Copyright © https://mongoose-os.com

Mongoose OS Forum


ESP8266: ATECC508A encryption

Is it possible to use the ATECC508A to encrypt certain files or the whole file system on the ESP8266, like the config file(s) or the main.c/init.js file?

Comments

  • rojerrojer Dublin, Ireland

    no, currently crypto chip can only be used for TLS handshake.

  • Is it technically possible though? It might be something I can take a look at doing but don't want to go down that path if it's not possible.

  • rojerrojer Dublin, Ireland
    edited February 6

    absolutely, it is. crypto chip support is implemented as another backend for mbedtls private key interface, so you can just instantiate a private key with path like ATCA:0 and perform encrypt/decrypt operations. even though ECC encryption with the chip is fast, i'd still recommend using AES for actual encryption but deriving the AES key by signing a nonce with an ECC key (i.e. the same way TLS works).
    you can use GCP library as a primer for using mbedtls crypto functions (it produces a JWT token by signing a nonce with an RSA or ECC key), and it works with the chip as well without even being aware of it (all you need to do is set gcp.key=ATCA:n).

    Thanked by 1applecrusher
  • rojerrojer Dublin, Ireland
    edited February 6

    in fact, why not encrypt everything on the filesystem, not just certain files? we already have a transparent SPIFFS encryption layer, and it uses AES, but the key derivation is specific to ESP32.
    look at the code in mgos_vfs_fs_spiffs.c behind the CS_SPIFFS_ENABLE_ENCRYPTION guard.
    if you replace the ESP32-specific AES key derivation with something that uses the chip, it should work just as well.

    Thanked by 1applecrusher
  • I think encrypting the file system, based on the fact you have a transparent SPIFFS encryption layer, is easier than doing specific files.

    Do you mean look at the "esp_flash_encrypt.h" only for the mgos_vfs_fs_spiffs.c? And this needs to be modified?

    Also, I am not quite sure what you mean by using the ESP32-specific AES key derivation since it's "derived by using hardware flash decryption of 32 bytes of 0xff."

    So I am not quite sure how that is specific to the ESP32 since it's just an array of 0xff X 32, but I am not very familiar with encryption. So either way, the tmp array in the esp32_fs_crypt_init would need to be changed to something that works with the crypto chip?

  • rojerrojer Dublin, Ireland

    i said replace ESP32-specific key derivation with something else, because - well, exactly what you quoted, it's esp32-specific and relies on hardware encryption. the whole spiffs encryption thing was invented to deal with it in the first place, but it can be repurposed, and fairly easily.
    i think i've said enough and given enough breadcrumbs for someone who is able to do it to follow. i am severely short on time and if you are not following - well, maybe you are not able to do it. sorry.

  • No worries. I asked some questions before doing my homework and am going to do that now. You do what you have to do and make Mongoose OS awesome! 100% support you guys.
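
An added example, not part of the thread or of Mongoose OS code, of the derivation discussed above: a nonce kept in flash is sent to the chip and the response is run through HKDF-SHA256 to get an AES-256 key for the filesystem layer. StubChip, respond, derive_fs_key and the spiffs-aes-key label are hypothetical; HKDF is a choice made for this example, and the chip is simulated with HMAC on the assumption that the real chip operation returns the same bytes for the same nonce on every boot.

```python
import hashlib
import hmac

KEY_LEN = 32  # AES-256 key size in bytes


def hkdf_sha256(ikm, salt, info, length=KEY_LEN):
    """HKDF (RFC 5869) with HMAC-SHA256: extract, then expand."""
    if not 0 < length <= 255 * 32:
        raise ValueError("invalid output length for HKDF-SHA256")
    prk = hmac.new(salt or b"\x00" * 32, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


class StubChip:
    """Hypothetical stand-in for the crypto chip; the slot secret stays inside.

    Assumption: the chip operation chosen returns the same bytes for the
    same nonce on every boot. If it does not, the key cannot be re-derived.
    """

    def __init__(self, slot_secret):
        self._secret = slot_secret

    def respond(self, nonce):
        # Simulated with HMAC here; on hardware this is a call into the chip.
        return hmac.new(self._secret, nonce, hashlib.sha256).digest()


def derive_fs_key(chip, nonce):
    """Derive the filesystem AES key from the chip's response to a stored nonce."""
    if len(nonce) < 16:
        raise ValueError("nonce must be at least 16 bytes")
    # The nonce is not secret and can live in flash; the chip response is never stored.
    return hkdf_sha256(chip.respond(nonce), salt=nonce, info=b"spiffs-aes-key")


# Constructed sample values, not taken from any real device.
NONCE = bytes(range(32))
CHIP_A = StubChip(b"constructed-secret-device-A")
CHIP_B = StubChip(b"constructed-secret-device-B")

if __name__ == "__main__":
    print("device A key:", derive_fs_key(CHIP_A, NONCE).hex())
```

The key is recomputed at every mount and held only in RAM; moving the flash contents to a board with a different chip secret yields a different key.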
