SE050 MbedTLS ALT questions


1,747 views
kennychiu
Contributor I

Hi,

We are using EdgeLock SE05x Plug & Trust Middleware (version 04.07.00) and have encountered some questions regarding the MbedTLS ALT use.

1. ALT Support Scope
Does the ALT implementation support all Cryptography modules in MbedTLS versions 2.x/3.x? For example, AES_CBC, AES_GCM, and other encryption modes.

2. KEY ID Management
When an HTTPS server performs a TLS handshake using MbedTLS, if there are multiple simultaneous HTTPS connections and each connection’s session key is AES, how should the KEY ID be managed under the SE050 MbedTLS AES ALT scenario?
- If the same KEY ID is used, the key must be reset for every encryption/decryption operation. How is this handled when multiple threads execute concurrently?
- If different KEY IDs are used, how should they be managed?

3. Reference Key
In ecdsa_sign_alt.c, mbedtls_ecdsa_sign() checks whether the private key is a Reference Key. Does this imply that during HTTPS server initialization, the certificate’s public and private keys must be stored in SE050, and then a separate Reference Key is generated and passed to MbedTLS?

Thank you for your assistance!

4 Replies

1,728 views
Kan_Li
NXP TechSupport

Hi @kennychiu,

Please kindly have my comments as below:

1. ALT Support Scope
Does the ALT implementation support all Cryptography modules in MbedTLS versions 2.x/3.x? For example, AES_CBC, AES_GCM, and other encryption modes.

- As of now, only ECDSA, RSA Sign and Verify, ECDH, and RNG are provided in the ALT implementation. Not all cryptos.

2. KEY ID Management
When an HTTPS server performs a TLS handshake using MbedTLS, if there are multiple simultaneous HTTPS connections and each connection’s session key is AES, how should the KEY ID be managed under the SE050 MbedTLS AES ALT scenario?
- If the same KEY ID is used, the key must be reset for every encryption/decryption operation. How is this handled when multiple threads execute concurrently?
- If different KEY IDs are used, how should they be managed?

There is no AES ALT for SE050.

3. Reference Key
In ecdsa_sign_alt.c, mbedtls_ecdsa_sign() checks whether the private key is a Reference Key. Does this imply that during HTTPS server initialization, the certificate’s public and private keys must be stored in SE050, and then a separate Reference Key is generated and passed to MbedTLS?

- Yes. Correct. A reference key for the private key in the SE is to be created. Only the private key must be stored in the SE. Storing the certificate is not required.

Hope that helps,

Have a great day,
Kan


-------------------------------------------------------------------------------
Note:
- If this post answers your question, please click the "Mark Correct" button. Thank you!
- We are following threads for 7 weeks after the last post, later replies are ignored
Please open a new thread and refer to the closed one, if you have a related question at a later point in time.
-------------------------------------------------------------------------------


1,711 views
kennychiu
Contributor I

Hi Kan,

I hope you don’t mind me asking a few more questions:

1. Are there any plans to support more cryptos in the near future?

2. Would you please provide suggestions on how to implement an AES ALT?

For example:

• Is there any reference code for AES encryption/decryption?

• How should key IDs be managed in this multiple-session-key scenario?

Thank you very much for your assistance!

Kenny


1,634 views
Kan_Li
NXP TechSupport

Hi @kennychiu,

Please kindly have my comments as below:

1. Are there any plans to support more cryptos in the near future?

- That is decided by the product management. So far we have no idea about it, but I will pass your request to the PM side.

2. Would you please provide suggestions on how to implement an AES ALT?

For example:

• Is there any reference code for AES encryption/decryption?

- Yes, please refer to the demo of ex_symmetric for details.

• How should key IDs be managed in this multiple-session-key scenario?

- From my personal understanding, different IDs should be used, and the key type should be Transient type to avoid NVM consumption.

Hope that helps,

Have a great day,
Kan



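One way to give each concurrent TLS session its own key ID, as the reply above suggests (an added example, not code from the Plug & Trust middleware or from either poster). The ID base, the slot count and the function names are assumptions, and creating and deleting the transient key object in the SE under the returned ID is left to the caller.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumptions for this example: an application-reserved object-ID range that
 * does not collide with provisioned keys, and a cap on concurrent sessions. */
#define SESSION_KEY_ID_BASE 0x20000000u /* constructed placeholder */
#define SESSION_KEY_SLOTS   8u

/* Bit i set means ID (BASE + i) is currently owned by one TLS session. */
static _Atomic uint32_t g_slots_in_use;

/* Reserve a unique key ID. Returns false when all slots are taken, so the
 * caller can refuse the connection instead of overwriting a live key. */
bool session_key_id_acquire(uint32_t *key_id)
{
    uint32_t cur = atomic_load(&g_slots_in_use);
    for (;;) {
        uint32_t i = 0;
        while (i < SESSION_KEY_SLOTS && (cur & (1u << i)))
            i++;
        if (i == SESSION_KEY_SLOTS)
            return false;
        /* On failure the CAS reloads cur with the other thread's update. */
        if (atomic_compare_exchange_weak(&g_slots_in_use, &cur, cur | (1u << i))) {
            *key_id = SESSION_KEY_ID_BASE + i;
            return true;
        }
    }
}

/* Return an ID to the pool once the session has ended and its transient key
 * object has been deleted. False for a foreign ID or a double release. */
bool session_key_id_release(uint32_t key_id)
{
    if (key_id < SESSION_KEY_ID_BASE || key_id - SESSION_KEY_ID_BASE >= SESSION_KEY_SLOTS)
        return false;
    uint32_t bit = 1u << (key_id - SESSION_KEY_ID_BASE);
    return (atomic_fetch_and(&g_slots_in_use, ~bit) & bit) != 0;
}

int main(void)
{
    uint32_t a = 0, b = 0;
    if (session_key_id_acquire(&a) && session_key_id_acquire(&b))
        printf("session A uses 0x%08X, session B uses 0x%08X\n", (unsigned)a, (unsigned)b);
    session_key_id_release(a);
    session_key_id_release(b);
}
```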

1,612 views
kennychiu
Contributor I

Hi Kan,

Thank you for your assistance.
If I have any further questions, I will contact you.

Kenny
