topic Re: SE050 MbedTLS ALT questions in Secure Authentication

SE050 MbedTLS ALT questions

kennychiu — Thu, 20 Mar 2025 16:25:05 GMT

Hi,

We are using EdgeLock SE05x Plug & Trust Middleware (version 04.07.00) and have encountered some questions regarding the MbedTLS ALT use.

1. ALT Support Scope
Does the ALT implementation support all Cryptography modules in MbedTLS versions 2.x/3.x? For example, AES_CBC, AES_GCM, and other encryption modes.

2. KEY ID Management
When an HTTPS server performs a TLS handshake using MbedTLS, if there are multiple simultaneous HTTPS connections and each connection’s session key is AES, how should the KEY ID be managed under the SE050 MbedTLS AES ALT scenario?
- If the same KEY ID is used, the key must be reset for every encryption/decryption operation. How is this handled when multiple threads execute concurrently?
- If different KEY IDs are used, how should they be managed?

3. Reference Key
In ecdsa_sign_alt.c, mbedtls_ecdsa_sign() checks whether the private key is a Reference Key. Does this imply that during HTTPS server initialization, the certificate’s public and private keys must be stored in SE050, and then a separate Reference Key is generated and passed to MbedTLS?

Thank you for your assistance!

Re: SE050 MbedTLS ALT questions

Kan_Li — Fri, 21 Mar 2025 06:11:55 GMT

Hi @kennychiu ,

Please kindly have my comments as below:

1. ALT Support Scope
Does the ALT implementation support all Cryptography modules in MbedTLS versions 2.x/3.x? For example, AES_CBC, AES_GCM, and other encryption modes.

- As of now, only ECDSA, RSA Sign and Verify, ECDH, and RNG are provided in ALT implementation. Not all cryptos.

- There is no AES ALT for SE050.

- Yes. Correct. Reference key for Private key in SE is to be created. Only Private key must be stored in SE. Storing Certificate is not required.

Hope that helps,

Have a great day,
Kan

-------------------------------------------------------------------------------
Note:
- If this post answers your question, please click the "Mark Correct" button. Thank you!
- We are following threads for 7 weeks after the last post, later replies are ignored
Please open a new thread and refer to the closed one, if you have a related question at a later point in time.
-------------------------------------------------------------------------------

Re: SE050 MbedTLS ALT questions

kennychiu — Fri, 21 Mar 2025 09:04:14 GMT

Hi Kan,

I hope you don’t mind me asking a few more questions:

1. Are there any plans to support more cryptos in the near future?

2. Would you please provide suggestions on how to implement an AES ALT?

For example:

• Is there any reference code for AES encryption/decryption?

• How should key IDs be managed in this multiple-session-key scenario?

Thank you very much for your assistance!

Kenny

Re: SE050 MbedTLS ALT questions

Kan_Li — Tue, 01 Apr 2025 02:38:27 GMT

Hi @kennychiu ,

Please kindly have my comments as below:

1. Are there any plans to support more cryptos in the near future?

- That is decided by the product management, so far we have no idea about it, but I will pass your request to the PM side.

2. Would you please provide suggestions on how to implement an AES ALT?

For example:

• Is there any reference code for AES encryption/decryption?

- Yes, please refer to the demo of ex_symmetric for details.

• How should key IDs be managed in this multiple-session-key scenario?

- From my personal understanding, different ID should be used, and the key type should be Transient type to avoid NVM consumption.

Hope that helps,

Have a great day,
Kan

Re: SE050 MbedTLS ALT questions

kennychiu — Wed, 02 Apr 2025 05:20:33 GMT

Hi Kan,

Thank you for your assistance.
If I have any further questions, I will contact you.

Kenny