description

The CryptoAuthentication SOIC Xplained Pro Starter Kit (DM320109) consists of:


Implementation of ATSHA204A

An example implementation for the ATSHA204A can be found under Philly's Tutorial ATSHA204A - A Full Tutorial [1]

The example program implements:

  • Device Details like serial number, device number, lock config
  • Locking the configuration, OTP and Data Zone
  • HMAC challenge
  • GenDig example
  • Read encrypted slots
  • Creating diversified keys for challenges
  • CheckMac
  • DeriveKey


Usage:

  • The program code can be found on Phil's website: DemoProject
  • Download the code and open it in Microchip Studio, build it and flash it onto your DM320109 board
  • To flash the code connect your DM320109 board with the USB cable at the USB EDBG port and your PC
  • Open a terminal program like TeraTerm Tera Term Download
  • Terminal / Tera Term port setup:
  Port          according to your device manager e.g. COM3
  Speed         9600
  Data          8 bit
  Parity        none
  Stop bits     1 bit
  Flow control  none
  • Press then the reset button on your DM320109 board and in the Tera Term terminal the menu of the program will appear

ATSHA204Menu.png

  • You can navigate through the different implementations via the menu
  • To get details like serial number about the device select (01). If your ATSHA204A is connected correctly, you should see similar information as follows:

ATSHA204DeviceDetails.png


  • To configure the device, write all the keys to the slots and lock the device, you have to follow the below steps:
  • Step 1 - configure the device - command (03) Personalize Device
  • Step 2 - lock the configuration zone - command (04)
  • Step 3 - write to the OTP zone - command (05)
  • Step 4 - write the keys - command (06)
  • Step 5 - lock OTP and data zones - command (07)
  • Step 6 - read OTP zones - command (08)
  • Step 7 - run deriveKey for slot 5 - command (AB)
  • Step 8 - run deriveKey (Key Roll) for slot 4 - command (AE)
  • Step 9 - validate key - command (AA)
  • When selecting (02) you get the slot configuration which is saved in bytes 20 - 51 within the 88 bytes configuration zone. There you have 16 slots of each 2 bytes containing the access restriction values for the slots in the data zone

ATSHA204SlotConfiguration.png

  • To interpret the slot configuration as displayed above the overview below will give useful information. More details can be found in the ATSHA204A data sheet.

ATSHA204ConfigurationZone.png

  • If bit 6 is set to 1, then a slot which is secret allows encrypted read to access. Reading these slots returns the encrypted data which the host then has to decrypt by the read key defined in the slot configuration of the slot being read. Selecting command (A2) reads the encrypted slots as shown below:

ATSHA204EncryptRead.png

  • For an HMAC challenge use the command (A0) of the menu. This will perform an HMAC challenge against slot 3 and 12. Both are derived from the root key. This examples compares the HMAC digest generated on the client and an HMAC on the host using all possible modes (start mode / update mode / finalize mode).

ATSHA204HMAC.png

  • ATSHA204a also supports key rolling to prevent repeated use of the same key value. After a certain number of uses of the current key value gets replaced with the SHA-256 digest of itself combined with some offset e.g. a constant, a serial number or model number. This is implemented by using the DeriveKey command. Selecting AE will perform a rolling key operation on key 4. Further details can be found in Philly's Tutorial.


User Guides and Data Sheets


Used Software and Hardware

The links for the used software Microchip Studio and the used hardware CryptoAuthentication SOIC Xplained Pro Starter Kit (DM320109) and its microchips can be found at the beginning of this article under "requirements" and "description".


Courses

References

Implementation:


Hash and Cryptographic Algorithms:

Retrieved from "https://wiki.elvis.science/index.php?title=CryptoAuthentication_SOIC_Xplained_Pro_Starter_Kit_(DM320109)&oldid=8015"