Creating digital signature on the devices for a secure channel

[MuratUrsavas]

We will be creating a trusted chain between our services and devices via utilizing ATECC608B.

The tasks will be:

• Generate a CSR on the ECC
• Sign and store the certificate in ECC
• Transfer the digital signature to hm-dashboard to deal with Google IoT Cloud Core.

[shawaj]

@MuratUrsavas I don't think we need to generate a CSR or any kind of certificate.

The ECC key is already an asymmetric encryption key. We do not need to create a new one

Example code https://github.com/MicrochipTech/gcp-iot-core-examples

[shawaj]

This might also be helpful https://github.com/MicrochipTech/cryptoauthlib/tree/main

[shawaj]

Basically, all we need to do is store the public key of each device (i.e. the helium public key) in google iot core.

This can then be used to sign JWTs on the device and use these JWTs to authenticate to IoT core.

Alternatively, we could create another private key in another slot in the ECC, and a corresponding public key and then upload that to iot core - but this seems like overkill and way more cumbersome. As we already have the ECC public key being generated and sent to our dashboard during manufacturing.

Sources:

• Creating keys - https://cloud.google.com/iot/docs/how-tos/credentials/keys#generating_an_elliptic_curve_keys
• Creating signed jwts - https://cloud.google.com/iot/docs/how-tos/credentials/jwts
• JWT python module from microchip - https://github.com/MicrochipTech/cryptoauthlib/blob/main/python/cryptoauthlib/atjwt.py
• JWT c source - https://github.com/MicrochipTech/cryptoauthlib/tree/main/lib/jwt
• PDF guide (See page 330) - https://github.com/MicrochipTech/cryptoauthlib/blob/main/cryptoauthlib-manual.pdf

Others:

• https://www.microchip.com/en-us/products/security-ics/cryptoauthentication-family/use-case-archives/google-iot-core-atecc608a#
• https://stackoverflow.com/questions/68629781/how-to-use-atecc608-chip-to-generate-jwt-signatures-in-gcp
• https://cloud.google.com/community/tutorials/embedded-c-getting-started
• https://cloud.google.com/iot/docs/how-tos/credentials/jwts
• https://cloud.google.com/community/tutorials/cloud-iot-gateways-rpi
• https://github.com/GoogleCloudPlatform/iot-device-sdk-embedded-c
• https://github.com/MicrochipTech/cryptoauthtools

[MuratUrsavas]

@shawaj It's not just about encrypted line between the device and cloud. We need to make sure it is authentic and non-tampered. So this signature will include our authentication key and the rest of the details (CPUID, MAC's, SerialNum, eMMC/SDCARD serial, Concentrator Serial etc. All possible traceable unique numbers).

This way we will be able to track its integrity.

[shawaj]

@MuratUrsavas why do we need any of that?

Seems like major overkill.

We can already verify it is the device using the private/public key pair and signed transactions

The other stuff is superfluous and unnecessary

[vpetersson]

This barely adds any complexity. These are just meta field for when we create the certificate. We can basically just add whatever data we want, but the key generation process is basically identical.

[MuratUrsavas]

I agree with @vpetersson. We can't use the keys of the Helium Network. So we need to add our logic for creating Private / Public keys. If we do that, creating a CSR would be almost the same effort as creating a key pair. But it would add a lot of value via providing integrity validation and message authenticity.

[vpetersson]

@MuratUrsavas Since we're using self-singed keys, a CSR isn't really necessary (only really needed for a full PKI setup). However, I'm not sure exactly how this library works if we can just skip that (like you can with openssl).

[shawaj]

Not sure we really need this anymore - @KevinWassermann94 any thoughts?