EdgeLock SE051: encrypted session + get public key

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

EdgeLock SE051: encrypted session + get public key

Jump to solution
4,763 Views
LAc00
Contributor II

Hello Experts,

we have EdgeLock SE051, and we try to manage it with EdgeLock Plug & Trust Middleware.

I have now 2 questions, what we could not solve yet:

1, How could we establish an encrypted session between host and SE?

Now we are using plain session with ID 0. Does it mean, that we dont have a session?

2, We could generate ECC key pair in SE. (This is good.) If we call Se05x_API_CheckObjectExists, it says yes, it is there. We try to get the public key from this key pair with these functions:

sss_key_store_get_key or Se05x_API_ReadObject

but we are not able to get it. ReadObject returns with SM_NOT_OK.

(We are using plain session here as well, but I think it is ok, because we need only the public key.)

Please help us!

Thank you!

 

Best regards,

 

Laszlo

0 Kudos
Reply
1 Solution
4,748 Views
michaelsalfer
NXP Employee
NXP Employee

Hello Laszlo,

the plain session with ID 0 is also called default session. So it is as well a "session", but not an individually authenticated one. Typically you should at least enable PlatformSCP which encrypts any communication ongoing between the host and the SE using AES encryption. You can enable this encryption in the MW examples when you set the cmake define SE05x_Auth to "PlatformSCP" as shown in AN12662 Binding a host device to EdgeLock SE05x in section "Ease binding configuration with EdgeLock SE05x Plug & Trust Middleware". This enables the startup code in the examples (libcommon) to start the examples with an authenticated and encrypted PlatformSCP channel.

Regarding the fail of the object read, are you using the MW compiled with correct Applet version? See AN13013 Get started with EdgeLock SE05x support package section "Product specific CMake build settings".

Kind regards,
Michael

View solution in original post

9 Replies
4,749 Views
michaelsalfer
NXP Employee
NXP Employee

Hello Laszlo,

the plain session with ID 0 is also called default session. So it is as well a "session", but not an individually authenticated one. Typically you should at least enable PlatformSCP which encrypts any communication ongoing between the host and the SE using AES encryption. You can enable this encryption in the MW examples when you set the cmake define SE05x_Auth to "PlatformSCP" as shown in AN12662 Binding a host device to EdgeLock SE05x in section "Ease binding configuration with EdgeLock SE05x Plug & Trust Middleware". This enables the startup code in the examples (libcommon) to start the examples with an authenticated and encrypted PlatformSCP channel.

Regarding the fail of the object read, are you using the MW compiled with correct Applet version? See AN13013 Get started with EdgeLock SE05x support package section "Product specific CMake build settings".

Kind regards,
Michael

4,717 Views
LAc00
Contributor II

Hello Michael,

 

Now I have an encrypted platform SCP session on ID 0. I generate an ECC key pair like this:

sss_key_store_context_init(pKeyStore, pPfSession);

sss_key_object_init(&asymmetricKeyPair, pKeyStore);

sss_key_object_allocate_handle(&asymmetricKeyPair, id, kSSS_KeyPart_Pair, kSSS_CipherType_EC_NIST_P, keyByteLenMax, kKeyObject_Mode_Persistent);

sss_key_store_generate_key(pKeyStore, &asymmetricKeyPair, keyBitLen, NULL);

with this the key pair is there (in SE). Then I would like to get the public key with this call:

sss_key_store_get_key(pKeyStore, &asymmetricKeyPair, publicKey, &len , &keyBitLen);

The keystore and the keyobject and the session is the same.

And it is failed at Se05x_API_ReadObject call.

Could you help me to solve this issue as well?

 

Best regards,

 

Laszlo

0 Kudos
Reply
4,707 Views
LAc00
Contributor II

Hello Michael,

 

I could read out the public key now. I used a smaller buffer, because I did not calculate with the concatenated header, which length is 26. I increased my buffer with this value, and now everything is fine. I will close this topic! Thank you for your help!

 

Best regards,

 

Laszlo

0 Kudos
Reply
4,680 Views
michaelsalfer
NXP Employee
NXP Employee

Hello Laszlo,

good to hear this and thanks also for sharing your findings!

Kind regards,
Michael

0 Kudos
Reply
4,737 Views
LAc00
Contributor II

Hello Michael,

thank you for your quick reply!

I try to solve the encrypted session first.

I am doing this:

SE_Connect_Ctx_t *pConnectCtx = &gex_sss_secure_element_ctx.se05x_open_ctx;

sss_session_t *pPfSession = &gex_sss_secure_element_ctx.session;

pConnectCtx->connType = kType_SE_Conn_Type_T1oI2C;

pConnectCtx->portName = NULL;

pConnectCtx->auth.authType = kSSS_AuthType_SCP03;

sss_session_open(pPfSession, kType_SSS_SE_SE05x, 1, kSSS_ConnectionType_Encrypted, pConnectCtx);

But I get an error:

:ERROR:nxScp03_GP_InitializeUpdate fails Invalid objects sent 3C3C0000

:ERROR:Could not set SCP03 Secure Channel

What did I miss? Should I somehow set the AES key? I thought there is a default one.

Thank you again!

 

Best regards,

Laszlo

0 Kudos
Reply
4,735 Views
LAc00
Contributor II

I extended the code with this call before the session_open:

ex_sss_se05x_prepare_host_keys(pHostSession, pHostKeyStore, pConnectCtx, pAuthCtx, 0);

Now it is failed here:

nxScp03_HostLocal_VerifyCardCryptogram

Do you have any idea, what could be the problem here?

 

Best regards,

 

Laszlo

0 Kudos
Reply
4,731 Views
michaelsalfer
NXP Employee
NXP Employee

Hi Laszlo,

typically the wrong keys have been used. Please check if your code refers to the correct default keys  which are set in the individual product variants like described in "How to configure the product specific default Platform SCP keys" of document AN13013 Get started with EdgeLock SE05x support package .

Kind regards,
Michael

4,718 Views
LAc00
Contributor II

Hi Michael,

 

thank you for the hint. I reconfigured the default keys. I open the session like this:

SE_Connect_Ctx_t *pConnectCtx = &gex_sss_secure_element_ctx.se05x_open_ctx;
sss_session_t *pPfSession = &gex_sss_secure_element_ctx.session;
sss_session_t *pHostSession = &gex_sss_secure_element_ctx.host_session;
sss_key_store_t *pHostKeyStore = &gex_sss_secure_element_ctx.host_ks;
ex_SE05x_authCtx_t *pAuthCtx = &gex_sss_secure_element_ctx.ex_se05x_auth;

pConnectCtx->connType = kType_SE_Conn_Type_T1oI2C;
pConnectCtx->portName = NULL;

ex_sss_se05x_prepare_host(pHostSession, pHostKeyStore, pConnectCtx, pAuthCtx, kSSS_AuthType_SCP03);

sss_session_open(pPfSession, kType_SSS_SE_SE05x, 0, kSSS_ConnectionType_Encrypted, pConnectCtx);

 

and IT IS WORKING now. I have an encrypted session. Thank you very much!

0 Kudos
Reply
4,728 Views
LAc00
Contributor II

Hello Michael,

 

I see this file:

ex_sss_tp_scp03_keys.h

There are defines in it. (I understand that I have to choose the right one.) What I don't see: where are these defines used? They should be used at calculating the card cryptogram on host, isn't it?

 

Best regards,

 

Laszlo

0 Kudos
Reply