Summary of Contents for NXP Semiconductors EdgeLock A5000
AN13500
EdgeLock A5000 Secure Authenticator for electronic anti-counterfeit protection using device-to-device authentication
Rev. 1.0 — 28 March 2022
Application note
Document information
Keywords: A5000, mutual authentication, proof of possession
Abstract: This document describes how to leverage A5000 for device-to-device...
Device-to-device authentication
The IoT environment increases the exposure of high value components to new security threats. OEM manufacturers need to protect themselves from non-authorized components, discriminate original devices from fake copies, avoid device misuse and over usage, and make sure customers purchase original equipment.
Certificate chain of trust
IoT requires each device to possess a unique identity. For a certificate-based authentication scheme, the identity is made of:
• Device certificate
• Device key pair
The digital certificate binds an identity to a public key.
Figure 3. Certificate hierarchy
Before a machine or control unit manufactured by the OEM goes to the operation phase, it must possess the CA certificate, an individual certificate and a key pair securely...
Mutual authentication flow
The authentication flow consists of a mutual authentication procedure. First, the machine will authenticate the control unit that it will be connected to. After that, the control unit will authenticate the machine that attempts to connect.
Figure 5. Control unit authentication flow
3.2 Machine authentication
The authentication of the machine also consists of two steps: the certificate validation and the private key proof of possession as shown in Figure 6.
Evaluating A5000 for anticounterfeit protection
This chapter describes how to evaluate the A5000 Secure Authenticator for anticounterfeit protection using device-to-device authentication. The following description is provided for demonstration only. The subsequent procedure must therefore be adapted and adjusted for commercial deployment.
Middleware test examples” describes the CMake settings to build the middleware accessing an SE05x Secure Element. To build the Plug & Trust Middleware to support the A5000 Secure Authenticator...
Figure 7. A5000 CMake options
4.2 OpenSSL engine overview
OpenSSL is a free software library that contains an open-source implementation of the protocols. OpenSSL is available for most Unix-like operating systems (including Linux, macOS, and BSD) and Microsoft Windows.
The OpenSSL software library, written in C, includes a command-line interface for general-purpose cryptography and managing certificates. For simplicity, the demos below use the OpenSSL CLI.
• Certificate/Public Key: The Certificate/Public Key as read from the Secure Element can still be inserted into the OpenSSL key structure.
The A5000 Secure Authenticator can be easily integrated by applications which are already using the OpenSSL API or the command-line tools.
Figure 10. ssscli help
The help includes a parameter description for all supported commands. To list all options for the connect command use:
    ssscli connect --help
Figure 11. ssscli connect help
Note: The subsystem option auth shall be used to define a session with the A5000 authenticator.
Figure 12. ssscli se05x help
The following commands will list all A5000 secure objects:
    ssscli connect auth t1oi2c none
    ssscli se05x readidlist
Figure 13. ssscli readidlist
Note: If you are not able to connect to the A5000 with an error saying that there is a session already open, run ssscli se05x disconnect first.
To demonstrate the principle of the machine and control unit authentication flow with a single Raspberry Pi and OM-A5000ARD board, the ECC256 key pair 0 (object ID 0xF0000000) and the corresponding certificate 0 (object ID 0xF0000001) are used as “machine”...
    ssscli get cert F0000001 machine.pem
    ssscli get cert F0000003 control_unit.pem
Figure 14. Retrieve the pre-provisioned A5000 device certificates
Both certificates are stored in PEM format. These are text files containing base64 encoded data.
The x509 OpenSSL command can be used to display the contents of a certificate in human-readable form (-text switch). The -noout switch reduces the output by not printing the base64 encoded certificate itself.
Figure 17. Content of the control unit certificate
4.5.2 Retrieve the pre-provisioned A5000 device certificates public keys
The ECC public keys are required for the ECC verify operation. The ECC public keys can be extracted from the corresponding certificate using the OpenSSL command-line tool or with the help of the ssscli tool.
Figure 19. Device public keys in PEM format
The OpenSSL ec command can also display the contents of the public keys:
    openssl ec -pubin -in machine_pub_key.pem -text
    openssl ec -pubin -in control_unit_pub_key.pem -text
Figure 20. Content of the device public keys...
Figure 21. Create the reference key files for the OpenSSL engine
The ssscli commands above store the reference keys in PEM format.
    cat machine_ref_key.pem
    cat control_unit_ref_key.pem
Figure 22. Reference private keys in PEM format...
Figure 23. Content of the reference private keys
Instead of a real private ECC device key, the reference key contains mainly the A5000 private key object ID. The remaining bytes contain a 64-bit "magic number"...
[Figure: diagram relating the A5000 device certificate and the NXP intermediate certificate. Surviving labels: A5000 device private key, A5000 device name, A5000 public key, NXP Issuer's (CA) name, NXP Issuer's (CA) signature, NXP Issuer's private key, Sign, Reference...]
Figure 26. Convert the NXP intermediate certificate file "nxp_a5000_intermediate_ca.crt" into a PEM formatted file
The NXP intermediate certificate is signed by an NXP root certificate. To verify the validity of the NXP intermediate certificate, you also need to download the NXP root certificate.
4.7 Mutual authentication flow
As already described in Section 3, the authentication flow consists of a mutual authentication procedure. First, the machine will authenticate the control unit. If the machine was successfully authenticated, the control unit will authenticate the machine.
Note: We assume the NXP root and intermediate CA are already stored in the machine and control unit.
Note: To simplify the example we do not use the A5000 for validating the control unit certificate, because the keys of the NXP root and intermediate CA are not stored inside the A5000 device.
Figure 32. Plug & Trust Middleware OpenSSL engine default configuration
Note: The A5000 does not support RSA; therefore it is recommended to remove the entry RSA from the default algorithms entry.
Figure 34. OpenSSL - A5000 random numbers are stored in a text file
The control unit uses the A5000 to generate the ECC signature using standard OpenSSL commands. This is performed by providing a control unit reference key (control_unit_ref_key.pem) instead of a private key.
    openssl x509 -in control_unit.pem -pubkey -noout > control_unit_pub.pem
Finally, the machine verifies the signature with the control unit public key control_unit_pub.pem. Because we are using the public key of another entity, this step is performed by the OpenSSL engine in software.
Figure 38. Control unit authentication flow
4.7.2.1 Step 1: Machine device certificate validation
In the first step, the machine sends the machine certificate (machine.pem) to the control unit for validation. We again use the OpenSSL verify command-line tool to validate the certification chain.
Figure 39. OpenSSL - Verify machine certificate
Note: We assume the NXP root and intermediate CA are already stored in the machine and control unit.
Note: To simplify the example we do not use the A5000 for validating the machine certificate, because the keys of the NXP root and intermediate CA are not stored inside the A5000 device.
Figure 40. OpenSSL - A5000 random numbers are stored in a text file
The machine uses the A5000 to generate the ECC signature. This is performed by providing a machine reference key (machine_ref_key.pem) instead of a private key.
Finally, the control unit verifies the signature with the machine public key machine_pub.pem.
    openssl dgst -sha256 -verify machine_pub.pem -signature mashine_signature.sha256 control_unit_random.txt
Figure 43. OpenSSL - Verify machine signature
The machine is authenticated if OpenSSL returns Verified OK.
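The two steps used for each side (certificate validation, then proof of possession over a random challenge) can be reproduced without hardware. The script below is an added example, not part of AN13500 or the Plug & Trust Middleware: it assumes a constructed CA and a software private key in place of the NXP CA and the A5000 reference key, all file and function names are made up, and it also replays an old signature against a new challenge to show why the challenge must be fresh.

```shell
# Added example (not from AN13500). All names and subjects are constructed.
# The device key is a file here; with the A5000 it stays in the chip and the
# sign step is routed there through the reference key and the OpenSSL engine.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed stand-ins for the CA and the provisioned device credentials.
setup_pki() {
    openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/ca_key.pem"
    openssl req -x509 -new -key "$WORK/ca_key.pem" -sha256 -days 1 \
        -subj "/CN=Example CA" -out "$WORK/ca.pem"
    openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/dev_key.pem"
    openssl req -new -key "$WORK/dev_key.pem" -subj "/CN=Example device" \
        -out "$WORK/dev.csr"
    openssl x509 -req -in "$WORK/dev.csr" -CA "$WORK/ca.pem" -sha256 -days 1 \
        -CAkey "$WORK/ca_key.pem" -CAcreateserial -out "$WORK/dev.pem" 2>/dev/null
}

# Step 1: certificate validation against the trusted CA.
validate_cert() {
    openssl verify -CAfile "$WORK/ca.pem" "$WORK/dev.pem" >/dev/null 2>&1
}

# Verifier: a fresh random challenge per attempt. Prover: sign it.
new_challenge() { openssl rand -hex 32 > "$1"; }
sign_challenge() { openssl dgst -sha256 -sign "$WORK/dev_key.pem" -out "$2" "$1"; }

# Step 2: verify with the public key taken from the validated certificate.
verify_possession() {
    openssl x509 -in "$WORK/dev.pem" -pubkey -noout > "$WORK/dev_pub.pem"
    openssl dgst -sha256 -verify "$WORK/dev_pub.pem" -signature "$2" "$1" \
        >/dev/null 2>&1
}

# Full flow, then replay of the old signature against a new challenge.
run_demo() {
    setup_pki
    validate_cert || { echo "cert-rejected"; return 0; }
    new_challenge "$WORK/c1.txt"
    sign_challenge "$WORK/c1.txt" "$WORK/sig1.bin"
    verify_possession "$WORK/c1.txt" "$WORK/sig1.bin" || { echo "pop-failed"; return 0; }
    new_challenge "$WORK/c2.txt"
    if verify_possession "$WORK/c2.txt" "$WORK/sig1.bin"; then
        echo "authenticated replay-accepted"
    else
        echo "authenticated replay-rejected"
    fi
}
run_demo
```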
A5000 can be bound to the host by injecting the same unique SCP03 AES key-set into both the host and the A5000 and by enabling the Platform SCP feature in the Plug & Trust Middleware.
Table 3. SCP03 session keys (columns: Description, Usage, Type)
S-ENC: Session Secure Channel Encryption Key. Used for data confidentiality.
S-MAC: Used for data and protocol integrity. Secure Channel Message...
4.8.2 How to enable Platform SCP in the Plug & Trust Middleware
To enable Platform SCP it is required to rebuild the Plug & Trust Middleware with the following CMake setting:
•...
    cmake-gui .
Update the CMake settings as explained above. First press the Configure button, then the Generate button, and close the CMake GUI.
    cmake --build .
to protect keys it is not in the scope of this document to demonstrate how to store the Platform SCP shared binding keys securely. For commercial deployment, the secure storage of Platform SCP keys must be adapted accordingly.
Please refer to the Plug & Trust Middleware documentation chapter 5.4.3. Access Manager for more details.
AN13500 All information provided in this document is subject to legal disclaimers.
EdgeLock2GO
• EdgeLock SE05x provisioning by OEMs, distributors or third-party partners: OEMs can provision EdgeLock A5000 on their own or select a distributor or third-party partner for provisioning the A5000.
References
• DS6676xx, A5000 EdgeLock Secure Authenticator Product data sheet. Available under: https://www.nxp.com/docs/en/data-sheet/A5000-DATASHEET.pdf
• AN12570, EdgeLock SE05x Quick start guide with Raspberry Pi. Available under: https://www.nxp.com/docs/en/application-note/AN12570.pdf
Tables
Tab. 1. Pre-provisioned certificates and keys used by the example
Tab. 3. SCP03 session keys
Tab. 4. 128-bit AES Default Platform SCP keys
Tab....
Figures
Fig. 1. Device-to-device authentication scenario
Fig. 2. Certificate chain of trust
Fig. 28. Convert the NXP root certificate file "nxp_a5000_root_ca.crt" into a PEM formatted...
Fig....