
Using external crypto chips with SimpleLink TLS

Other Parts Discussed in Thread: CC3200, CC3100

We are developing a secure IoT solution where device credentials are stored in an external chip (specifically, we are working with Atmel ATECC508A).

However, SimpleLink requires the TLS certificate to be stored in plain text on the SPI flash chip, so this presents a problem for us: we have to use an external TLS library, at considerable cost in terms of RAM (and effort involved).

Would it be possible to have NWP invoke user application code to perform the signing operation during handshake?

Otherwise it seems impossible to use the CC3200 in a highly secured (one might say, properly secured) application.

  • Hello Deomid,

    Let me first try to understand the use case.

    Does the device act as a client or a server?

    It is true that certificates are stored on the serial flash, but if you are acting as a client, the certificates do not contain any secret data, just a public key, and are transferred over the air anyway. If you are acting as a server, this is another story, as you also need to store the private key, and this I can understand.

    In any case, NWP cannot offload the signing operation as it is all internal.

    Regards,

    Shlomi

  • Hi Shlomi,

    The device is a client. In the system, a PKI and client certificates are used to authenticate clients.

    Yes, I know the NWP cannot do it today; that's what I'm requesting: a callback to user code, something like

    int sign_this(const uint8_t *buf, size_t length, uint8_t *signature, size_t buf_size);

    The available algorithm (RSA, ECDS, ECDSA) and key length are configured upfront.

    As it stands today, the situation with CC3100/CC3200 and security is pretty grim: there is essentially no secured storage, and no way to use secure credentials with TLS.
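As an added illustration (it is not part of this thread and not something the CC3100/CC3200 NWP offers), the callback Deomid is asking for is exactly what Go's crypto/tls exposes through the crypto.Signer interface: the TLS stack hands the hashed handshake transcript to user code and takes a signature back, so the TLS library never needs to read the private key. The example below simulates the external chip with an in-process P-256 key behind a hypothetical secureElementSigner type, runs a mutually authenticated handshake over an in-memory pipe, and counts how many times the "chip" was asked to sign. The names server.example and device-0001 are constructed for the example, and the must helper is just to keep the setup short.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"time"
)

// secureElementSigner is a hypothetical stand-in (not a driver for any real chip) for a key-storage part that only answers "sign this digest" requests.
type secureElementSigner struct {
	priv  *ecdsa.PrivateKey // in a real design this value never leaves the chip
	Calls int               // number of signing requests the chip has served
}

func (s *secureElementSigner) Public() crypto.PublicKey { return &s.priv.PublicKey }

// Sign receives the already-hashed transcript and returns a DER ECDSA signature: the same shape as the sign_this() callback requested above.
func (s *secureElementSigner) Sign(r io.Reader, digest []byte, _ crypto.SignerOpts) ([]byte, error) {
	s.Calls++
	return ecdsa.SignASN1(r, s.priv, digest)
}

// must keeps the key/cert setup short; a failure there is a programming error.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// makeSelfSigned issues a self-signed certificate for key; it doubles as the trust anchor in this demo.
func makeSelfSigned(cn string, dns []string, eku x509.ExtKeyUsage, key crypto.Signer) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     dns,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{eku},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, key.Public(), key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// runHandshake performs one mutually authenticated TLS handshake over an in-memory pipe and reports the client name the server verified plus how many signatures the chip produced.
func runHandshake() (string, int, error) {
	serverKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	serverCert := must(makeSelfSigned("server.example", []string{"server.example"}, x509.ExtKeyUsageServerAuth, serverKey))
	chip := &secureElementSigner{priv: must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))}
	clientCert := must(makeSelfSigned("device-0001", nil, x509.ExtKeyUsageClientAuth, chip))
	clientPool, serverPool := x509.NewCertPool(), x509.NewCertPool()
	clientPool.AddCert(clientCert)
	serverPool.AddCert(serverCert)
	srvCfg := &tls.Config{
		Certificates:           []tls.Certificate{{Certificate: [][]byte{serverCert.Raw}, PrivateKey: serverKey}},
		ClientAuth:             tls.RequireAndVerifyClientCert,
		ClientCAs:              clientPool,
		SessionTicketsDisabled: true, // keeps the net.Pipe exchange in strict lockstep
	}
	// The client certificate is public data and may sit on plain flash; only the chip holds the key.
	cliCfg := &tls.Config{
		RootCAs:      serverPool,
		ServerName:   "server.example",
		Certificates: []tls.Certificate{{Certificate: [][]byte{clientCert.Raw}, PrivateKey: chip}},
	}
	cliConn, srvConn := net.Pipe()
	defer cliConn.Close()
	defer srvConn.Close()
	before := chip.Calls // issuing the self-signed client cert above already used one signature
	done := make(chan error, 1)
	go func() { done <- tls.Client(cliConn, cliCfg).Handshake() }()
	server := tls.Server(srvConn, srvCfg)
	if err := server.Handshake(); err != nil {
		return "", 0, err
	}
	if err := <-done; err != nil {
		return "", 0, err
	}
	return server.ConnectionState().PeerCertificates[0].Subject.CommonName, chip.Calls - before, nil
}

func main() {
	fmt.Println(runHandshake())
}
```

Running it prints device-0001 1 <nil>: the server verified the device certificate, and the chip produced exactly one signature during the handshake (the CertificateVerify message). This also matches Shlomi's point above: the client certificate on the SPI flash is public data, and the only operation that needs the external chip is that single signing step.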

  • Hello Deomid,

    I understand the request and can pass it on for discussion.

    However, I do not see how such a request can be patched into the network processor easily.

    Will update you on this.

    Regards,

    Shlomi

  • Hello Deomid,

    Unfortunately, this cannot be done for the current generation of devices.

    I am closing the thread for now.

    Regards,
    Shlomi