MbedTLS v.1.2 handshake

MohitGediya
Contributor II

I want to offload the TLS v.1.2 handshake process to the SE052 secure element IC from the host ESP32c3devkitm.
It acts as a server, which is a v.3.7.0 Zephyr-based sample application.
There is no support added in the module to offload whole cryptographic operations to the SE.

I went through the "SE05x IoT applet APDU Specification". Using this document, I was thinking I can create wrapper functions using APDU commands, which work by directly performing operations on the SE052.

There is an understanding gap regarding certificate stores.
If I store the CA certificate or server certificate inside the SE052, then how will it become part of the TLS handshake using SE052 ICs?

If I do not store it inside the SE052, then how do I add support for the TLS handshake process? (The whole handshake process is offloaded to the SE052.)

What approach should I use to offload the handshake to the SE052 from the host controller?
What maximum operations can I perform?
I can create a wrapper function for each possible process.

@Kan @kan_li



Kan_Li
NXP TechSupport

Hi @MohitGediya ,

 

No—you should not design this as a full TLS 1.2 handshake offload to SE052. The host TLS stack may use SE05x/SE052 as a secure crypto co-processor, but not as a standalone TLS engine that owns the complete TLS protocol state machine. The host MCU/RTOS still runs mbedTLS/Zephyr TLS, parses and builds handshake messages, manages certificate exchange/validation flow, and uses the secure element for selected cryptographic operations and secure credential storage such as: random generation, ECDH/ECDHE-related secret derivation, and ECDSA or RSA sign/verify/decrypt depending on configuration and key type.

 

For your questions:

1) If I store CA certificate or server certificate inside SE052, then how will it become part of TLS handshake using SE052 ICs?

It becomes part of the handshake only after the host retrieves or associates that certificate with the TLS stack. The middleware example shows the certificate being read from the SE, parsed on the host, and then used by mbedTLS; the private key remains referenced inside the SE for sign/ECDH operations.

For CA certificates specifically, the common architecture is that the host uses the CA certificate to verify the peer certificate chain.

2) If I do not store it inside SE052, then how to add support for TLS handshake process?

You can still do the handshake normally by:

  • keeping the certificate chain in host memory/flash
  • loading it into mbedTLS on the host
  • keeping only the private key in SE052 and associating it as a reference key for sign/ECDH operations

 

Hope that makes sense,

 

Have a great day,
Kan
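
The host/SE split described in the reply above, as an added example that is not part of the original thread or of NXP's middleware: the host assembles the bytes that the TLS 1.2 ECDHE ServerKeyExchange signature covers and hands them to a sign wrapper that refers to the private key only by object ID. `se_key_ref`, `se_sign_fn`, `mock_se_sign` and the object ID are hypothetical names and constructed values; whether hashing happens on the host or in the SE is left to the wrapper.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical reference key: the host holds an SE object ID, never key bytes. */
typedef struct { uint32_t object_id; } se_key_ref;
/* Hypothetical wrapper type for an "ECDSA sign inside the SE" command. */
typedef int (*se_sign_fn)(const se_key_ref *key, const uint8_t *msg, size_t len,
                          uint8_t *sig, size_t *sig_len);
/* Host side: bytes covered by the TLS 1.2 ECDHE ServerKeyExchange signature:
 * client_random || server_random || curve_type || named_curve || len || point */
size_t build_ske_signed_input(const uint8_t cr[32], const uint8_t sr[32],
                              uint16_t named_curve, const uint8_t *point,
                              uint8_t point_len, uint8_t *out, size_t cap)
{
    size_t need = 32 + 32 + 4 + (size_t)point_len;
    if (!cr || !sr || !point || !out || cap < need) return 0;
    memcpy(out, cr, 32);
    memcpy(out + 32, sr, 32);
    out[64] = 0x03;                          /* curve_type = named_curve */
    out[65] = (uint8_t)(named_curve >> 8); out[66] = (uint8_t)named_curve;
    out[67] = point_len;
    memcpy(out + 68, point, point_len);
    return need;
}

/* Host handshake step: build the input, delegate only the signature to the SE. */
int sign_server_key_exchange(se_sign_fn se_sign, const se_key_ref *key,
                             const uint8_t cr[32], const uint8_t sr[32],
                             const uint8_t *point, uint8_t point_len,
                             uint8_t *sig, size_t *sig_len)
{
    uint8_t tbs[32 + 32 + 4 + 255];
    size_t n = build_ske_signed_input(cr, sr, 23 /* secp256r1 */, point,
                                      point_len, tbs, sizeof tbs);
    if (n == 0 || !se_sign || !key || !sig || !sig_len) return -1;
    return se_sign(key, tbs, n, sig, sig_len);
}

/* Constructed stand-in for the SE (runs offline): records what crossed the
 * host/SE boundary and returns a dummy 8-byte value, not a real signature. */
static uint32_t seen_id; static size_t seen_len;
int mock_se_sign(const se_key_ref *k, const uint8_t *m, size_t n, uint8_t *s, size_t *sl)
{ (void)m; seen_id = k->object_id; seen_len = n; memset(s, 0xA5, 8); *sl = 8; return 0; }
size_t demo_bytes_sent_to_se(void)   /* constructed randoms and EC point */
{
    uint8_t cr[32] = {1}, sr[32] = {2}, pt[65] = {0x04}, sig[80]; size_t sl = 0;
    se_key_ref key = { 0x10000001u };    /* constructed object ID */
    return sign_server_key_exchange(mock_se_sign, &key, cr, sr, pt, 65, sig, &sl) ? 0 : seen_len;
}
```

In a real build mbedTLS assembles this input itself; only the sign step would call into the SE wrapper.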



 
