kmackay / micro-ecc

ECDH and ECDSA for 8-bit, 32-bit, and 64-bit processors.
BSD 2-Clause "Simplified" License

HASH out value different on same file? #206

Open InspireSemi opened 1 year ago

InspireSemi commented 1 year ago

Using : const struct uECC_Curve_t *curve = uECC_secp256k1();

We are using it this way: uECC_sign(APPPRIVKEY, sha256_output, sizeof(sha256_output), signature, curve);

This is generating a different signature each time we run the same file through this. Is this expected?
I assumed that the signature would be the same for the same binary file?

utzig commented 1 year ago

> I assumed that the signature would be the same for the same binary file?

It's not unless RFC-6979 is implemented, which is not for uECC_sign. The library has a function which does a simplified deterministic signature generation, use uECC_sign_deterministic.
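Added example, not part of the thread and not micro-ecc code: a from-scratch Python ECDSA over secp256k1 showing why the signature changes on every run (a fresh random nonce per signature), how a nonce derived per RFC 6979 makes it repeat, and that verification takes only the public key, hash and signature. All function names, the `demo` helper and the sample image bytes are constructed for illustration, and the output is not claimed to match `uECC_sign_deterministic` byte for byte.

```python
import hashlib, hmac, secrets
p = 2**256 - 2**32 - 977  # secp256k1, the curve used in the question
n = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(P, Q):  # affine point addition; None is the point at infinity
    if P is None or Q is None:
        return P or Q
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % p == 0:
        return None
    m = (3 * x1 * x1 * pow(2 * y1, -1, p) if P == Q
         else (y2 - y1) * pow((x2 - x1) % p, -1, p)) % p
    x3 = (m * m - x1 - x2) % p
    return x3, (m * (x1 - x3) - y1) % p

def mul(k, P):  # double-and-add; not constant time, illustration only
    if k == 0:
        return None
    return add(mul(k >> 1, add(P, P)), P if k & 1 else None)

def rfc6979_k(d, digest):  # nonce from key and hash (RFC 6979, HMAC-SHA256)
    seed = d.to_bytes(32, "big") + (int.from_bytes(digest, "big") % n).to_bytes(32, "big")
    V, K = b"\x01" * 32, b"\x00" * 32
    for sep in (b"\x00", b"\x01"):
        K = hmac.digest(K, V + sep + seed, "sha256")
        V = hmac.digest(K, V, "sha256")
    while not 0 < int.from_bytes(V := hmac.digest(K, V, "sha256"), "big") < n:
        K = hmac.digest(K, V + b"\x00", "sha256")  # out of range: reseed, retry
        V = hmac.digest(K, V, "sha256")
    return int.from_bytes(V, "big")

def sign(d, digest, k):  # k is the per-signature nonce, the only varying input
    r = mul(k, G)[0] % n
    return r, pow(k, -1, n) * (int.from_bytes(digest, "big") + r * d) % n

def verify(Q, digest, sig):  # public key, hash and signature only: no RNG
    r, s = sig
    if not (0 < r < n and 0 < s < n):
        return False
    w = pow(s, -1, n)
    R = add(mul(int.from_bytes(digest, "big") * w % n, G), mul(r * w % n, Q))
    return R is not None and R[0] % n == r

def demo(d, image=b"constructed firmware image"):
    digest = hashlib.sha256(image).digest()
    rand = [sign(d, digest, secrets.randbelow(n - 1) + 1) for _ in range(2)]
    det = [sign(d, digest, rfc6979_k(d, digest)) for _ in range(2)]
    return mul(d, G), digest, rand, det
```

`demo(d)` returns the public key, the digest, two random-nonce signatures and two deterministic ones for a private scalar `d`; the nonce must stay secret and must never repeat across different hashes, which is the property the deterministic derivation preserves.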

InspireSemi commented 1 year ago

I assume the ecc_verify() API just authenticates a given SHA-2 against the signature, and does not need the RNG number to do this.


uc-mani commented 1 year ago

I think as long as the signature created using uECC_sign() is verified by the uECC_verify() function, we are good.

InspireSemi commented 1 year ago

We plan on using the first api on a PC to sign the binaries and the second api on the device to authenticate so we should be ok.


uc-mani commented 1 year ago

> We plan on using the first api on a PC to sign the binaries and the second api on the device to authenticate so we should be ok.

Hey Marc, my suggestion is, after the uECC_sign API, use the uECC verify API on the PC as just an additional step for your signature verification. I am following the same approach for Firmware Update.

InspireSemi commented 1 year ago

Great minds…. Am already doing that to verify the signature after packaging…
