- Forums
- Product Forums
- General Purpose MicrocontrollersGeneral Purpose Microcontrollers
- i.MX Forumsi.MX Forums
- QorIQ Processing PlatformsQorIQ Processing Platforms
- Identification and SecurityIdentification and Security
- Power ManagementPower Management
- MCX Microcontrollers
- S32G
- S32K
- S32V
- MPC5xxx
- Other NXP Products
- Wireless Connectivity
- S12 / MagniV Microcontrollers
- Powertrain and Electrification Analog Drivers
- Sensors
- Vybrid Processors
- Digital Signal Controllers
- 8-bit Microcontrollers
- ColdFire/68K Microcontrollers and Processors
- PowerQUICC Processors
- OSBDM and TBDML
- S32M
-
- Solution Forums
- Software Forums
- MCUXpresso Software and ToolsMCUXpresso Software and Tools
- CodeWarriorCodeWarrior
- MQX Software SolutionsMQX Software Solutions
- Model-Based Design Toolbox (MBDT)Model-Based Design Toolbox (MBDT)
- FreeMASTER
- eIQ Machine Learning Software
- Embedded Software and Tools Clinic
- S32 SDK
- S32 Design Studio
- GUI Guider
- Zephyr Project
- Voice Technology
- Application Software Packs
- Secure Provisioning SDK (SPSDK)
- Processor Expert Software
- MCUXpresso Training Hub
-
- Topics
- Mobile Robotics - Drones and RoversMobile Robotics - Drones and Rovers
- NXP Training ContentNXP Training Content
- University ProgramsUniversity Programs
- Rapid IoT
- NXP Designs
- SafeAssure-Community
- OSS Security & Maintenance
- Using Our Community
-
- Cloud Lab Forums
-
- Knowledge Bases
- ARM Microcontrollers
- i.MX Processors
- Identification and Security
- Model-Based Design Toolbox (MBDT)
- QorIQ Processing Platforms
- S32 Automotive Processing Platform
- Wireless Connectivity
- CodeWarrior
- MCUXpresso Suite of Software and Tools
- MQX Software Solutions
-
- Home
- :
- Identification and Security
- :
- NFC
- :
- NHS3100: How to make the tlogger secure?
NHS3100: How to make the tlogger secure?
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
NHS3100: How to make the tlogger secure?
02-22-2019
03:15 PM
1,274 Views
stevewald
Contributor III
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
We are using the NHS3100. We know there are products better suited, but for now we are stuck with this part. We want to extend the tlogger firmware and App functionality to make the logging more secure over the mission of the tag.
- We would like to at least ensure that a) the firmware is protected from prying eyes, b) that we can configure the tag's mission in a way that the configuration cannot be altered until complete, and c) that we can authenticate the integrity of the data log at mission completion at least to some reasonable degree.
- The 3100 has no hardware support for encryption, but we have developed software encryption which could be used. We need to know more about the interaction between the tags and the readers in a crypto-secure environment to keep the temperature log unaltered by unauthorized means.
- The document FTF-MHW-N1980 mentions AES and passwords in connection with access control for NHS3100 on slide 63, but gives few details. How might this be done?
- There are Lock and Protect bits in the flash, but we cannot find out how to exercise them. There is nothing in the SDK, and no hint of functions to work with them. Is there a document to explain the access and mapping of these bits?
Thanks,
Steve
1 Reply
02-26-2019
09:15 AM
1,099 Views
driesmoors
NXP Employee
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Steve,
- We would like to at least ensure that
a) the firmware is protected from prying eyes,
The IC has 3 levels of Code Read Protection (CRP). Check <SDK>/docs/firmware/ > SW Debug Considerations
b) that we can configure the tag's mission in a way that the configuration cannot be altered until complete, and
The firmware can block this, since a tag reader has no direct access to the FLASH and the ARM EEPROM. It must the firmware to do the copying to the NFC memory.
c) that we can authenticate the integrity of the data log at mission completion at least to some reasonable degree.
The data log can be appended with a hash, derived from the 16-byte unique ID of each IC. This unique ID is not directly accessible by a tag reader. - The 3100 has no hardware support for encryption, but we have developed software encryption which could be used. We need to know more about the interaction between the tags and the readers in a crypto-secure environment to keep the temperature log unaltered by unauthorized means.
A good question, and not an easy one. This is best tackled in a more private conversation. AFAIK a lot depends on your specific use case. - The document FTF-MHW-N1980 mentions AES and passwords in connection with access control for NHS3100 on slide 63, but gives few details. How might this be done?
Simple password control relies on a cleartext exchange of a shared secret. In the SDK this can be used to dynamically block or allow the high-level msg commands sent from tag reader to tag. I suggest using the MSG_COMMAND_ACCEPT_CB diversity setting in the msg module to do this.
AES also involves a share secret, but can be used for zero-knowledge communication to prove the identity of each side. This will consequences for your communication flow, and more severe adaptations to the SDK demo applications will be necessary. Best seems to find a standardized communication scheme and implement this on top of the command/response exchanges currently demonstrated in the demos. - There are Lock and Protect bits in the flash, but we cannot find out how to exercise them. There is nothing in the SDK, and no hint of functions to work with them. Is there a document to explain the access and mapping of these bits?
The SDK does not provide support for this, unfortunately. I also don't have a document that explains how to do this.
Thanks,
Steve
Reply
