Hi @kennychiu,
Please find my comments below:
1. ALT Support Scope
Does the ALT implementation support all Cryptography modules in MbedTLS versions 2.x/3.x? For example, AES_CBC, AES_GCM, and other encryption modes.
- As of now, only ECDSA, RSA Sign and Verify, ECDH, and RNG are provided in the ALT implementation, not all crypto algorithms.
2. KEY ID Management
When an HTTPS server performs a TLS handshake using MbedTLS, if there are multiple simultaneous HTTPS connections and each connection’s session key is AES, how should the KEY ID be managed under the SE050 MbedTLS AES ALT scenario?
- If the same KEY ID is used, the key must be reset for every encryption/decryption operation. How is this handled when multiple threads execute concurrently?
- If different KEY IDs are used, how should they be managed?
- There is no AES ALT for SE050.
3. Reference Key
In ecdsa_sign_alt.c, mbedtls_ecdsa_sign() checks whether the private key is a Reference Key. Does this imply that during HTTPS server initialization, the certificate’s public and private keys must be stored in SE050, and then a separate Reference Key is generated and passed to MbedTLS?
- Yes, correct. A reference key for the private key in the SE is to be created. Only the private key must be stored in the SE. Storing the certificate is not required.
Hope that helps,
Have a great day,
Kan