Skip to content

Latest commit

 

History

History
708 lines (512 loc) · 23.3 KB

README.md

File metadata and controls

708 lines (512 loc) · 23.3 KB

ATECC608 Tools

Command-line tools to work with Atmel Crypto-Authentication (ATCA) library and devices.

See Customize section below to setup and compile the library.

Full article (spanish): Chips criptográficos de usar y tirar

Tools list

Primitives (simple commands)

Asimmetric encryption:

  • genecckey: Create an ECC private key, store it in the given slot and return the public parameters.
  • pubkey: Calculate the public key from an existing private key in a slot.
  • sign: Sign Tempkey using ECDSA algorithm with the private key in the slot.

Simmetric encryption:

  • aes_decrypt: AES128 decrypt a block using a key in a given slot.
  • aes_encrypt: AES128 encrypt a block using a key in a given slot.
  • derivekey: Create a new key from a parent, itself and tempkey.

Hash:

  • gendig: Issue a gendig-data command with the specified slot.
  • mac: Generate a MAC of the TempKey + Slot Key
  • sha: Calculate SHA256 of the message.

Random:

  • nonce_rand: Generate a random nonce with a challenge.
  • random: Retrieve a random number (or FF FF 00 00 ... if unlocked)

Utilities:

  • load_tempkey: Load TempKey with a given value.
  • read_slot: Read the first 32 bits from a data slot (cleartext)
  • serial: Get the chip's serial number.
  • state: Display device internal state.
  • write_8: Write data in slot 08.
  • write_enc: Write data using a writing key.
  • write_slot: Write 32 bytes of data to any slot.

Use cases (multiple commands)

  • auth_aes_dec: Decrypt a block of data using a secret symmetric key that requires Authorization
  • auth_aes_enc: Encrypt a block of data using a secret symmetric key that requires Authorization
  • authorize.sh: Performs a Check MAC with an authorization key in order to tell the device we know that key.
  • cbc_decrypt.sh: Decrypt data using AES-128-CBC mode.
  • cbc_encrypt.sh: Encrypt data using AES-128-CBC mode.
  • chip_info: Dump some information about the device.
  • eyc_original.sh: Verify an Original EyC component and retrieve verified data from a slot.
  • read_encrypted.sh: Read the contents of any slot encrypted with a Read key.
  • rotate_key.sh: Rotate a key from a parent key and a randon nonce.
  • setup_608: Configure ATECC608 with the configuration below.
  • symauth_diversified.sh: Like eyc_original.sh but using device diversified key.

Tools (auxiliary)

  • xor: Get two hexadecimal strings and return the xor.

Setup 608 configuration

This is a configuration proposal in order to try multiple things in this chip.

Run setup_608 to set up your device.

Summary

Slot Key Type Read Write Usage
00 ECC Private No Yes Device key. No usage restrictions.
01 AES 7 7 Symmetric key.
02 AES 7 7 Symmetric key with limited uses.
03 AES Yes Yes Symmetric key for debug.
04 SHA 7 7 Secret. Require random.
05 SHA 7 7 Secret with limited uses. Require random.
06 SHA Yes Yes Secret for debug.
07 SHA 7 7 Secret for encrypted I/O.
08 Data Yes Yes Info: Date, Model, Trademark, uuid.
09 ECC Public Yes Yes Public key for ECC on key 1.
10 SHA 0 7 Secret for Checkmac/Copy source.
11 SHA 0 7 Secret for Checkmac/Copy destination.
12 AES No 13 Symmetric key. Secret. Requires authorization by key 13.
13 SHA No 13 Secret to protect key 12. Require random.
14 ECC Public Yes Yes External key storage.
15 Data Yes 7 Secure info (you need to know key 7 to write it).

All slots are lockable.

Keys 7 and 13 and initialized to a random value generated by the device and only displayed once. You can change them knowing their current value.

Chip Info

This is the output of chip_info right after locking the config and data zones:

$ ./chip_info
Device type: 0x03
  CA:  yes
  CA2: no
  TA:  no
Sizes:
  Config: 128 (locked: yes)
  OTP: 64
  Data: 36 (locked: yes)

Config data:
01 23 11 6F 00 00 60 03 3D 78 39 66 EE 61 59 00
C0 00 00 00 87 20 C7 77 E7 77 07 07 C7 77 E7 77
07 07 87 07 07 07 07 07 C0 07 C0 0F 9D BD 8D 4D
07 07 00 47 3F FF 00 00 00 20 00 1F 00 FF 00 00
00 1F 00 1E 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 FF FF 00 00 00 00 00 00
73 00 78 00 78 00 18 00 7C 00 7C 00 1C 00 7C 00
3C 00 30 00 3C 00 3C 00 B8 0D 7C 00 30 00 3C 00

SN: 0123116f3d783966ee

Counter 0:   1000
Counter 1:   1000

OTP Contents: 1.0|2024/03/21|Electronica y Ciencia|www.electronicayciencia.com

Slot  0: <secret>
Slot  1: <secret>
Slot  2: <secret>
Slot  3: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
Slot  4: <secret>
Slot  5: <secret>
Slot  6: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
Slot  7: <secret>
Slot  8: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
Slot  9: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
Slot 10: <secret>
Slot 11: <secret>
Slot 12: <secret>
Slot 13: <secret>
Slot 14: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
Slot 15: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff

EEPROM

OTP EEPROM value will be like this:

1.0|2024/03/21|Electronica y Ciencia|www.electronicayciencia.com

Counters

Counters 0 and 1 are initialized to 1000.

Detailed keys purpose

Use cases and examples for the keys with above configuration.

Slot 0

Private key to sign with the device.

This key never leaves the chip so whomever uses this key has the chip.

It doesn't require authentication, so everybody can use it as long as they have the chip.

But it requires random nonce before use, so a replay attack is not possible.

Configuration code:

config_data->SlotConfig[slot] = 
    ATCA_SLOT_CONFIG_EXT_SIG_MASK      // External signatures of arbitrary messages are enabled.
  | ATCA_SLOT_CONFIG_INT_SIG_MASK      // Internal signatures of messages generated by GenDig or GenKey are enabled.
  | ATCA_SLOT_CONFIG_ECDH_MASK         // ECDH operation is permitted for this key.
  | ATCA_SLOT_CONFIG_IS_SECRET_MASK    // The contents of this slot are secret
  | ATCA_SLOT_CONFIG_GEN_KEY_MASK      // GenKey may be used to write random keys into this slot.
  ;

config_data->KeyConfig[slot] = 
    ATCA_KEY_CONFIG_PRIVATE_MASK       // The key slot contains an ECC private key
  | ATCA_KEY_CONFIG_PUB_INFO_MASK      // The public version of this key can always be generated.
  | ATCA_KEY_CONFIG_KEY_TYPE(ATCA_P256_KEY_TYPE)        // 4: P256 NIST ECC key / 6: AES-128 key / 7: Not an ECC key
  | ATCA_KEY_CONFIG_LOCKABLE_MASK      // Slot can be individually locked using the Lock command.
  | ATCA_KEY_CONFIG_REQ_RANDOM_MASK    // A random nonce is required.
  ;

Slot 1

Symmetric AES key for encription/decryption of external input data.

It is readable and writable if you know key 7.

It doesn't require authentication, so everybody can use it as long as they have the chip.

AES is used only with external input, so a random nonce is not required.

Example:

$ ./aes_encrypt 1 00000000000000000000000000000000
ec85f660317fc53302b54d1fa7dab892

Read contents:

$ ./read_encrypted.sh 1 7 0000000000000000000000000000000000000000000000000000000000000000
Reading data from slot: 1
Read key in slot: 7

Data: c54189118ec12e5691d2b830f19426fd78f218d44f345bf05afb44ab4b92efd6

Configuration code:

config_data->SlotConfig[slot] = 
    ATCA_SLOT_CONFIG_READKEY(7)        // Use this KeyID to encrypt data read from this slot. 0 only for CheckMac/Copy
  | ATCA_SLOT_CONFIG_ENC_READ_MASK     // Reads from this slot will be encrypted. IsSecret must also be set
  | ATCA_SLOT_CONFIG_IS_SECRET_MASK    // The contents of this slot are secret
  | ATCA_SLOT_CONFIG_WRITE_KEY(7)      // Use this key to validate and encrypt data written to this slot
  | ATCA_SLOT_CONFIG_WRITE_CONFIG(0b0111)   // Encrypted write, derive key from parent
  ;

config_data->KeyConfig[slot] = 
    ATCA_KEY_CONFIG_KEY_TYPE(ATCA_AES_KEY_TYPE) // Key type
  | ATCA_KEY_CONFIG_LOCKABLE_MASK      // Slot can be individually locked using the Lock command.
  ;

Slot 2

Like key 1 but with limited uses.

Counter 0 is increased every time this key is used.

Configuration code:

config_data->SlotConfig[slot] = 
    ATCA_SLOT_CONFIG_READKEY(7)        // Use this KeyID to encrypt data read from this slot. 0 only for CheckMac/Copy
  | ATCA_SLOT_CONFIG_ENC_READ_MASK     // Reads from this slot will be encrypted. IsSecret must also be set
  | ATCA_SLOT_CONFIG_LIMITED_USE_MASK  // The key stored in the slot is Limited Use.
  | ATCA_SLOT_CONFIG_IS_SECRET_MASK    // The contents of this slot are secret
  | ATCA_SLOT_CONFIG_WRITE_KEY(7)      // Use this key to validate and encrypt data written to this slot
  | ATCA_SLOT_CONFIG_WRITE_CONFIG(0b0111)   // Encrypted write, derive key from parent
  ;

config_data->KeyConfig[slot] = 
    ATCA_KEY_CONFIG_KEY_TYPE(ATCA_AES_KEY_TYPE)        // 4: P256 NIST ECC key / 6: AES-128 key / 7: Not an ECC key
  | ATCA_KEY_CONFIG_LOCKABLE_MASK      // Slot can be individually locked using the Lock command.
  ;

Slot 3

Like key 1, but publicly readable and writable.

You can use it for debug or to store an ephemeral session key.

To read the value:

$ ./read_slot 3
0000000000000000000000000000000000000000000000000000000000000000

To write:

$ ./write_slot 3 0000000000000000000000000000000000000000000000000000000000000000
Ok

To encrypt/decrypt:

$ ./aes_encrypt 3 00000000000000000000000000000000
66e94bd4ef8a2c3b884cfa59ca342b2e

$ ./aes_decrypt 3 66e94bd4ef8a2c3b884cfa59ca342b2e
00000000000000000000000000000000

Configuration code:

config_data->SlotConfig[slot] = 
    ATCA_SLOT_CONFIG_READKEY(7)       // Use this KeyID to encrypt data read from this slot. 0 only for CheckMac/Copy
  | ATCA_SLOT_CONFIG_WRITE_KEY(7)     // Use this key to validate and encrypt data written to this slot
  | ATCA_SLOT_CONFIG_WRITE_CONFIG(0)   // Always read/write
  ;

config_data->KeyConfig[slot] = 
    ATCA_KEY_CONFIG_KEY_TYPE(ATCA_AES_KEY_TYPE)        // 4: P256 NIST ECC key / 6: AES-128 key / 7: Not an ECC key
  ;

Slot 4

Shared secret for MAC generation.

It is readable and writable if you know key 7.

It doesn't require authentication, so everybody can use it as long as they have the chip.

A random nonce is required to prevent replay attacks.

Configuration code:

config_data->SlotConfig[slot] = 
    ATCA_SLOT_CONFIG_READKEY(7)        // Use this KeyID to encrypt data read from this slot. 0 only for CheckMac/Copy
  | ATCA_SLOT_CONFIG_ENC_READ_MASK     // Reads from this slot will be encrypted. IsSecret must also be set
  | ATCA_SLOT_CONFIG_IS_SECRET_MASK    // The contents of this slot are secret
  | ATCA_SLOT_CONFIG_WRITE_KEY(7)      // Use this key to validate and encrypt data written to this slot
  | ATCA_SLOT_CONFIG_WRITE_CONFIG(0b0111)   // Encrypted write, derive key from parent
  ;

config_data->KeyConfig[slot] = 
    ATCA_KEY_CONFIG_KEY_TYPE(ATCA_SHA_KEY_TYPE)        // 4: P256 NIST ECC key / 6: AES-128 key / 7: Not an ECC key
  | ATCA_KEY_CONFIG_LOCKABLE_MASK      // Slot can be individually locked using the Lock command.
  | ATCA_KEY_CONFIG_REQ_RANDOM_MASK    // A random nonce is required.
  ;

Slot 5

Like slot 4 but with limited uses.

Counter 0 is increased every time this key is used.

Configuration code:

config_data->SlotConfig[slot] = 
    ATCA_SLOT_CONFIG_READKEY(7)        // Use this KeyID to encrypt data read from this slot. 0 only for CheckMac/Copy
  | ATCA_SLOT_CONFIG_ENC_READ_MASK     // Reads from this slot will be encrypted. IsSecret must also be set
  | ATCA_SLOT_CONFIG_LIMITED_USE_MASK  // The key stored in the slot is Limited Use.
  | ATCA_SLOT_CONFIG_IS_SECRET_MASK    // The contents of this slot are secret
  | ATCA_SLOT_CONFIG_WRITE_KEY(7)      // Use this key to validate and encrypt data written to this slot
  | ATCA_SLOT_CONFIG_WRITE_CONFIG(0b0111)   // Encrypted write, derive key from parent
  ;

config_data->KeyConfig[slot] = 
    ATCA_KEY_CONFIG_KEY_TYPE(ATCA_SHA_KEY_TYPE)        // 4: P256 NIST ECC key / 6: AES-128 key / 7: Not an ECC key
  | ATCA_KEY_CONFIG_LOCKABLE_MASK      // Slot can be individually locked using the Lock command.
  | ATCA_KEY_CONFIG_REQ_RANDOM_MASK    // A random nonce is required.
  ;

Slot 6

Like key 1, but publicly readable and writable.

Does not require nonce.

Configuration code:

config_data->SlotConfig[slot] = 
    ATCA_SLOT_CONFIG_READKEY(7)        // Use this KeyID to encrypt data read from this slot. 0 only for CheckMac/Copy
  | ATCA_SLOT_CONFIG_WRITE_KEY(7)      // Use this key to validate and encrypt data written to this slot
  | ATCA_SLOT_CONFIG_WRITE_CONFIG(0)   // Always read/write
  ;

config_data->KeyConfig[slot] = 
    ATCA_KEY_CONFIG_KEY_TYPE(ATCA_SHA_KEY_TYPE)        // 4: P256 NIST ECC key / 6: AES-128 key / 7: Not an ECC key
  ;

Slot 7

Shared secret for I/O. This key can be used to read and write any other key that requires encrypted read or write (except key 12).

Notice this does not provide any security while the slot is unlocked, because this key is writable in cleartext.

Ex. set SHA256("password") as the new key:

./write_slot 7 5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8

Configuration code:

config_data->SlotConfig[slot] = 
    ATCA_SLOT_CONFIG_READKEY(7)        // Use this KeyID to encrypt data read from this slot. 0 only for CheckMac/Copy
  | ATCA_SLOT_CONFIG_IS_SECRET_MASK    // The contents of this slot are secret
  | ATCA_SLOT_CONFIG_WRITE_KEY(7)      // Use this key to validate and encrypt data written to this slot
  | ATCA_SLOT_CONFIG_WRITE_CONFIG(0)   // Clear W
  ;

config_data->KeyConfig[slot] = 
    ATCA_KEY_CONFIG_KEY_TYPE(ATCA_SHA_KEY_TYPE)        // 4: P256 NIST ECC key / 6: AES-128 key / 7: Not an ECC key
  | ATCA_KEY_CONFIG_LOCKABLE_MASK      // Slot can be individually locked using the Lock command.
  | ATCA_KEY_CONFIG_REQ_RANDOM_MASK    // A random nonce is required.
  ;

Slot 8

This is the longest slot in the device. It is publicly writable and readable. You can use it to store arbitrary public data.

Use write_8to write it:

$ ./write_8 "EyC Original. 2024/03/22."
   0:  45 79 43 20 4f 72 69 67 69 6e 61 6c 2e 20 32 30 32 34 2f 30 33 2f 32 32 2e 00 00 00 00 00 00 00
  32:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  64:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  96:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 128:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 160:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 192:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 224:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 256:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 288:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 320:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 352:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 384:  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Ok

Configuration code:

config_data->SlotConfig[slot] = 
    ATCA_SLOT_CONFIG_READKEY(7)        // Use this KeyID to encrypt data read from this slot. 0 only for CheckMac/Copy
  | ATCA_SLOT_CONFIG_WRITE_KEY(7)      // Use this key to validate and encrypt data written to this slot
  | ATCA_SLOT_CONFIG_WRITE_CONFIG(0)   // Clear W
  ;

config_data->KeyConfig[slot] = 
    ATCA_KEY_CONFIG_KEY_TYPE(ATCA_SHA_KEY_TYPE)        // 4: P256 NIST ECC key / 6: AES-128 key / 7: Not an ECC key
  | ATCA_KEY_CONFIG_LOCKABLE_MASK      // Slot can be individually locked using the Lock command.
  ;

Slot 9

Public key. You can use it to store slot 0's public part.

Can be clear read and write.

Configuration code:

config_data->SlotConfig[slot] = 
    ATCA_SLOT_CONFIG_READKEY(7)        // Use this KeyID to encrypt data read from this slot. 0 only for CheckMac/Copy
  | ATCA_SLOT_CONFIG_WRITE_KEY(7)      // Use this key to validate and encrypt data written to this slot
  | ATCA_SLOT_CONFIG_WRITE_CONFIG(0)   // Clear W
  ;

config_data->KeyConfig[slot] = 
    ATCA_KEY_CONFIG_KEY_TYPE(ATCA_P256_KEY_TYPE)        // 4: P256 NIST ECC key / 6: AES-128 key / 7: Not an ECC key
  | ATCA_KEY_CONFIG_LOCKABLE_MASK      // Slot can be individually locked using the Lock command.
  ;

Slot 10

TBD

Slot 11

TBD

Slot 12

Secret AES. This is a secret key, unkown.

It can be created or rotated using the DeriveKey command. But you cannot directly read or write it.

You must authenticate via key 13 to use this key.

Ex.: key 13 is the sha256 of password.

$ echo -n "password" | sha256sum | cut -d' ' -f 1
5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8

$ ./authorize.sh 13 5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8
Ok

$ ./state
TempKey.NoMacFlag:  0
TempKey.GenKeyData: 0
TempKey.GenDigData: 0
TempKey.SourceFlag: 0
TempKey.KeyID:      0
TempKey.Valid:      0
Auth Key ID:        13
Auth Valid:         1
SRAM RNG:           0
EEPROM RNG:         0

For some reason, authorization does not work as expected for AES keys. So you can't use this key to directly encrypt/decrypt.

However, you still can use this key to derive a symmetric key into TempKey.

Once authorized, you can load TempKey with a known value (like an IV), then use GenDig with this key to derive the AES encryption key:

$ ./load_tempkey 00000000000000000000000000000000
Ok

$ ./gendig 12
Ok

After this operation, you are no authorized anymore. TempTey is valid, derived from key 12 and a know value.

$ ./state
TempKey.NoMacFlag:  1
TempKey.GenKeyData: 0
TempKey.GenDigData: 1
TempKey.SourceFlag: 1
TempKey.KeyID:      12
TempKey.Valid:      1
Auth Key ID:        0
Auth Valid:         0
SRAM RNG:           0
EEPROM RNG:         0

Now you can encrypt/decrypt with the derived key:

$ ./aes_encrypt TEMPKEY 00000000000000000000000000000000
75e4ca11617b83e442d28fbcdb9210a4

This method is useful to encrypt multiple blocks with a limited use key. Because it only count as one use (the gendig command).

Like using AES-128-CBC mode:

$ cat LICENSE | ./cbc_encrypt.sh TEMPKEY > LICENSE.aes

To decrypt it:

$ cat LICENSE.aes | ./cbc_encrypt.sh TEMPKEY

Configuration code:

config_data->SlotConfig[slot] = 
    ATCA_SLOT_CONFIG_READKEY(13)        // Use this KeyID to encrypt data read from this slot. 0 only for CheckMac/Copy
  | ATCA_SLOT_CONFIG_NOMAC_MASK        // The key stored in the slot cannot be used by the MAC or HMAC commands. 
  | ATCA_SLOT_CONFIG_IS_SECRET_MASK    // The contents of this slot are secret
  | ATCA_SLOT_CONFIG_WRITE_KEY(13)      // Use this key to validate and encrypt data written to this slot
  | ATCA_SLOT_CONFIG_WRITE_CONFIG(0b1011)  // Authorizing MAC required for DeriveKey command. (Create)
  ;

config_data->KeyConfig[slot] = 
    ATCA_KEY_CONFIG_KEY_TYPE(ATCA_AES_KEY_TYPE)        // 4: P256 NIST ECC key / 6: AES-128 key / 7: Not an ECC key
  | ATCA_KEY_CONFIG_LOCKABLE_MASK      // Slot can be individually locked using the Lock command.
  | ATCA_KEY_CONFIG_REQ_AUTH_MASK      // To use this key, authorization by AuthKey must be completed
  | ATCA_KEY_CONFIG_AUTH_KEY(13)        // If ReqAuth is one, this field points to the key that must be used for authorization 
  ;

Slot 13

Secret to use key 12.

A nonce is always required.

To prevent brute force attacks, you must also set limited uses for this key.

You can change this key only if you know its current value. Ex. changing from all zeros to the sha256 of password.

$ ./write_enc 13 5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8 \
              13 0000000000000000000000000000000000000000000000000000000000000000 \
              0000000000000000000000000000000000000000

Configuration code:

// General Purpose Slot Config (Not ECC Private Keys)
config_data->SlotConfig[slot] = 
    ATCA_SLOT_CONFIG_READKEY(13)        // Use this KeyID to encrypt data read from this slot. 0 only for CheckMac/Copy
  | ATCA_SLOT_CONFIG_IS_SECRET_MASK    // The contents of this slot are secret
  | ATCA_SLOT_CONFIG_WRITE_KEY(13)      // Use this key to validate and encrypt data written to this slot
  | ATCA_SLOT_CONFIG_WRITE_CONFIG(0b0100)   // Encrypt write (with itself)
  ;

config_data->KeyConfig[slot] = 
    ATCA_KEY_CONFIG_KEY_TYPE(ATCA_SHA_KEY_TYPE)        // 4: P256 NIST ECC key / 6: AES-128 key / 7: Not an ECC key
  | ATCA_KEY_CONFIG_LOCKABLE_MASK      // Slot can be individually locked using the Lock command.
  | ATCA_KEY_CONFIG_REQ_RANDOM_MASK    // A random nonce is required.
  ;

Slot 14

TBD

Slot 15

Data. Public read, encrypt write.

Since you need to know key 7 to write it, you can use it to store public data that the user can read but cannot modify.

$ ./read_slot 15 | xxd -r -p
To write this, you need key 7.

$ ./write_enc 15 546f20777269746520746869732c20796f75206e656564206b657920372e0000 \
               7 5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8 \
               0000000000000000000000000000000000000000

Configuration code:

// General Purpose Slot Config (Not ECC Private Keys)
config_data->SlotConfig[slot] = 
    ATCA_SLOT_CONFIG_WRITE_KEY(7)      // Use this key to validate and encrypt data written to this slot
  | ATCA_SLOT_CONFIG_WRITE_CONFIG(0b0100)   // Encrypted W
  ;

// Key Config
config_data->KeyConfig[slot] = 
    ATCA_KEY_CONFIG_KEY_TYPE(ATCA_SHA_KEY_TYPE)        // 4: P256 NIST ECC key / 6: AES-128 key / 7: Not an ECC key
  | ATCA_KEY_CONFIG_LOCKABLE_MASK      // Slot can be individually locked using the Lock command.
  ;

Customize

Edit device_cfg.c for your device. Then edit atca_config.h to enable proper things.

Build

Compile the library

Create a directory:

mkdir ~/atca && cd ~/atca

Clone the repository:

git clone https://github.com/electronicayciencia/ATECC608-Tools.git

Enter the main directory and update the library:

cd ATECC608-Tools
git submodule update --init --recursive

Build the library with your preferred options:

cd cryptoauthlib
cmake -DATCA_PKCS11:STRING=ON -DATCA_HAL_I2C=ON .
make

The file cryptoauthlib/lib/libcryptoauth.so is created.

Applications

Run make to build all the binaries.

cd ..
make

Run

Export the library path:

export LD_LIBRARY_PATH=$HOME/atca/cryptoauthlib/lib

Optionally, edit ~/.bashrc to include that line.

To inspect I2C messages, set ATCA_TRACE env. var.:

export ATCA_TRACE=1