94aa31c3cb
* deleted old version wolfSSL before updating * updated wolfSSL to the latest version(v4.4.0) * updated wolfSSL to the latest version(v4.4.0) * added macros for timing resistance Co-authored-by: RichardBarry <3073890+RichardBarry@users.noreply.github.com> Co-authored-by: Ming Yue <mingyue86010@gmail.com>
3.5 KiB
Microchip/Atmel ATECC508A/ATECC608A Support
Support for ATECC508A using these methods:
- TLS: Using the PK callbacks and reference ATECC508A callbacks. See Coding section below. Requires options
HAVE_PK_CALLBACKSandWOLFSSL_ATECC_PKCB or WOLFSSL_ATECC508A - wolfCrypt: Native wc_ecc_* API's using the
./configure CFLAGS="-DWOLFSSL_ATECC508A"or#define WOLFSSL_ATECC508A.
Dependency
Requires the Microchip CryptoAuthLib. The examples in wolfcrypt/src/port/atmel/atmel.c make calls to the atcatls_* API's.
Building
Build Options
HAVE_PK_CALLBACKS: Option for enabling wolfSSL's PK callback support for TLS.WOLFSSL_ATECC508A: Enables support for initializing the CryptoAuthLib and setting up the encryption key used for the I2C communication.WOLFSSL_ATECC_PKCB: Enables support for the reference PK callbacks without init.WOLFSSL_ATMEL: Enables ASF hooks seeding random data using theatmel_get_random_numberfunction.WOLFSSL_ATMEL_TIME: Enables the built-inatmel_get_curr_time_and_datefunction get getting time from ASF RTC.ATECC_GET_ENC_KEY: Macro to define your own function for getting the encryption key.ATECC_SLOT_I2C_ENC: Macro for the default encryption key slot. Can also get via the slot callback withATMEL_SLOT_ENCKEY.ATECC_MAX_SLOT: Macro for the maximum dynamically allocated slots.
Build Command Examples
./configure --enable-pkcallbacks CFLAGS="-DWOLFSSL_ATECC_PKCB"
#define HAVE_PK_CALLBACKS
#define WOLFSSL_ATECC_PKCB
or
./configure CFLAGS="-DWOLFSSL_ATECC508A"
#define WOLFSSL_ATECC508A
Coding
Setup the PK callbacks for TLS using:
/* Setup PK Callbacks for ATECC508A */
WOLFSSL_CTX* ctx;
wolfSSL_CTX_SetEccKeyGenCb(ctx, atcatls_create_key_cb);
wolfSSL_CTX_SetEccVerifyCb(ctx, atcatls_verify_signature_cb);
wolfSSL_CTX_SetEccSignCb(ctx, atcatls_sign_certificate_cb);
wolfSSL_CTX_SetEccSharedSecretCb(ctx, atcatls_create_pms_cb);
The reference ATECC508A PK callback functions are located in the wolfcrypt/src/port/atmel/atmel.c file.
Adding a custom context to the callbacks:
/* Setup PK Callbacks context */
WOLFSSL* ssl;
void* myOwnCtx;
wolfSSL_SetEccKeyGenCtx(ssl, myOwnCtx);
wolfSSL_SetEccVerifyCtx(ssl, myOwnCtx);
wolfSSL_SetEccSignCtx(ssl, myOwnCtx);
wolfSSL_SetEccSharedSecretCtx(ssl, myOwnCtx);
Benchmarks
Supports ECC SECP256R1 (NIST P-256)
TLS
TLS Establishment Times:
- Hardware accelerated ATECC508A: 2.342 seconds average
- Software only: 13.422 seconds average
The TLS connection establishment time is 5.73 times faster with the ATECC508A.
Cryptographic ECC
Software only implementation (SAMD21 48Mhz Cortex-M0, Fast Math TFM-ASM):
EC-DHE key generation 3123.000 milliseconds, avg over 5 iterations, 1.601 ops/sec
EC-DHE key agreement 3117.000 milliseconds, avg over 5 iterations, 1.604 ops/sec
EC-DSA sign time 1997.000 milliseconds, avg over 5 iterations, 2.504 ops/sec
EC-DSA verify time 5057.000 milliseconds, avg over 5 iterations, 0.988 ops/sec
ATECC508A HW accelerated implementation:
EC-DHE key generation 144.400 milliseconds, avg over 5 iterations, 34.722 ops/sec
EC-DHE key agreement 134.200 milliseconds, avg over 5 iterations, 37.313 ops/sec
EC-DSA sign time 293.400 milliseconds, avg over 5 iterations, 17.065 ops/sec
EC-DSA verify time 208.400 milliseconds, avg over 5 iterations, 24.038 ops/sec
For details see our wolfSSL Atmel ATECC508A page.