About this document

Scope and purpose

The scope of this document is the OPTIGA™ Trust M[1] solution spanning from the device with its external interface to the enabler components used for integrating the device with a bigger system. Throughout this document the term OPTIGA™ is interchangable used for the particular OPTIGA™ Trust family member OPTIGA™ Trust M, which is subject of this document.

Intended audience

This document addresses the audience: development teams as well as customers, solution providers or system integrators who are interested in solution details.

Table of Contents

• 1 Introduction
  • 1.1 Abbreviations
  • 1.2 Naming Conventions
  • 1.3 References
  • 1.4 Overview
• 2 Supported use cases
  • 2.1 Architecture Decomposition
    • 2.1.1 Host code size
  • 2.2 Sequence Diagrams utilizing basic functionality
    • 2.2.1 Use Case: Read General Purpose Data - data object
    • 2.2.2 Use Case: Read General Purpose Data - metadata
    • 2.2.3 Use Case: Write General Purpose Data - data object
    • 2.2.4 Use Case: Write General Purpose Data - metadata
    • 2.2.5 Use Case: Integrity Protected Update of a data object
    • 2.2.6 Use Case: Confidentiality Protected Update of key or a data object
  • 2.3 Sequence Diagrams utilizing cryptographic toolbox functionality
    • 2.3.1 Use Case: Mutual Authentication establish session -toolbox-(TLS-Client)
    • 2.3.2 Use Case: Abbreviated Handshake -toolbox- (TLS-Client)
    • 2.3.3 Use Case: Host Firmware Update
    • 2.3.4 Use Case: Pair OPTIGA™ with Host (Pre-Shared Secret based)
    • 2.3.5 Use Case: Verified Boot -toolbox-
    • 2.3.6 Use Case: Update Platform Binding Secret during runtime(Pre-Shared Secret based)
    • 2.3.7 Use Case: Local "data-at-rest" protection
    • 2.3.8 Use Case: Local "data-at-rest" and "data-in-transit" protection
    • 2.3.9 Use Case: Host "data-at-rest" and "data-in-transit" protection
    • 2.3.10 Use Case: Generate MAC (HMAC with SHA2)
    • 2.3.11 Use Case: Verify Authorization (HMAC with SHA2)
    • 2.3.12 Use Case: Generate Hash 36
• 3 Enabler APIs
  • 3.1 Service Layer Decomposition
    • 3.1.1 optiga_crypt
      • 3.1.1.1 Basic (e.g. initialization, shielded connection settings) operations
      • 3.1.1.2 Random generation operations
      • 3.1.1.3 Hash operations
      • 3.1.1.4 ECC based operations
      • 3.1.1.5 RSA based operations
      • 3.1.1.6 Symmetric based operations
      • 3.1.1.7 Hmac, key derivation based operations
    • 3.1.2 optiga_util
      • 3.1.2.1 Basic (e.g. initialization, shielded connection settings)operations
      • 3.1.2.2 Open and Close operations
      • 3.1.2.3 Read and Write operations
      • 3.1.2.4 Protected update operations
  • 3.2 Abstraction Layer Decomposition
    • 3.2.1 pal
    • 3.2.2 pal_crypt
    • 3.2.3 pal_gpio
    • 3.2.4 pal_i2c
    • 3.2.5 pal_os
  • 3.3 Data Types
    • 3.3.1 Enumerations
• 4 OPTIGA™ Trust M External Interface
  • 4.1 Warm Reset
  • 4.2 Power Consumption
    • 4.2.1 Sleep Mode
  • 4.3 Protocol Stack
  • 4.4 Commands
    • 4.4.1 Command definitions
      • 4.4.1.1 OpenApplication
      • 4.4.1.2 CloseApplication
      • 4.4.1.3 GetDataObject
      • 4.4.1.4 SetDataObject
      • 4.4.1.5 SetObjectProtected
      • 4.4.1.6 GetRandom
      • 4.4.1.7 EncryptSym
      • 4.4.1.8 DecryptSym
      • 4.4.1.9 EncryptAsym
      • 4.4.1.10 DecryptAsym
      • 4.4.1.11 CalcHash
      • 4.4.1.12 CalcSign
      • 4.4.1.13 VerifySign
      • 4.4.1.14 GenKeyPair
      • 4.4.1.15 GenSymKey
      • 4.4.1.16 CalcSSec
      • 4.4.1.17 DeriveKey
    • 4.4.2 Command Parameter Identifier
    • 4.4.3 Command Performance
  • 4.5 Security Policy
    • 4.5.1 Overview
    • 4.5.2 Policy Attributes
    • 4.5.3 Policy Enforcement Point
  • 4.6 Security Monitor
    • 4.6.1 Security Events
    • 4.6.2 Security Monitor Policy
    • 4.6.3 Security Monitor Configurations
    • 4.6.4 Security Monitor Characteristics
• 5 OPTIGA™ Trust M Data Structures
  • 5.1 Overview Data and Key Store
  • 5.2 Access Conditions (ACs)
  • 5.3 Life Cycle State
  • 5.4 Common and application specific objects and ACs
  • 5.5 Metadata expression
  • 5.6 Common data structures
  • 5.7 Application-specific data structures
• 6 Appendix
  • 6.1 Command Coding Examples
  • 6.2 Data encoding format examples
    • 6.2.1 ECC Private Key
    • 6.2.2 ECC Public Key
    • 6.2.3 ECDSA Signature
    • 6.2.4 RSA Private Key
    • 6.2.5 RSA Public Key
    • 6.2.6 RSA Signature
  • 6.3 Limitations
    • 6.3.1 Memory Constraints
  • 6.4 Certificate Parser Details
    • 6.4.1 Parameter Validation
  • 6.5 Security Guidance
    • 6.5.1 Use Case: Mutual Authentication -toolbox-
    • 6.5.2 Use Case: Host Firmware Update -toolbox-
    • 6.5.3 Key usage associated to toolbox functionality
    • 6.5.4 Key pair generation associated to toolbox functionality
    • 6.5.5 Static key generation associated to toolbox functionality
    • 6.5.6 Shared secret for key derivation or MAC generation associated to toolbox and protected update functionalities
    • 6.5.7 Auto states
    • 6.5.8 Shielded Connection
    • 6.5.9 Algorithm usage
  • 6.6 Shielded Connection V1 Guidance
    • 6.6.1 Setup
    • 6.6.2 Usage
    • 6.6.3 Host authenticates OPTIGA™
      • 6.6.3.1 Write and read nonce to/from a data object
      • 6.6.3.2 Derive keys using nonce during run time
      • 6.6.3.3 Derive keys using nonce and a static (additional) pre-shared secret
  • 6.7 Protected Update
    • 6.7.1 Payload Confidentiality
    • 6.7.2 Format of keys in Payload
      • 6.7.2.1 ECC
      • 6.7.2.2 RSA
      • 6.7.2.3 AES
    • 6.7.3 Metadata update
    • 6.7.4 CDDL Tool
  • 6.8 Glossary
• Revision history

This chapter provides beyond others abbreviations, naming conventions and references to maintain a common language throughout the document.

1. Abbreviations

Throughout this document the naming of cryptographic material (e.g. keys) are constructed by concatenating abbreviations (in "camel notation") given in this section (e.g. SmcPriAUT → OPTIGA™ Private Key for Authentication).

2. Naming Conventions

The shown references are either direct used throughout this document or worth to read for a better understanding of the eco-systems with which the OPTIGA™ interacts.

3. References

The OPTIGA™ provides a cryptographic feature set which in particular supporting IoT use cases and along with that it provides a number of key and data objects which hold user/customer related keys and data.

The subsequent document is structured in the chapters Supported Use Cases, Enabler APIs, OPTIGA™ Trust M External Interface, OPTIGA™ Trust M Data Structures and Appendix.

• Supported Use Cases provides the main use cases in a form of sequence diagrams which explains how the host side Enabler APIs are used in the respective use cases.

• Enabler APIs provides the necessary details of the host side architectural APIs which are implemented based on the OPTIGA™ Trust M External Interface.

• OPTIGA™ Trust M External Interface provides the necessary details of the external interface to utilize the OPTIGA™ functionality.

• OPTIGA™ Trust M Data Structures provides details of the key and data objects provided by the OPTIGA™.

• Appendix provides some useful information with regards to Command Coding Examples, Limitations, Certificate Parser Details, Security Guidance, Shielded Connection V1 Guidance, Protected Update, Glossary, etc.

In the Supported use cases chapter a collection of use cases are provided which are expressed as UML sequence diagrams to show how to utilize the OPTIGA™ enabler components (Enabler APIs) to achieve the target functionality of the solution. This chapter is intended to maintain a well understanding of the OPTIGA™ eco system components particular for system integrators who like to integrate the OPTIGA™ with their solution.

The architecture components contained in the shown solution architecture view (OPTIGA™Trust Communication Protection - toolbox - View) are listed and briefly described in the table below.

4. Architecture components

The class diagram OPTIGA™Trust Communication Protection - toolbox - View shows the Communication Protection Solution Architecture in case the local host is invoking a third_party_crypto library (e.g. WolfSSL, OpenSSL, mbedTLS, ...) containing its main functional blocks. The OPTIGA™ is integrated via its toolbox functionality. The entities communicating across a protected channel are the Server and the Client (Host) and optionally the Client and the OPTIGA™ (Shielded Connection). This view is applied for toolbox based solution kind of use cases, where the involved blocks are represented as dedicated lifelines.

The color coding provides information of whether the functional block is:

• yellow: platform agnostic and provided by IFX or

• green: platform ported (subject of porting to a target platform) and provided by IFX as an example ported to the evaluation board or

• blue: platform specific provided by a third party.

Figure 1 - OPTIGA™Trust Communication Protection - toolbox - View

The below table shows the footprint of the various host side configurations. The "Note" column specifies the components contained in the footprint calculation. All other components even shown by the architecture diagram are heavily project specific and provided by the system integrator. The values specified in the table are based on Keil ARM MDK v5.25 targeting Cortex M (32 bit) controller. These values are subjected to vary based on the target controller architecture (8/16/32 bit), compiler and optimization level chosen.

5. Host library – Code and RAM size details

In addition, the optiga_lib_config.h file (in the host side library) can be updated to enable or disable the features based on the target usage to reduce the code consumption if compiler is not optimizing automatically.

The local_host_application intends to read the content of a data object maintained by the OPTIGA™.

This sequence diagram is provided to show the functions involved in reading a data object. The function is performed atomic (no other invocation of the optiga_cmd module will interrupt the execution).

Pre-condition:

• The OPTIGA™ application is already launched.

• The necessary access conditions for reading the target data object are satisfied.

Figure 2 - Use Case: Read General Purpose Data - data object

The local_host_application intends to read the metadata of a data/key object maintained by the OPTIGA™.

This sequence diagram is provided to show the functions involved in reading the metadata of a data/key object. The function is performed atomic (no other invocation of the optiga_cmd module will interrupt the execution).

Pre-condition:

• The OPTIGA™ application is already launched

Figure 3 - Use Case: Read General Purpose Data - metadata

The local_host_application intends to update a data object maintained by the OPTIGA™.

This sequence diagram is provided to show the functions involved in performing updating an data object by a single invocation of the optiga_cmd module. The function is performed atomic (no other invocation of the optiga_cmd module will interrupt the execution).

Pre-condition:

• The OPTIGA™ application is already launched

• The necessary access conditions for writing the target data object are satisfied

Post-condition:

• The target data object is updated

Figure 4 - Use Case: Write General Purpose Data - data object

The local_host_application intends to update the metadata associated to a data object, which is maintained by OPTIGA™.

This sequence diagram is provided to show the functions involved in updating metadata associated to a data object.

Pre-condition:

• The OPTIGA™ application is already launched

• The necessary access conditions for writing the metadata associated with a data/key object are satisfied.

Post-condition:

• The metadata associated to the target data/key object is updated

Figure 5 - Use Case: Write General Purpose Data - metadata

The Management Server intends to update a data object (e.g. a Trust Anchor) with integrity protected. The Management Server provides an update data set, which is forwarded to the OPTIGA™. The OPTIGA™ checks and removes the protection and upon success updates the target data object.

Pre-condition(s):

• The OPTIGA™ application is already launched

• The Trust Anchor for management purpose is well formatted and available at the OPTIGA™.

• The access conditions of the target data object allow protected update.

Post-condition:

• The target data object is updated.

Figure 6 - Use Case: Integrity Protected Update of a data object

The Management Server intends to update a key or a data object (e.g. Pre-shared Secret) with integrity and confidentiality protected. The Management Server provides an update data set, which is forwarded to the OPTIGA™. The OPTIGA™ checks and removes the protection and upon success updates the target data/key object.

1. OPTIGA™ Trust M V1 doesn’t support confidentiality and update of keys & metadata as part of protected update.

Pre-condition(s):

• The OPTIGA™ application is already launched.

• The Trust Anchor for management purpose is well formatted and available at the OPTIGA™.

• The protected update secret for management purpose (to enable confidentiality) is available at OPTIGA™.

• The access conditions of the target data/key object allow protected updating.

Post-condition:

• The target data / key object is updated.

Figure 7 - Use Case: Confidentiality Protected Update of key or a data object

The Server and the Client (on behalf of the User), which incorporates the OPTIGA™, intend to proof the authenticity of each other. Both the Server and OPTIGA™ providing challenges (random value) and both entities return one or multiple cryptograms (depending on the applied authentication protocol) as response by which both parties proof their authenticity. The Server and Client executing ECDHE for key agreement and ECDSA FIPS 186-3 sign SHA256 hash for authentication, and the Client is authenticated as well.

2. The hashing of the handshake messages by the Client is not shown. This could be performed by SW at the Client or via CalcHash command by the OPTIGA™. In the latter case, the intermediate results shall be returned by OPTIGA™ and provided for continuing the hashing with further commands.

Pre-conditions:

• The OPTIGA™ application is already launched.

• The public key pairs for authentication purpose and public key certificates are properly installed at the OPTIGA™.

• The Trust Anchor for verifying the Public Key Certificates of the authentication partner (Server) is properly installed.

Post-condition:

• The Client knows the session keys (write_key) to run the application protocol without the help of the OPTIGA™.

Figure 8 - Use Case: Mutual Authentication establish session -toolbox- (TLS-Client)

Figure 9 - Use Case: Mutual Auth establish session -toolbox- (TLS-Client) cont'd

The Server and the Client (on behalf of the User), which incorporates the OPTIGA™, intend to resume an established session. Both the Server and OPTIGA™ providing challenges (random value via "Hello" msg) and both entities providing verification data to prove the possession of the cryptographic parameters (master secret) previously negotiated.

Note: the hashing of the handshake messages by the Client is not shown. This could be performed by SW at the Client or via CalcHash command by the OPTIGA™*. In the latter case, the intermediate results shall be returned by* OPTIGA™ and provided for continuing the hashing with further commands.

Pre-conditions:

• The OPTIGA™ session master secret, which was calculated by the previous handshake - is available at the regarded session context and gets used as input by DeriveKey for the new session key(s).

• The Client is able to hash all handshake messages without the help of OPTIGA™.

Post-condition:

• The Client knows the session keys (write_key) to run the application protocol without the help of the OPTIGA™.

Figure 10 - Use Case: Abbreviated Handshake -toolbox- (TLS-Client)

The Host intends to update its FW in a protected way, which prevents from installation and execution of unauthorized code. This sequence diagram is provided to show the functions involved in performing.

Pre-condition:

• The FW-image shared secret is loaded to an arbitrary data object (e.g. 0xF1D0-0xF1DF), which should be locked for read = NEV and in operational mode at least.

• The Trust Anchor (signer's certificate) is loaded to a data object at OPTIGA™.

• Host receives the firmware update manifest (e.g. image version, signer, hash & sign algorithms, firmware image hash, firmware image decryption key derivation information, manifest signature, etc. ) and encrypted firmware image. The details to be signed (TBS) in the manifest are signed by signer and Host verifies the signature generated over TBS using the Trust Anchor installed at OPTIGA™.

Post-condition:

• The metadata signature is verified

• The FW-image decryption secret is returned to the Host

Figure 11 - Use Case: Host Firmware Update

The OPTIGA™ and Host establishing a protected communication channel, which provides integrity and confidentiality for data exchanged between both entities. This sequence diagram is about generation and exchange of those assets during production of the customer solution. The solution comprises at least of the Host and the OPTIGA™.

Pre-condition(s):

• The Platform Binding Secret data object is not locked. The LcsO (Life Cycle Status of the Object) must be less than operational.

Post-conditions(s):

• The pre-shared secret is available and locked (read/write = NEV or read = NEV).

Figure 12 - Use Case: Pair OPTIGA™ with Host (Pre-Shared Secret based)

The Host system intends to verify the integrity of the host software image. The verification shall be done based on a public key signature scheme. The components involved are the immutable_boot_block, the primary_boot_loader, some further platform specific components integrated in the boot process and the OPTIGA™.

Pre-conditions:

• The OPTIGA™ application is already launched.

• The Trust Anchor for verifying the image hash is properly installed at the OPTIGA™.

Post-condition:

• The Host software image is proven being integrity correct.

Figure 13 - Use Case: Verified Boot -toolbox-

This sequence diagram is about generation and exchange of Platform Binding Secret using Shielded Connection during runtime. The solution comprises the Host and the OPTIGA™.

Pre-condition(s):

• The Pairing of OPTIGA™ and Host (Pre-Shared secret based) is performed.

• The change access condition of Platform Binding Secret is enabled for the runtime protected update using Shielded Connection (e.g. CONF (E140)).

Post-conditions(s):

• The pre-shared secret is updated with the new secret.

Figure 14 - Use Case: Update Platform Binding Secret during runtime (Pre-Shared Secret based)

A Host needs to protect data against access by any third party. This sequence diagram is about high volume data encryption at the Host. For that purpose, Host and OPTIGA™ establish a unique key for local data encryption/ decryption. Host generates a random secret once and uses it for lifetime to derive the actual secret used for encrypt/decrypt of local data by the Host.

Pre-condition:

• Either there is at least one arbitrary data object (Data Structure Arbitrary data object) of type 3 (in this example OID = 0xF1D1) available at the OPTIGA™ to save the unique secret for local encryption.

• Or the unique secret for local encryption is already saved and locked.

• The OPTIGA™ Shielded connection is activated (presentation layer of the I2C protocol [IFX_I2C] is present) and is recommended to be used for all commands and responses carrying secret data.

Post-condition:

• The local secret for encryption is known by the Host

Figure 15 - Use Case: Local "data-at-rest" protection

A Host needs to protect data against access by any third party. This sequence diagram is about protecting low volume of data at the Host. For that purpose OPTIGA™ stores the data at its embedded data store. The data store needs to be configured in a way the protection (OPTIGA™ Shielded Connection) of data being transferred between data object and host is enforced by the respective access conditions defined as part of the metadata associated with the target data objects.

Pre-condition:

• Each data object to protect data at rest are configured in a way writing (AC CHA = Conf(0xE140)) or reading (AC RD = Conf(0xE140)) it must apply protection by OPTIGA™ Shielded Connection.

Post-condition:

• The plain payload read or written was traveling on the I2C bus confidentiality protected.

Figure 16 - Use Case: Local "data-at-rest" and "data-in-transit" protection

A host needs to protect data against access by any third party. This sequence diagram is about protecting higher volume of data at the Host persistent storage. For that purpose OPTIGA™ encrypts (writing) or decrypts (reading) the data to be store at the host. The host has to persistently store the encrypted data objects at its NVM.

Note: OPTIGA™ Trust M V1 doesn’t support symmetric algorithms.

Pre-condition:

• The symmetric key for local data protection is randomly generated and available at the OPTIGA™.

• The OPTIGA™ Shielded Connection is enabled.

Post-condition:

• The plain payload read or written was traveling on the I2C bus confidentiality protected.

Figure 17 - Use Case: Host "data-at-rest" and "data-in-transit" protection

This use case diagram shows the way of generating the MAC for the given input data using the secret installed at OPTIGA™.

Note: OPTIGA™ Trust M V1 doesn’t support HMAC based operations.

Pre-condition:

• The input secret required for the hmac operation is available at OPTIGA™.

Post-condition:

• The generated MAC is available for Local Host Application for further usage.

Figure 18 - Use Case: Generate MAC (HMAC with SHA2)

This use case diagram shows the way of verifying the MAC for the given input data using the secret installed at OPTIGA™.

3. OPTIGA™ Trust M V1 doesn’t support HMAC based operations.

Pre-condition:

• The input secret required for the HMAC operation is available at OPTIGA™ and its OID is known by the application.

Post-condition:

• The satisfied access condition is available at Local Host Application for further usage.

Figure 19 - Use Case: Verify Authorization (HMAC with SHA2)

This use case diagram shows the way of generating the Hash for the given input data using OPTIGA™.

Pre-condition:

• The OPTIGA™ is initialized.

Post-condition:

• The generated Hash is available for Local Host Application for further usage.

Figure 20 - Use Case: Generate Hash

This chapter provides the specification of the host side APIs of the enabler components, which gets provided by the OPTIGA™ solution. The target platforms for those enabler components are embedded systems, Linux and Windows.

The class diagram OPTIGA™Trust Enabler Software Overview shows host side library architecture and it’s main functional blocks.

The color coding provides information of whether the function blocks are platform agnostic, platform specific, platform ported or third party.

• Platform agnostic components (yellow) could be reused on any target platform with just compiling the source code for a specific platform. The code is endian aware.

• Platform specific components (dark blue) are available for a specific platform. The component could be provided as source or in binary format.

• Platform ported components (green) are used to connect platform specific and platform agnostic components. Those components exposing a platform agnostic API and calling platform specific APIs.

• Third Party components (light blue) need to be ported to platform agnostic APIs.

Figure 21 – OPTIGA™ Trust Enabler Software Overview

The Service Layer Decomposition diagram shows the components providing the services at the main application interface.

Figure 22 - Service Layer Decomposition

The optiga_crypt module provides cryptographic tool box functionality with the following characteristics:

• Multiple instances could be created using optiga_crypt_create to allow concurrent access to the toolbox.

• Uses optiga_cmd module to interact with the OPTIGA™*.*

• The optiga_cmd module might get locked for some consecutive invocations, which need to be executed atomic (strict).

6. optiga_crypt - Basic (e.g. initialization, shielded connection settings) APIs

7. optiga_crypt – Random generation APIs

8. optiga_crypt - Hash APIs

9. optiga_crypt - ECC based APIs

10. optiga_crypt - RSA based APIs

11. optiga_crypt - Symmetric based APIs

12. optiga_crypt – HMAC generation APIs

13. optiga_crypt – HMAC based authorization APIs

14. optiga_crypt – Key derivation APIs

The optiga_util module provides useful utilities to manage the OPTIGA™ (open/close) and data/key objects with the following characteristics:

• Multiple instances could be created to allow concurrent access to other services.

• Uses optiga_cmd module to interact with the OPTIGA™*.*

15. optiga_util - Basic (e.g. initialization, shielded connection settings) APIs

16. optiga_util - Open and close APIs

17. optiga_util - Read and write APIs

18. optiga_util - Protected update APIs

The Abstraction Layer Decomposition diagram shows the components providing an agnostic interface to the underlying HW and SW platform functionality used by the higher-level components of the architecture.

Figure 23 - Abstraction Layer Decomposition

The pal is a Platform Abstraction Layer, abstracting HW and Operating System functionalities for the Infineon XMC family of µController or upon porting to any other µController. It abstracts away the low level device driver interface (platform_timer, platform_i2c, platform_socket, ...) to allow the modules calling it being platform agnostic. The pal is composed of hardware, software and an operating system abstraction part.

19. pal APIs

The pal_crypt module provides the platform specific migration of platform-specific cryptographic functionality (either SW libraries or HW) and is exposing cryptographic primitives invoked by platform agnostic modules.

20. pal_crypt APIs

This Module provides APIs to set GPIO high/low to perform below operations.

• Power on/off

• HW Reset on/off

21. pal_gpio APIs

The pal_i2c module is a platform ported module and provides the platform specific migration of HW based I2C functionality. The pal_i2c is invoked as a platform agnostic security device communication API by platform agnostic modules. It is assumed that multiple callers are invoking its API concurrently. Therefore, the implementation of each API function is atomic and stateless (except the initialization).

22. pal_i2c APIs

The pal_os module provides the platform specific migration of operating system (e.g. RTOS) based functionality, which is invoked by platform agnostic modules.

23. pal_os APIs

This section defines the data types used by the service layer operations specified in Enabler APIs.

Types of ECC Curves supported by OPTIGA™

24. optiga_ecc_curve_t

Note*:* OPTIGA™ Trust M V1 doesn’t support Brainpool and ECC NIST P 521 curves.

Hash context length/size while using OPTIGA™ for digest generation.

25. optiga_hash_context_length_t

Types of digest/hash generation supported by OPTIGA™

1. optiga_hash_type_t

Types of key derivation based on HKDF supported by OPTIGA™.

2. optiga_hkdf_type_t

Note: OPTIGA™ Trust M V1 doesn’t support HKDF.

Types of hmac generation supported by OPTIGA™.

3. optiga_hmac_type_t

Note: OPTIGA™ Trust M V1 doesn’t support HMAC.

Key slot IDs in OPTIGA™

4. optiga_key_id_t

Types of Key usage.

The multiple key usage types can be selected based on the requirement and key type.

For example, if the private key from OPTIGA™ to be used for key agreement (Diffie-Hellmann) and signature generation purpose, then the key usage can be chosen as (OPTIGA_KEY_USAGE_SIGN | OPTIGA_KEY_USAGE_KEY_AGREEMENT).

5. optiga_key_usage_t

Types of random number generation supported by OPTIGA™

6. optiga_rng_type_t

RSA Encryption schemes supported by OPTIGA™ for encryption and decryption.

7. optiga_rsa_encryption_scheme_t

Types of RSA keys supported by OPTIGA™

8. optiga_rsa_key_type_t

RSA Signature schemes supported by OPTIGA™ for sign and verify

9. optiga_rsa_signature_scheme_t

Note: OPTIGA™ Trust M V1 doesn’t support RSA SSA PKCS#1 v1.5 SHA512.

Symmetric Encryption schemes supported by OPTIGA™ for encryption and decryption.

10. optiga_symmetric_encryption_mode_t

Note: OPTIGA™ Trust M V1 doesn’t support above specified symmetric encryption and MAC algorithms.

Types of symmetric keys supported by OPTIGA™

11. optiga_symmetric_key_type_t

Note: OPTIGA™ Trust M V1 doesn’t support above specified symmetric keys.

Types of key derivation based on TLSv1.2 PRF supported by OPTIGA™.

12. optiga_tls_prf_type_t

Note: OPTIGA™ Trust M V1 doesn’t support PRF with SHA384 and SHA512.

This chapter provides the detailed definition of the OPTIGA™ device commands and responses available at its [I²C] interface.

The Warm Reset (reset w/o power off/on cycle) of the OPTIGA™ might be triggered either by HW signal or by SW. In case of a HW triggered Warm Reset the RST pin must be set to low (for more details refer to [Data Sheet M]). In case of a SW triggered Warm Reset the I2C master must write to the SOFT_RESET register (for more details refer to [IFX_I2C]).

When operating, the power consumption of OPTIGA™ is limited to meet the requirements regarding the power limitation set by the Host. The power limitation is implemented by utilizing the current limitation feature of the underlying HW device in steps of 1 mA from 6mA to 15 mA with a precision of ±5% (refer to table Common data objects with TAG’s and AC‘s OID '0xE0C4').

The OPTIGA™ automatically enters a low-power mode after a configurable delay. Once it has entered Sleep mode, the OPTIGA™ resumes normal operation as soon as its address is detected on the I2C bus.

In case no command is sent to the OPTIGA™ it behaves as shown in Figure "Go-to-Sleep diagram".

(1) As soon as the OPTIGA™ is idle it starts to count down the “delay to sleep” time (tSDY).

(2) In case this time elapses the device enters the “go to sleep” procedure.

(3) The “go to sleep” procedure waits until all idle tasks are finished (e.g. counting down the SEC). In case all idle tasks are finished and no command is pending, the OPTIGA™ enters sleep mode.

Figure 24 - Go-to-Sleep diagram

The OPTIGA™ is an I2C slave device. The protocol stack from the physical up to the application layer is specified in [IFX_I2C]. The protocol is defined for point-to-point connection and a multi-layer approach with low failure rate. It is optimized for minimum RAM usage and minimum overhead to achieve maximum bandwidth, but also offers error handling, flow control, chaining and optional communication protection.

The used ISO/OSI layers are Physical, Data Link, Network, Transport, Presentation and Application layer as the figure below depicts.

Figure 25 - Overview protocol stack used

The Physical Layer is entirely defined in [I²C]. Only a subset of those definitions is used for this protocol:

• Support of 7-Bit Addressing only (only 1 Address value)

• Single-Master / Multi-Slave configuration

• Speed (Fast Mode (Fm) up to 400 KHz; optional (Fm+) up to 1000 KHz)

• IFX standardized register interface.

The Data Link Layer provides reliable transmission of data packets.

The Network Layer provides the routing of packets to different channels.

The Transport Layer provides data packet chaining in case the upper layer consists of more data as the maximum packet size of the Data Link Layer supports.

The Presentation Layer is optional and provides the communication protection (integrity and confidentiality) according to the OPTIGA™ Shielded Connection technology specified by [IFX_I2C]. The OPTIGA™ Shielded Connection technology gets controlled by the Enabler APIs through its Service Layer components.

The Application Layer provides the functionality of the OPTIGA™ as defined in chapter Commands of this document.

The protocol variation for the OPTIGA™ is defined by Table "Protocol Stack Variation".

13. Protocol stack variation

This chapter provides the detailed description of the OPTIGA™ command coding and how those commands behave.

Table 'Command Codes' lists the command codes for the functionality provided by the OPTIGA™.

14. Command codes

Note: OPTIGA™ Trust M V1 doesn’t support EncryptSym, DecryptSym, and GenSymKey commands.

Table 'APDU Fields' lists the fields contained in a command and response APDU.

15. APDU Fields

The Generic Source and Destination definition allows providing and returning of command and response data from or to three types of objects which are defined within the InData part of the command definition. Each object is defined by an associated TLV object. For commands, the source of data fed in the command execution could be actual input data, the data or key store, or a session context.

The input data are represented by a tag, the actual length of the data and the data itself.

The data or key store is represented by a tag, the length (=2) of the regarded identifier and the OID of the data or key object.

The session context is represented by a tag, the length (=2) of the regarded identifier and the OID of the session context. The session context behaves as a temporary volatile storage space where various intermediate data might be buffered or retrieved from. Those data could be:

• an ephemeral key

• a shared session secret

• etc.

The Session context could be addressed as part of the command definition being input to a command definition or target for the response or parts of the response.

Table 'Response Status Codes' lists the status codes provided by a response APDU.

16. Response Status Codes

The possible error codes are listed in Table Error Codes. If multiple commands happen to produce subsequent errors then only the highest-numbered error code is stored.

17. Error Codes

This command is used to open an application on the OPTIGA™. Since after cold or warm Reset all applications residing on the OPTIGA™ are closed, an application has to be opened before using it. This command initializes the application context. This command might be issued multiple times as well to re-initialize an already opened application context. Optionally a previous saved application context could be restored. In any case, a saved context is invalidated/ flushed as soon as the application context is initialized. In case an invalid context handle is used with the restore function, the application context gets flushed and an error gets returned.

Note: The OpenApplication (restore) after restoring the context, enforces the presentation layer of the communication stack to be enabled if the CloseApplication (hibernate) was performed with presentation layer enabled.

18. OpenApplication

This command is used to close an application on the OPTIGA™. The application to be closed gets addressed by communication means like a dedicated Network channel. The application context becomes invalid and all resources allocated at OpenApplication and during the execution of the application get released to the OS for further reuse. After the CloseApplication command is successful executed no further commands specified for the closed application, except OpenApplication, is available. Optionally, this command might save the application context persistently. This allows surviving power-lost by keeping the achieved security state and session contexts of the application. This application context could be restored once by the next OpenApplication command.

The CloseApplication also writes the current SEC maintained in RAM (SEC_CURR) to Security Event Counter (SEC), if SEC_CURR is not same as in Security Event Counter (SEC).

19. CloseApplication

This command command is used to read data objects from the OPTIGA™. The field “Param” contains the type of data accessed. The field “InData” contains the OID of the data object, and optional the offset within the data object and maximum length to be returned with the response APDU.

Note: This command supports chaining through partial read applying offset & length as appropriate.

20. GetDataObject

This command command is used to write data objects to the OPTIGA™. The field “Param” contains the type of data accessed. The field “InData” contains the OID of the data object, the offset within the data object, and the data to be written.

Note: This command supports chaining through partial write applying offset & length as appropriate.

21. SetDataObject

This command command is used to write data or metadata objects protected (integrity and optionally confidentiality) to the OPTIGA™. The field “Param” contains the manifest version of the update data set. The field “InData” contains the protected update data set to be written. The contained manifest addresses the protection keys and the target object.

Notes:

• OPTIGA™ Trust M V1 doesn’t support confidentiality protection and as well doesn’t support updating keys and metadata.

• This command supports chaining (start, continue, finalize) through partial write.

• This command does not support the data objects specified below.

• Life Cycle Status (Global/Application)

• Security Status (Global/Application)

• Coprocessor UID

• Sleep mode activation delay

• Current Limitation

• Security Event Counter

• *Last Error Code and *

• Maximum Com Buffer Size

• The Trust Anchor data object used to enable the integrity protection (in the metadata access conditions of target data object) and the target data object to be updated must not be same.

• The manifest provided as part of InData must follow the strict cbor [CBOR] encoding as specified in Manifest and Signature format (Refer Appendix).

• For “WriteType = Write" (refer Manifest CDDL format), if the command execution fails during either Continue or Final and payload version is already invalidated, reattempt with “WriteType = Write” is allowed only with the same payload version until the target data object gets successfully updated.

22. SetObjectProtected

This command command is used to generate a random stream to be used by various security schemes. The generated random stream is either returned and/or gets stored in the addressed session context (OID) if specified. The field “Param” contains the type of random stream (0x00 or 0x01).

Note: OPTIGA™ Trust M V1 doesn’t support storing random in session when Param is TRNG or DRNG.

23. GetRandom

This command is used to protect data by the OPTIGA™, based on a secret key scheme or to calculate a MAC over provided data. Those data and their sequence of exchange between the OPTIGA™ and the connected host are defined in detail in Chapter “Supported use cases”. The data padding must be provided for the last block of data in case the used algorithm (refer to Symmetric Modes of Operation) doesn't define default padding.

Notes:

1. OPTIGA™ Trust M V1 doesn’t support this command.

2. In case the presentation layer protection is enabled the command must be protected. The response protection is up to the caller.

3. In case of applied chaining, the sequence from start to final must be strict (no other command in between).

24. EncryptSym

This command is used to unprotect data by the OPTIGA™ or to verify a provided verification value, based on a secret key scheme. Those data and their sequence of exchange between the OPTIGA™ and the connected host are defined in detail in Chapter “Supported use cases”.

Notes:

1. OPTIGA™ Trust M V1 doesn’t support this command.

2. In case the presentation layer protection is enabled the response must be protected. The command protection is up to the caller.

3. In case of applied chaining, the sequence from start to final must be strict (no other command in between).

4. In case of verification failure, at any execution state of the command, the Auto(X) state for the respective data object gets cleared.

25. DecryptSym

This command is used to protect an arbitrary message by the OPTIGA™, based on a public key scheme.

Note: In case the shared secret from a session is used and the cryptogram gets returned and the presentation layer protection is enabled the command must be protected. The response protection is up to the caller.

26. EncryptAsym

This command is used to unprotect an arbitrary message by the OPTIGA™, based on a public key scheme.

Note: In case the presentation layer protection is enabled the response must be protected in case the unprotected data get exported. The command protection is up to the caller.

27. DecryptAsym

This command is used calculating a digest of a message by the OPTIGA™. The message to be hashed gets either provided by the External World or could be one data object, or a part of a data object, or parts of multiple data objects, hosted by the OPTIGA™ whose read access rights are met.

In case the Intermediate hash data (context of the hash sequence which allows continuing it) is returned, the hash calculation can be continued regardless whether another hash function is executed in-between. However, the in-between hash function must be finalized or it gets terminated upon continuing the exported (context) sequence.

Note: Once the hash calculation is started (y=0) and not finalized (y=1/3/4) each command starting a new hash (e.g. CalcHash with start hashing) will terminate the currently running hash calculation and drop the result.

28. CalcHash

This command is used to calculate a signature over the message digest provided with the InData. This command is notifying the security event Private Key Use.

29. CalcSign

This command is used to verify a signature over a given digest provided with the InData.

30. VerifySign

This command is used to generate a key pair. The Public Key gets returned to the caller. The Private Key gets stored at the provided OID of a Key or it gets returned to the caller in case no OID is provided.

31. GenKeyPair

This command is used to generate a symmetric key. The key gets stored at the provided OID of a Key or it gets returned to the caller in case no OID is provided.

Note: OPTIGA™ Trust M V1 doesn’t support this command.

32. GenSymKey

This command command calculates a shared secret, applying the algorithm defined by Param. The session context addressed in InData (tag 0x08) gets flushed and the agreed shared secret is stored there for further use or returned as requested by InData (tag 0x07).

33. CalcSSec

This command command derives a key from a shared secret. The derived key is returned or saved as part of the addressed session context. The key which is stored as part of the session context can be further used as shared secret until it gets flushed.

*Note: In case the shared secret from a session is used and the presentation layer protection is enabled the command must be protected. The response protection is up to the caller. *

34. DeriveKey

**
**

Table 'Algorithm Identifier' lists the algorithm identifier supported by the OPTIGA™.

Note: OPTIGA™ Trust M V1 doesn’t support ECC Brainpool, ECC NIST P 521 curves and symmetric (AES).

35. Algorithm Identifier

Table 'Key Usage Identifier' lists the key usage identifier supported by the OPTIGA™.

36. Key Usage Identifier

Table 'Asymmetric Cipher Suite Identifier' lists the supported asymmetric cipher suites used in public key schemes and their coding.

37. Asymmetric Cipher Suite Identifier

Table 'Key Agreement Schemes' lists the key agreement schemes supported by the OPTIGA™.

38. Key Agreement Schemes

Table 'Key Derivation Method' lists the key derivation method supported by the OPTIGA™.

Note: OPTIGA™ Trust M V1 doesn’t support HKDF (SHA256/384/512) and PRF (SHA384/512).

39. Key Derivation Method

Table 'Signature Schemes' lists the signature schemes supported by the OPTIGA™.

40. Signature Schemes

Table 'Symmetric Modes of Operation' lists the supported symmetric cipher modes of operation used in secret key schemes and their coding.

Note: OPTIGA™ Trust M V1 doesn’t support symmetric operations specified in the below table.

41. Symmetric Modes of Operation

The performance metrics for various schemes are provided by Table 'Command Performance Metrics'.

If not particular mentioned the performance is measured @ OPTIGA™ I/O interface including data transmission with:

• I2C FM mode (400KHz)

• Without power limitation

• @ 25°C

• VCC = 3.3V

The performance of the commands, which use the secrets (e.g. private keys, shared secrets, etc.) at OPTIGA™ would get influenced by Security Monitor behavior.

The values specified in the below table are without shielded connection.

42. Command Performance Metrics

A Security policy is a crucial concept for turning a generic cryptographic device into an optimally tailored device for the respective customer needs. The essential components are the Policy-Enforcement-Point and Policy-Attributes.

In order to define a project specific security set-up the OPTIGA™ provides a set of Policy Attributes and a Policy Enforcement Point. The Policy Enforcement Point hosted by the key and data store, combines the Policy Attributes with the access conditions associated with each key or data object and finally judges whether the intended access is permitted or not.

Figure 26 - Security Policy Architecture

*Note: OPTIGA™ Trust M V1 doesn’t support security policies like boot phase, authorization, confidentiality (for protected update). *

The Policy Attributes are grouped in Identity, Security State and Life Cycle State based attributes.

• Identity (e.g. Identity of the Host: platform binding, namely OPTIGA Shielded Connection technology, is used for command/response)

• Security State (e.g. Usage counter of a data or key object is not elapsed)

• Life Cycle State (Lcs); e.g. Lcs for an object is in initialization state

The key and data store implementation acts as Policy Enforcement Point. The enforcement is expressed by granting or denying a type of access (read, change, execute) to a dedicated key or data object, which is addressed by its unique object identifier (OID). The diagram below depicts the flow, which leads to granting or denying the respective access.

Figure 27 - Policy Enforcement Flow

The access conditions and the policy attribute details are provided in Access Conditions (ACs) section.

The Security Guidance section provides the recommendations with respect to security policy enforcements.

The Security Monitor is a central component, which enforces the security policy of the OPTIGA™. It consumes security events sent by security aware parts of the OPTIGA™ embedded SW and takes actions accordingly.

Table 'Security Events' provides the definition of not permitted security events considered by the OPTIGA™ implementation.

43. Security Events

This paragraph provides all details of the policy chosen for the OPTIGA™ project.

In order to mitigate exhaustive testing of the OPTIGA™ private keys, secret keys and shared secrets, and to limit the possible number of failure attacks targeting disclosure of those assets, the Security Monitor judges the notified security events regarding the number of occurrence over time and in case those violate the permitted usage profile of the system it takes actions to throttle down the performance and thus the possible frequency of attacks.

The permitted usage profile is defined as:

1. One protected operation (refer to Security Events) events per t_max period.

2. A Suspect System Behavior event is never permitted and will cause setting the SEC to its maximum.

3. t_max is configurable, and default value is 5 seconds (± 5%).

The Security Monitor must enforce, in exhaustive testing scenarios, that the maximum permitted usage profile is not violated.

With other words, it must not allow more than one out of the protected operations per t_max period (worst case, ref to bullet 1. above). This condition must be stable, at least after 500 uninterrupted executions of protected operations.

The SEC Credit (SEC_CREDIT) methodology is introduced in order to reduce stress for the NVM cells hosting the SEC. For that purpose, the device collects SEC_CREDIT over time (residing in RAM).

• After power-up or restart the SEC_CREDIT is cleared.

• In case the t_max elapses without a Security Event and the SEC is > 0, the SEC gets decreased by one.

• In case t_max elapses without a Security Event and the SEC is =0, the SEC_CREDIT gets increased by one to a maximum limit configured.

• In case a Security Event occurs and the SEC_CREDIT is > 0, the SEC_CREDIT gets decreased by one.

• In case the SEC_CREDIT is = 0 and a Security Event occurs, the SEC increased.

Note: OPTIGA™ Trust M V1 doesn’t support these security monitor configurations.

The possible security monitor configurations (available in Security Monitor Configurations data object) are,

• t_max

The default value of t_max is 5 seconds. Due to use case demands, the t_max can be set to a different value.

If t_max is set to 0, the security monitor gets disabled. In general, higher t_max value lowers the possible frequency of attacks.

The maximum value of t_max that will be applied internally is 5 seconds even if t_max is configured to a higher value than 5 seconds.

In case, the current SEC is > 0 and t_max is configured to 0, the SEC gets set to 0.

• Maximum SEC_CREDIT (SEC_{CREDIT_MAX})

The maximum SEC_CREDIT that can be achieved is configurable. The default value is 5.

If this value is set to 0, the SEC_CREDIT will be set to 0 and will not be incremented.

For example, if t_max = 4000 milliseconds, if there are 720 sign operations distributed across in an hour (3600 seconds) (on average, for every 5 seconds, there is one sign operation), Then there is a possibility of SEC_CREDIT gets incremented about 180 times.

• Delayed SEC decrement synchronization count

The SEC is as well maintained in RAM (SEC_CURR) in addition to the NVM (Security Event Counter (SEC))(SEC_NVM) and the synchronization (writing to SEC data object in NVM) of decrement events (e.g. t_max elapsed or Decryption Failure) can be delayed by configuring this value (> 1). If there are multiple security events with in t_max due to use case demand, the number of NVM write operations can be avoided by configuring this count appropriately.

The default and minimum value is 1. In case, this value is configured to 0, minimum 1 will be applied.

This option reduces SEC NVM write operations reasonably across the life time, if there are too frequent security events.

For example, if this configuration is set to 4, and there are 4 security events (e.g. sign operations) immediate after reset which led to SEC increment, then the total number of SEC NVM write operations are 5 instead of 8 (in case of default ( = 1) configuration).

The offset details of above specified configurations in Security Monitor Configurations data object are specified in Security Monitor Configurations table.

Figure 28 - Security Monitor flow diagram

The security monitor configurations are adopted during the power-up sequence and if there is change in the configuration (e.g. updated using SetDataObject, or SetObjectProtected). In case of SetObjectProtected - metadata update, these values get reset to default values if reset type (random/zeroes) is defined.

The MSB (invalid flag) of version tag and EXE access conditions are ignored for Security Monitor Configurations data object while using internally.

This paragraph provides the throttle down characteristics for the protected operations implemented by the Security Monitor. The Security Monitor uses the SEC to count Security Events in order to figure out not permitted usage profiles. Figure "Throttling down profile" depicts the characteristic (dotted line) of the dependence between the value of the SEC and the implemented delay for protected operations. The value of SEC gets decreased by one every t_max period. With other words, the delay starts as soon as SEC reaches the value of 128 and will be t_max in case the SEC reaches its maximum value of 255.

Figure 29 - Power profile

Figure "Power Profile" depicts the power profile of a regular startup sequence, caused either by PowerUP, Warm Reset, or Security Reset. The OPTIGA™ starts up with its maximum power consumption limit set by the Current limitation data object (refer to Table Common data structures). As soon as the OPTIGA™ enters idle state (nothing to compute or communicate) the OPTIGA™ reduces its power consumption to the low power limit (ref for details to “System Halt Power Consumption” in [Data Sheet M]). In case a time period of t_max is elapsed the SEC gets decremented by one. As soon as the SEC reaches the value of 0, the SEC_CREDIT counter reaches its maximum value, and the OPTIGA™ is in idle state, the OPTIGA™ enters the sleep mode to achieve maximum power saving. It is recommended not to switch off the power before the SEC becomes 0. In order to avoid power consumption at all, VCC could be switched off while keeping the I2C bus connected. However, before doing that the SEC value should have reached 0, to avoid accumulated SEC values which might lead to throttling down the OPTIGA™ performance (ref to Figure "Throttling down profile") for functionalities which potentially triggering Security Events. However, the method of switching VCC off and on is limited to 200.000 times over lifetime.

Figure 30 - Throttling down profile

The data and key store has some important parameters to be considered while utilizing it. Those parameters are the data-retention-after-testing, the data-retention-after-cycling, hardening, the maximum endurance and the supported number of tearing-safe-programming-cycles.

• data-retention-after-testing defines how long NVM programmed during production (at wafer tester) is preserved, in case the NVM experiences no additional programming attempts, this time is the same as the device lifetime defined in the data sheet.

• data-retention-after-cycling defines how long NVM data, programmed throughout lifetime, are preserved. The number of experienced programming cycles is important for how long the data are preserved. For maximum 100 times the same as data-retention-after-testing applies. After e.g. 20 000 times the NVM data retention declines linearly down to 2 years and even more down to ½ year after about 40 000 NVM programming cycles. ½ year data-retention-after-cycling is the worst case. With other words, if NVM data get often cycled the time between programming attempts should not exceed half a year. If erases (sub-function of a programming cycle) are frequently done, than regular hardening is performed, in this case the data-retention-after-cycling worst case improves from ½ year to 3 years. In case of high cycling, beyond 20 000 times, the cycles shall be homogeneous distributed across lifetime.

• hardening is a process which is embedded in any erase cycle (each NVM programming cycle causes one or multiple erase cycles) and refreshes a randomly chosen NVM page. After a certain number of erase cycles, which is dependent on the physical NVM size (For OPTIGA™ Trust M about 5 000), all NVM is “refreshed”. Hardening is performed without erasing or physically moving the hardened data, i.e. hardening is neither susceptible to tearing nor does it count as a programming cycle.

• maximum endurance defines how often a NVM data could be programmed until it wears out.

• number of tearing-safe-programming-cycles defines how many tearing-safe-programming-cycles could be performed for the data and key store. It is worth to mention, that each data or key store programming attempt is performed in a tearing safe manner. The maximum number of tearing-safe-programming-cycles is 2 million.

The following list provides the cases when a tearing-safe-programming-cycle takes place:

• Update of a data object causes one tearing-safe-programming-cycle

• Protected update of data object causes a minimum of 3 tearing-safe-cycles and it will go up to 5 depending up on size of data object

• Protected update of key object causes tearing-safe-cycles (for ECC – 4 cycles, for RSA - 6 cycles, for AES - 4 cycles)

• Update of a key object causes one to six tearing-safe-programming-cycles (average for ECC is one and for RSA is five)

• Usage (EXE or CHA or RD) of a data or key object which is linked to a usage counter causes one (additional) tearing-safe-programming-cycle

• The Security Event Counter (SEC) gets increased and subsequently decreased (refer to list of Security Events) and causes two tearing-safe-programming-cycle

• One hibernate cycle causes five tearing-safe-programming-cycles

The figure "Overview Data and Key Store" below provides an overview of all data and key objects hosted by the OPTIGA™ and the recommended maximum cycling (color coding) per object. In case those recommendations are meet and for higher cycled data objects the homogeneous distributed of applied programming cycles across lifetime are respected, the data integrity over lifetime could be considered being safe.

Figure 31 – OPTIGA™ Trust M (V1) : Overview Data and Key Store

Figure 32 – OPTIGA™ Trust M (V3) : Overview Data and Key Store

4. In the above figure, the endurance of arbitrary data objects (type 3) is shared between other data objects in the same group. In case of SetObjectProtected (for protected update), the data object memory gets updated 3 times for one complete update cycle. Hence the endurnace specified in the above figure is to be considered accordingly across lifetime.

Examples:

• Each monotonic counter can be updated up to a maximum of 600 000 times.

• The maximum number of updates across all objects (key/data) is allowed up to 2 million times either due to external interface requests or due to internal operations (the list is given above). This means the maximum updates per object and the overall update limit across all objects must be respected to prevent reliability issues.

At each level of the data structure, Access Conditions (AC’s) are defined. The ACs are defined for commands acting upon data. The ACs must be fulfilled before the data can be accessed through the regarded commands.

The following access types are used in this document:

RD reading a data or key object by an external command (e.g. GetDataObject)

CHA changing (writing or flushing) a data or key object by an external command (e.g. SetDataObject)

EXE utilizing a data or key object implicitly by executing a command (e.g. CalcSign, GenKeyPair, ...)

MUPD Updating metadata by an external command (e.g. SetObjectProtected).

Note: OPTIGA™ Trust M V1 doesn’t support MUPD access type.

The following ACs are used in this document:

ALW the action is always possible. It can be performed without any restrictions.

NEV the action is never possible. It can only be performed internally.

LcsG(X) the action is only possible in case the global Lifecycle Status meets the condition given by X.

LcsA(X) the action is only possible in case the application-specific Lifecycle Status meets the condition given by X.

LcsO(X) the action is only possible in case the data object-specific Lifecycle Status meets the condition given by X.

Conf(X) the action is only possible in case the data involved (to be read/write) are confidentiality protected with key given by X.

Int(X) the action is only possible in case the data involved (to be read/write) are integrity protected with key given by X.

Auto(X) the action is only possible in case the authorization of the external world was successful performed, providing the Authorization Value which matches the Data Object Types. Authorization Reference given by X.
Note: Up to 4 independent Auto(X) states at a time are supported.

SecStaG(X) the action is only possible in case the global security status ANDed with X is equal X.

SecStaA(X) the action is only possible in case the application specific security status ANDed with X is equal X.

The following access driven behavior definition is used in this document:

Luc(x) in case of EXE accessing the object, the linked counter defined by X gets advanced by 1 and the action is allowed in case the count value did not reach its threshold value.

Table 'Access Condition Identifier and Operators' defines the Access Condition Identifier and Operands to be used, to define ACs associated with data objects. Access Condition Identifier must be used with the commands trying to achieve associated ACs.

There are simple and complex Access Condition expressions defined (Examples how to code are given in chapter Metadata expression).

• A Simple AC (sAC) expression consists just of an access type tag (e.g. read, change, increment, decrement, delete), the length of the condition, and a single condition (e.g. ALW, NEV, LcsO < 0x04 …) which must be satisfied to grand access for that access type.

• A Complex AC (cAC) expression consists of multiple simple expressions combined by && and/or || operators. Where …
  ... && operators combine sACs to an access token (AT)
  AT = sAC₁ … && sAC_n (n = 1…7)
  ... || operators combine multiple ATs to a cAC
  cAC = AT₁ … || AT_m (m = 1…3; ((n₁+ … +n_m) * m) > 1)

Notes:

• An AT evaluates TRUE in case all contained simple AC evaluate TRUE (logical AND).

• In case one of the AT evaluates TRUE, the regarded access becomes granted (logical OR).

• ALW and NEV are not allowed in cACs

Remark: With the rules given above it doesn’t matter whether starting the evaluation of a complex expression from the beginning or the end. However, the implementation evaluates from left to right and acts accordingly.

The access conditions which could be associated to OPTIGA™ data and key objects are defined by Table 'Access Condition Identifier and Operators'.

Note: OPTIGA™ Trust M V1 doesn’t support SecStaG(X), SecStaG(X), and Auto (X) Identifiers.

44. Access Condition Identifier and Operators

Table 'Data Object Types' lists the various types of data objects supported by OPTIGA™.

45. Data Object Types

Note: OPTIGA™ Trust M V1 doesn’t support UPDATSEC and AUTOREF types.

The device, the application, and key and data objects have a life cycle state associated; the life cycle status (LCS) allows to identify the different states of the associated logical units throughout the OPTIGA™ lifetime. To support flexible management of the life cycle, four primary states (Bit 2³ - 2⁰) are defined in the following order:

1. Creation state (cr)

2. Initialization state (in)

3. Operational state (op)

4. Termination state (te)

The LCS is implemented in a way that the four primary states only progress in one direction from a lower value to a higher value (e.g. initialization (in) => operational (op) state, but not vice versa). The application-specific part of the LCS, if used at all, are managed by the particular application.

The life cycle status shall be interpreted according to Table 'Life Cycle Status'.

Table 'Common data objects with TAG’s and AC‘s' lists all common data structures defined for the OPTIGA™ with its TAG’s and AC’s.

46. Common data objects with TAG’s and AC‘s

Table 'Common key objects with TAG’s and AC‘s' lists all common Keys defined for the OPTIGA™ with its TAG’s and AC’s.

47. Common key objects with TAG’s and AC‘s

Table 'Authentication application-specific data objects with TAG’s and AC‘s' lists all data structures defined for the OPTIGA™ Authentication Application with its TAGs and ACs.

48. Authentication application-specific data objects with TAG’s and AC‘s

Metadata associated with data / key objects are expressed as constructed TLV data objects. The metadata itself are expresses as simple TLV-Objects contained within the metadata constructed TLV-Object. The following table provides a collection of the possible metadata types as data attributes (e.g. LCS, max length …) and access conditions (read, change …) to those data objects. The access conditions expressed in Table Access Condition Identifier and Operators describing under which condition metadata itself could be accessed (GetDataObject or SetDataObject; Param == 0x01).

Implicit rules:

• In case the entry for an access condition (tag = 0xD?) is absent, the regarded access condition is defined NEV.

• In case the LcsO is absent, the access conditions of the regarded data object is considered as operational (op) and couldn’t be changed.

• In case the Used size (Tag 0xC5) is absent, the used size is same as max. size.

• The changed metadata get effective as soon as the change gets consolidated at the data object.

Table 'Metadata associated with data and key objects' lists all common data structures defined for the OPTIGA™ with its TAG’s and AC’s.

49. Metadata associated with data and key objects

Table 'Metadata Update Identifier' lists the metadata update identifier supported by the OPTIGA™. The identifier could be combined by ORing them (e.g. 0x11 => LcsO = cr & flush object with zero). However, the bits in the upper nibble are not allowed being combined. In case of protected metadata update the new LcsO gets provided, this overrules the setting given by the Metadata Update Identifier.

50. Metadata Update Identifier

5. The maximum size of metadata is 44 bytes.

Examples of commonly used access conditions:

• Arbitrary Data Record @ shipping to customer*
  0x20, 0x11, // TL metadata TLV-Object
  • 0xC0, 0x01, 0x03, // TLV LcsO = in*
  • 0xC4, 0x01, 0x8C, // TLV max size = 140*
  • 0xC5, 0x01, 0x0A, // TLV used size = 10*
  • 0xD1, 0x01, 0x00, // TLV Read = ALW

0xD0, 0x03, 0xE1, 0xFC, 0x07 // TLV Change = LcsO < op

*Note: in case of NEV the AC term for that kind of AC could be absent. *

• Project-Specific device Public Key Certificate @ shipping to customer*
  *0x20, 0x13, // TL metadata TLV-Object *
  • 0xC0, 0x01, 0x03, // TLV LcsO = in*
  • 0xC4, 0x02, 0x06, 0xC0, // TLV max size = 1728*
  • 0xC5, 0x02, 0x03, 0x40, // TLV used size = 832*
  • 0xD1, 0x01, 0x00, // TLV Read = ALW*
  • 0xD0, 0x03, 0xE1, 0xFC, 0x07; // TLV Change = LcsO < op

Note: there is no ordering rule for metadata tags

Figure 33 - Metadata sample

Figure 34 - SetDataObject (Metadata) examples

Note: The values specified in above example figures are in hex

Table 'Common data structures' lists all common data structures defined for the OPTIGA™.

51. Common data structures

Table 'Life Cycle Status' lists all coding of the Life Cycle Status defined for the OPTIGA™.

52. Life Cycle Status

Table 'Security Status' shows the security status defined for the device either global or application-specific. The default is set after reset for the global and after OpenApplication for the application-specific Security Status[106] [107].

53. Security Status

Table 'Coprocessor UID OPTIGA™ Trust Family' shows UID definition for the OPTIGA™.

54. Coprocessor UID OPTIGA™ Trust Family

Table 'Security Monitor Configurations' shows the possible configurations w.r.t. Security Monitor.

55. Security Monitor Configurations

Table 'Data Structure Unique Application Identifier' shows unique identifier for the OPTIGA™ application which gets used with the OpenApplication command.

56. Data Structure Unique Application Identifier

Table 'Data Structure Arbitrary data object' lists the supported types of arbitrary data objects.

57. Data Structure Arbitrary data object

• GetDataObject

For Example, The GetDataObject command to read 5 bytes of Coprocessor UID data object starting from offset 2 is as shown below.

Figure 35 - GetDataObject [Read data] example

Note: The values specified in Figure 35 are in HEX format.

• SetDataObject

For Example, The SetDataObject command to write 8 bytes of data to arbitrary data object 0xF1D0 starting from offset 9 is as shown below.

Figure 36 - GetDataObject [Read data] example

Note: The values specified in Error! Reference source not found. are in HEX format.

This section provides the examples for the encoding format of Asymmetric key pairs and Signature used across the Enabler APIs.

The examples for format of ECC Private Key exported as part of Generate Key Pair are given below.

• Example for ECC NIST P-256 Private Key [Values are in hex]

// DER OCTET String Tag (Private Key)

04

// Length of Tag

20

// Private Key

20 DC 58 98 CF 51 31 44 22 EA 01 D4 0B 23 B2 45

7C 42 DF 3C FB 0D 33 10 B8 49 B7 AA 0A 85 DE E7

• Example for ECC NIST P-384 Private Key [Values are in hex]

// DER OCTET String Tag (Private Key)

04

// Length of Tag

30

// Private Key

53 94 F7 97 3E A8 68 C5 2B F3 FF 8D 8C EE B4 DB

90 A6 83 65 3B 12 48 5D 5F 62 7C 3C E5 AB D8 97

8F C9 67 3D 14 A7 1D 92 57 47 93 16 62 49 3C 37

The examples for the format of ECC Public Key (referred by Generate Key Pair, Verify signature and ECDH operations) are given below.

• Example for ECC NIST P-256 Public Key [Values are in hex]

// Bit String tag

03

// Length of Bit string tag

42

// Unused bits

00

// Compression format. Supports only 04 [uncompressed]

04

// Public Key (e.g. ECC NIST P-256, 0x40 Bytes)

// Qx - 0x20 Bytes

8B 88 9C 1D D6 07 58 2E D6 F8 2C C2 D9 BE D0 FE

6D F3 24 5E 94 7D 54 CD 20 DC 58 98 CF 51 31 44

// Qy - 0x20 Bytes

22 EA 01 D4 0B 23 B2 45 7C 42 DF 3C FB 0D 33 10

B8 49 B7 AA 0A 85 DE E7 6A F1 AC 31 31 1E 8C 4B

• Example for ECC NIST P-384 Public Key [Values are in hex]

// Bit String tag

03

// Length of Bit string tag

62

// Unused bits

00

// Compression format. Supports only 04 [uncompressed]

04

// Public Key (e.g. ECC NIST P-384, 0x60 Bytes)

// Qx - 0x30 Bytes

1F 94 EB 6F 43 9A 38 06 F8 05 4D D7 91 24 84 7D

13 8D 14 D4 F5 2B AC 93 B0 42 F2 EE 3C DB 7D C9

E0 99 25 C2 A5 FE E7 0D 4C E0 8C 61 E3 B1 91 60

// Qy - 0x30 Bytes

1C 4F D1 11 F6 E3 33 03 06 94 21 DE B3 1E 87 31

26 BE 35 EE B4 36 FE 20 34 85 6A 3E D1 E8 97 F2

6C 84 6E E3 23 3C D1 62 40 98 9A 79 90 C1 9D 8C

The examples for format of ECDSA Signature (referred by Signature generation and verification operations) are given below.

• Example for signature in case of ECC NIST P-256 key [Values are in hex]

// Integer tag for R component

02

// Length

20

// R Component

2B 82 6F 5D 44 E2 D0 B6 DE 53 1A D9 6B 51 E8 F0

C5 6F DF EA D3 C2 36 89 2E 4D 84 EA CF C3 B7 5C

// Integer tag for S component

02

// Length

21

// S Component

00

A2 24 8B 62 C0 3D B3 5A 7C D6 3E 8A 12 0A 35 21

A8 9D 3D 2F 61 FF 99 03 5A 21 48 AE 32 E3 A2 48

• Example for signature in case of ECC NIST P-384 key [Values are in hex]

//Integer tag for R component

02

// Length

31

//R Component

00

C3 6E 5F 0D 3D E7 14 11 E6 E5 19 F6 3E 0F 56 CF

F4 32 33 0A 04 FE FE F2 99 3F DB 56 34 3E 49 F2

F7 DB 5F CA B7 72 8A CC 1E 33 D4 69 25 53 C0 2E

//Integer tag for S component

02

// Length

30

//S Component

0D 40 64 39 9D 58 CD 77 1A B9 42 0D 43 87 57 F5

93 6C 38 08 E9 70 81 E4 57 BC 86 2A 0C 90 52 95

DC A6 0E E9 4F 45 37 59 1C 6C 7D 21 74 53 90 9B

Notes:

• The size of R and S components is based on the key size chosen. (e.g. in case of ECC NIST P256, size is 32 bytes and for ECC NIST P384, size is 48 bytes)

• If the first byte of R or S component is greater than 0x7F (negative integer), then the respective component gets prepended with 0x00.

• The caller must consider the length of buffer for signature accordingly considering the additional encoding information.

The examples for the format of RSA Private key (Private Exponent) exported as part of optiga_crypt_rsa_generate_keypair (export private key = True) are given below.

For RSA 1024, the length of the Private exponent is 128 bytes.

For RSA 2048, the length of the Private exponent is 256 bytes.

• Example for RSA 1024 exponential - Private Key (Private Exponent) [Values are in hex]

// DER OCTET String Tag (Private Exponent)

04

// Length of Tag

81 80

// Private Exponent (0x80 Bytes)

53 33 9C FD B7 9F C8 46 6A 65 5C 73 16 AC A8 5C

55 FD 8F 6D D8 98 FD AF 11 95 17 EF 4F 52 E8 FD

8E 25 8D F9 3F EE 18 0F A0 E4 AB 29 69 3C D8 3B

15 2A 55 3D 4A C4 D1 81 2B 8B 9F A5 AF 0E 7F 55

FE 73 04 DF 41 57 09 26 F3 31 1F 15 C4 D6 5A 73

2C 48 31 16 EE 3D 3D 2D 0A F3 54 9A D9 BF 7C BF

B7 8A D8 84 F8 4D 5B EB 04 72 4D C7 36 9B 31 DE

F3 7D 0C F5 39 E9 CF CD D3 DE 65 37 29 EA D5 D1

• Example for RSA 2048 exponential - Private key (Private Exponent) [Values are in hex]

// DER OCTET String Tag (Private Exponent)

04

// Length of Tag

82 01 00

// Private Exponent (0x100 Bytes)

21 95 08 51 CD F2 53 20 31 8B 30 5A FA 0F 37 1F

07 AE 5A 44 B3 14 EB D7 29 F5 DC B1 5D A7 FA 39

47 AC DD 91 5D AE D5 74 BD 16 DF 88 BF 85 F6 10

60 B3 87 17 2F AE 6E 01 26 2B 38 64 C2 D3 C2 2F

94 E0 4A 81 59 42 2B 4E D2 79 C4 8A 4C 9D 76 7D

49 66 07 1A 5B BF 5D 04 3E 16 FF 46 EC 1B A0 71

6F 00 BB C9 7B FF 5D 56 93 E2 14 E9 9C 97 21 F1

2B 3E C6 28 2A E2 A4 85 72 1B 96 DD CF 74 03 FA

03 7D 0C 57 AB 46 3C 44 8D E5 CC 12 26 5A DD 88

6D 31 1E A8 D8 A5 90 3F A5 6C 5F 1C 9C F2 EB 11

CB 65 7A 1A 7D 3E 41 35 2D C3 E6 86 89 8C 4C E4

30 5E 8B 63 8E 1B 08 A2 A8 6C C9 EB 98 66 F3 49

9A C7 7B 61 36 B8 1C B2 76 D6 14 CF EB 7B 6E D3

F3 BC 77 5E 46 C0 00 66 EB EE E2 CF F7 16 6B 57

52 05 98 94 7F F6 21 03 20 B2 88 FB 4F 2C 3F 8F

E9 7B 27 94 14 EB F7 20 30 00 A1 9F C0 42 48 75

The examples for the format of RSA Public Key (referred by generate key pair, verify signature and asymmetric encryption operations) are given below.

• Example for RSA 1024 exponential public key (modulus and public exponent) [Values are in hex]

// Bit string tag

03

// Bit String tag Length

81 8E

// Unused Bits

00

// SEQUENCE

30

// Length

81 8A

// Integer tag (Modulus)

02

// Length of Modulus

81 81

// Modulus

00

A1 D4 6F BA 23 18 F8 DC EF 16 C2 80 94 8B 1C F2

79 66 B9 B4 72 25 ED 29 89 F8 D7 4B 45 BD 36 04

9C 0A AB 5A D0 FF 00 35 53 BA 84 3C 8E 12 78 2F

C5 87 3B B8 9A 3D C8 4B 88 3D 25 66 6C D2 2B F3

AC D5 B6 75 96 9F 8B EB FB CA C9 3F DD 92 7C 74

42 B1 78 B1 0D 1D FF 93 98 E5 23 16 AA E0 AF 74

E5 94 65 0B DC 3C 67 02 41 D4 18 68 45 93 CD A1

A7 B9 DC 4F 20 D2 FD C6 F6 63 44 07 40 03 E2 11

// Integer tag for Public Exponent

02

// Length of Public Exponent

04

// Public Exponent

00 01 00 01

Notes:

• The size of Modulus component is based on the key size chosen. (e.g. in case of RSA 1024, size is 128 bytes and for RSA 2048, size is 256 bytes)

• If the first byte of Modulus is greater than 0x7F (negative integer), then 0x00 gets prepended while coding as it is in Integer format.

The example for format of RSA Signature (referred by RSA Signature generation and verification operations) is given below.

There is no additional encoding (format) considered for RSA signature. The length of the signature is based on the key length chosen.

For RSA 1024, the length of the signature is 128 bytes.

For RSA 2048, the length of the signature is 256 bytes.

• Example for RSA signature in case of RSA 1024-Exp key [Values are in hex]

5B DE 46 E4 35 48 F4 81 45 7C 72 31 54 55 E8 9F

1D D0 5D 9D EC 40 E6 6B 89 F3 BC 52 68 B1 D8 70

35 05 FC 98 F6 36 99 24 53 F0 17 B8 9B D4 A0 5F

12 04 8A A1 A7 96 E6 33 CA 48 84 D9 00 E4 A3 8E

2F 6F 3F 6D E0 1D F8 EA E0 95 BA 63 15 ED 7B 6A

B6 6E 20 17 B5 64 DE 49 64 97 CA 5E 4D 84 63 A0

F1 00 6C EE 70 89 D5 6E C5 05 31 0D AA B7 BA A0

AA BF 98 E8 39 93 70 07 2D FF 42 F9 A4 6F 1B 00

• Maximum command InData length is 1553. Any attempt to exceed these limit will lead to "Invalid length field" error.

• Maximum response OutData length is 1553. Any attempt to exceed these limit will lead to "Insufficient buffer/ memory" error.

Following are the basic parameter checks performed while parsing the certificate,

• X.509 DER coding and length checks

• Must be v3 only

• Serial number

• The length must be 1 to 20 byes

• Public Key

• Only uncompressed Format is supported

• ECC Curves supported

• ECC NIST P 256/384/521

• ECC Brainpool P256r1/ P384r1 / P512r1

Note: OPTIGA™ Trust M V1 doesn’t support ECC Brainpool and ECC NIST P 521.

• RSA 1024/2048 Exponential

• The public key must be aligned to the key length. In case the public key size is less than the respective key size, then the respective component must be prepended with zeroes before generating the certificate.

• The signature algorithm identifier must not contain the parameters (not even as NULL) in case of ECDSA. (section 2.2.3 in [RFC3279])

AlgorithmIdentifier ::= SEQUENCE {

algorithm OBJECT IDENTIFIER,

parameters ANY DEFINED BY algorithm OPTIONAL }

• Issuer DN must not be Empty.

• Basic Constraints

• CA - Flag to indicate CA certificate (TRUE/asserted for CA)

• Path Length Constraint

• Exists only for CA certificate (if CA flag is TRUE)

• The signature algorithm identifier in tbscertificate and signature tags must be same.

[RFC5280] specifies a number of fields (specified as MUST/SHOULD etc.). All of these will not be validated for correct formation and correctness of data. The fields verified for correctness are explicitly mentioned above.

The security guidance provides useful information how to use and configure the customer solution in a reasonable manner.

Server trust anchor which is stored in a data object can be modified by an attacker. Doing that the attacker can mimic the legitimate server and misuse the services provided or consumed by the nodes.

• After installing the trust anchor, the regarded data object access conditions CHA shall be configured with never allowed (NEV) and the lifecycle state of the data object (LcsO) shall be set to operational (op) to prevent changes to the access conditions.

The shared secret size shall be at least 32 bytes to render a brute force useless.

Firmware update Shared secret, which is stored in one of data objects could be modified and read out by an attacker. By reading the global shared secret, the attacker can create faulty image containing malicious code which could be multicast installed to all nodes of the same type. By writing the global shared secret, the attacker can create faulty image containing malicious code which could be installed on the modified node.

• After setting the shared secret, the respective data object access conditions RD and CHA shall be configured with never allowed (NEV) and the lifecycle state of the data object (LcsO) shall be set to operational (op) to prevent changes to the access conditions.

Platform integrity trust anchor which is stored in a data object can be modified by an attacker. By doing that the attacker can create new metadata which will be accepted by the modified node. This might be used to undermine the rollback prevention of the solution and could lead to installing known security flaws.

After installing the trust anchor, the respective data object access conditions CHA shall be configured with never allowed (NEV) and the lifecycle state of the data object (LcsO) shall be set to operational (op) to prevent changes to the access conditions.

[RFC4108] Security considerations (chapter 6) shall be reviewed and taken as a guideline with regards to:

• Private signature key protection

• Firmware decryption key protection

• Cryptographic algorithms become weaker with time

• Randomly generated keys

• Stale firmware version number

Key usage which is stored in a key object metadata can be modified by an attacker. Doing that the attacker can misuse the key in not intended schemes, which could enable crypto analysis or brute force attacks.

• The respective key object usage shall be configured with the least usage profile (in most cases just one) as required by the target host application

• The shielded connection shall be enforced in the respective key object EXE access condition to enable the restricted usage (only with the respective host).

• After setting the key usage, the lifecycle state of the key object (LcsO) shall be set to operational (op) to prevent changes to the key usage.

The generated key pair and the associated public key certificate are stored in key object and public key certificate data object. The attacker attempts to re-generate the key pair. Doing that the attacker is dropping the identity which was associated to that key pair and could be considered as DoS attack.

Note: A similar result could be achieved in case only the certificate data object gets corrupted.

• After installing the identity, the respective key object and public key certificate access conditions CHA shall be configured with never allowed (NEV) or allow just protected update with integrity and confidentiality protection and the lifecycle state of the key and data object (LcsO) shall be set to operational (op) to prevent changes to the access conditions.

The generated static keys are stored in key objects. The attacker attempts to re-generate a key. Doing that the attacker is dropping the static key for encryption / decryption and could be considered as DoS attack.

• After generating the key, the regarded key object access conditions CHA shall be configured with never allowed (NEV) or allow just protected update with integrity and confidentiality protection and the lifecycle state of the key object (LcsO) shall be set to operational (op) to prevent changes to the access conditions.

• A shared secret (could be pre-shared secret or Authorization reference which gets fed in a key derivation or MAC generation and/or verification (e.g. hmac with sha256) operations, either from the session context or from a data object shall be at least of a size of 16 bytes.

• Restrict the maximum usage of the secret using the monotonic counters to 2048 times is recommended

• EXE access condition tied with Platform Binding shared secret (CONF E140), enforces the shielded connection for the usage of pre-shared secret in OPTIGA™ during the respective critical operations (e.g. key derivation or MAC generation) which doesn’t allow the usage with unknown Hosts.

• If the shared secret gets updated on field either by protected update (integrity and confidentiality) or shielded connection, the regarded usage counter must be updated accordingly to allow the usage of shared secret further for the required number of times

• Without the use of an Integrity and Confidentiality Protected Update, OPTIGA™ cannot support use cases based on PRESSEC that require more restrictive access rights for READ than for CHANGE

• The AUTO state achieved using the respective pre-shared secret (Authorization reference) data object need to be cleared manually as when the respective use case sequence is complete. This can be done using optiga_crypt_clear_auto_state.

• The security level of the Shielded connection is as high as typical microcontroller/Host side hardware security level.

• The recommended length of Platform binding shared secret is 32 bytes or more.

• Updating the Platform Binding shared secret during run-time using the shielded connection is recommended as shown in Figure 14 - Use Case: Update Platform Binding Secret during runtime (Pre-Shared Secret based).

- Update the Platform Binding secret and followed by re-establishing the shielded connection, can also be used by host to validate (to ensure freshness in shielded connection session) when required. But this procedure would lead to NVM write operations (e.g. writing to platform binding secret data object, security events due to the usage of shared secrets in performing the shielded connection). Hence the endurance of the data object and overall endurance as specified in Overview Data and Key Store must be considered accordingly.
- Enable the monotonic counter and reduce the max number of usages to XYZ using monotonic counter and update the secret on chip periodically.
- To enforce this, the write access conditions for the Platform binding data object must be set accordingly.

• Secure binding (using the Platform binding shared secret) and usage restriction using the Monotonic counters enables additional usage restriction for the critical asset (e.g. RSA keys, AES keys and shared secrets) if assets are not intended to use extremely.

• It is recommended to use the shielded connection for EncryptAsym (which uses a session context) command-based operations, which enforces the usage of session context.

• Host can validate OPTIGA™ using the sequence specified in section 6.6.3 Host authenticates OPTIGA™ to ensure the freshness.

• The recommendation is to use RSA 2048 against RSA 1024.

The OPTIGA™ Shielded Connection enables a protected (Integrity and Confidentiality) communication between the OPTIGA™ and a corresponding Host platform as depicted in figure below.

Figure 37 - Overview OPTIGA™ Shielded Connection

This section provides information regarding the set up and usage of Shielded Connection in the target device application.

The OPTIGA™ supports the Shielded Connection using a pre-shared secret (Platform Binding Secret) between the OPTIGA™ and a corresponding host platform. [IFX_I2C] explains internal details of establishing the shielded connection; e.g., negotiation and crypto algorithms used for the protection in the section Presentation Layer.

6. The Shielded connection doesn’t provide an option to add random challenge/nonce from host to ensure the freshness of established shielded connection. This can be achieved with few more additional steps as described in Host authenticates OPTIGA™.

Preconditions to establish the Shielded Connection is to pair the OPTIGA™ with a host. The pre-shared secret is established during first boot/initialization sequence. The Use Case: Pair OPTIGA™ with Host (Pre-Shared Secret based) depicts the pairing process.

The pal_os_datastore_read and pal_os_datastore_write are the abstracted APIs for reading and writing the platform binding secret at host platform. These APIs are to be adapted to the particular host platform needs.

During the Shielded Connection establishment, the optiga_comms_ifx_i2c module invokes pal_os_datastore_read function.

In the OPTIGA™ Host Library, the Shielded Connection feature can be enabled/disabled using the macro (OPTIGA_COMMS_SHIELDED_CONNECTION in optiga_lib_config.h) with the required default protection level (OPTIGA_COMMS_DEFAULT_PROTECTION_LEVEL in optiga_lib_config.h).

For the protected communication (Shielded Connection) between a host and the OPTIGA™, an instance of optiga_util or optiga_crypt needs to be updated with the required protection level before invoking the operations provided by optiga_util or optiga_crypt using OPTIGA_UTIL_SET_COMMS_PROTECTION_LEVEL and OPTIGA_CRYPT_SET_COMMS_PROTECTION_LEVEL respectively.

For example, to enable a full: i.e. command and response, protection for deriving the decryption keys in FW update use case using the pre-shared secret from OPTIGA™

• Invoke OPTIGA_CRYPT_SET_COMMS_PROTECTION_LEVEL (me_crypt, OPTIGA_COMMS_FULL_PROTECTION)

• Invoke optiga_crypt_tls_prf_sha256 (me_crypt, shard_secret_oid, …)

In case of re-establishing the Shielded Connection periodically, the protection_level |OPTIGA_COMMS_RE_ESTABLISH can be set to the instance using above specified. The access layer will take care of rescheduling the shielded connection internally.

For example, to enable re-establishing the shielded connection with response protection for the data object read data operation

• Invoke OPTIGA_UTIL_SET_COMMS_PROTECTION_LEVEL (me_util, OPTIGA_COMMS_RESPONSE_PROTECTION | OPTIGA_COMMS_RE_ESTABLISH)

• Invoke optiga_util_read_data (me_util, oid, …)

Based on the above settings, the access layer activates the Shielded Connection between a host and the OPTIGA™. These settings reset automatically to the default protection level; i.e. OPTIGA_COMMS_DEFAULT_PROTECTION_LEVEL once after the operation is invoked.

The Use Case: Update Platform Binding Secret during runtime (Pre-Shared Secret based) depicts a process of updating the platform binding secret periodically using the shielded connection at runtime.

After shielded connection established, if host intends to validate/authenticate OPTIGA™ (random challenge driven by Host) or to ensure the freshness in the established shielded connection, one of the below specified mechanisms can be performed by local_host_application. This must be performed once (at least), after the shielded connection is established and/or whenever required.

The local_host_application writes generated nonce to OPTIGA™ and reads the same data object to authenticate OPTIGA™ and to ensure the freshness (at host side) in shielded connection.

7. The write operation shown below leads to writing to NVM at OPTIGA™. Hence the endurance of the data object and overall endurance as specified in Overview Data and Key Store must be considered accordingly.

Pre-condition:

• The OPTIGA™ application is already launched and the shielded connection between host and OPTIGA™ is established

• The optiga_util APIs shown in below diagram must be invoked with command and response protection using shielded connection.

Post-condition:

• The local_host_application considers the OPTIGA™ as an authentic member of the target platform.

Figure 38 - Write and read nonce to/from a data object

The local_host_application establishes session with intermediate secrets at OPTIGA™ using respective operations. And host further uses this intermediate secret in session to ensure the freshness (at host side) in shielded connection.

8. With this way, there are no additional NVM writes during the respective operations.

Pre-condition:

• The OPTIGA™ application is already launched and the shielded connection between host and OPTIGA™ is established.

• The optiga_crypt APIs shown in the below diagram must be invoked with command and response protection using shielded connection.

Post-condition:

• The local_host_application considers the OPTIGA™ as an authentic member of the target platform.

Figure 39 - Derive keys using nonce during run time

The local_host_application uses additional pre-shared secret (stored at both sides in NVM) which is already exchanged by local_host_application and OPTIGA™. The local_host_application generates a secret nonce and followed by key derivation using respective operations and uses the same to authenticate OPTIGA™ and to ensure the freshness (at host side) in shielded connection.

9. The key derivation using static shared secret (from a data object) leads to a security event at OPTIGA™, which leads to NVM write operations (if SEC_CREDIT = 0) at OPTIGA™. Hence the endurance of the SEC data object and overall endurance as specified in section Overview Data and Key Store must be considered accordingly.

Pre-condition:

• The local_host_application and OPTIGA™ holds an additional static pre-shared secret and the access conditions (e.g. read disabled) of pre-shared secret at OPTIGA™ are set accordingly.

• The OPTIGA™ application is already launched and the shielded connection between host and OPTIGA™ is established.

• The optiga_crypt APIs shown in the below diagram must be invoked with command and response protection using shielded connection.

Post-condition:

• The local_host_application considers the OPTIGA™ as an authentic member of the target platform.

Figure 40 - Derive keys using nonce and a static (additional) pre-shared secret

This section provides the definition and some useful information of update data sets for data and key objects which are used to update those in a secure/protected way.

The figure below shows the high level structure of the update data set for data or key objects. It consists of a manifest and the connected binary data.

Figure 41 – Protected update – high level structure

The coding of the structure is according to [CBOR]. The [CDDL] format for the manifest and signature structures are provided in the package.

The Manifest is a top level construct that ties all other structures together and is signed by an authorized entity whose identity is represented by a trust anchor installed at the OPTIGA™. The trust anchor is addressed by its unique ID (OID), which is contained in the metadata of the manifest. Manifest consists of the metadata in plain text, the payload binding and the signature over metadata and payload binding.

The Metadata provide information enabling interpretation and manage the update data set by the OPTIGA™. It contains:

• Version number

• Unique identifier (OID) of the trust anchor to be used for verifying the metadata signature.

• Unique identifier (OID) of the object to be updated

• Cipher suite specifying all cryptographic algorithms (signature, encryption, hash, key derivation, ...) used during executing the update.

• In case of encrypted object data, OID of the shared secret to be used for derivation of the decryption key.

• In case of encrypted object data, Additional data used in key derivation

• Offset within the target object and length of the object data.

The Integrity Protection of the object data is based on the hash value of the first block of object data which is protected by the successful verification of the signature over the metadata. Each block of object data, except the last block, carries the hash value of the next block of object data.

The Confidentiality Protection is based on a shared secret installed at OPTIGA™, and additional data used to derive the object data decryption key. The session key gets applied as soon as the integrity of the current block of the object data is successfully verified.

10. OPTIGA™ Trust M V1 doesn’t support confidentiality protection and update of keys & metadata.

As part of protected update, the confidentiality is optional which can be enabled or disabled based on necessity of payload confidentiality requirement. The confidentiality is achieved using the pre-shared secret (protected update secret). The payload encryption key is derived for the respective protected update data set using the “protected update secret”.

Note: The reference details required for the key derivation and encryption algorithm details are specified in the manifest.

Key Derivation

The below figure depicts the derivation of encryption key.

Figure 42 – Protected Update - Derivation for Payload Encryption Key

The key derivation uses the “protected update secret” as input secret and derives the payload encryption key and nonce. The size of the derived encryption key and secret nonce is based on the encryption algorithm chosen.

Encryption & Decryption

The below figure depicts the components (input and output) involved as part of encryption

Figure 43 – Protected Update - Payload Encryption

The below figure depicts the components (input and output) involved as part of decryption

Figure 44 – Protected Update - Payload Decryption

• The fragment number is represented in two bytes in octet string format (e.g. 0x02 is represented as “0x00 0x02”). This is used as part of nonce which gets concatenated with the secret nonce derived using key derivation algorithm.

• AES-CCM-16-64-128 from [COSE], the nonce length to be used is 13 bytes. Hence, we derive 11 bytes secret nonce and concatenate with 2 bytes of fragment number.

• The size of the MAC is based on the encryption algorithm.

• The format of association data is as shown below.

  Associated data = (Payload Version [2] ||

  Offset of payload in fragment [3] ||

  Total payload length [3])

The above data is represented in octet string with the respective specified lengths. E.g. the total payload length of 0x0568 bytes are represented as “0x00 0x05 0x68”.

Here the offset of payload is based on the size of the payload considered in the respective fragment. For example, if the total payload to be encrypted is 1500 bytes and encryption is based on AES-CCM-16-64-128 and fragment digest algorithm is SHA256 then the offset values are 0, 600, 1200 in the fragments 1, 2 and 3 respectively as the size of payload in each fragment is about 600 bytes.

The size of the payload (in the respective fragment) to be encrypted based on the encryption (which defines the size of MAC) and digest algorithms chosen.

As part of protected update data set, the keys (e.g. ECC, RSA, AES, etc.) are provided in specific format as part of payload based on the key type as given below.

Figure 45 – Protected Update – Encoding of keys in Payload

Here Length = 0x120, this will be represented as “01 20”.

• The private key and public key are provided as part of payload with the respective tag.

  • If the target OPTIGA™ doesn’t store the public key, then the public key is optional. If provided, the target OPTIGA™ ignores the provided public key.

  • If the target OPTIGA™ stores the public key, then the public key is must.

• As part of the payload, the length of the key is based on curve type specified in the manifest. For example, in case of ECC NIST P 256, the private key size must be 32 bytes and public key size must be 64 bytes (public key).

  • If the private key or components of public key (x or y) are less than key length of the respective curve type, then the respective component must be prepended with 0x00’s to make it aligned with respective key length.

• The encoding format of keys in the payload is given below. The tags could be in any order in the payload.

The value for private key tag is 0x01.

The value for the public key tag is 0x02.

E.g. The ECC NIST P 256 keys are as given below [value shown below are in hex format].

<01> < 00 20> <29 2E FD 39 …. 4C 74 BC C8>

<02> < 00 40> <91 8A 12 34 …. 8A 98 1A 52 || 1A 1B 1C 1D …. 2A 2B 2C 2D>

E.g. The ECC NIST P 256 keys are as given below with padding if the respective component size less than key size [value shown below are in hex format].

<01> < 00 20> <00 00 FD 39 …. 4C 74 BC C8>

<02> < 00 40> <00 8A 12 34 …. 8A 98 1A 52 || 1A 1B 1C 1D …. 2A 2B 2C 2D>

• In case of RSA, the private exponent, modulus and public exponent must be provided as part of payload with the respective tag.

• The length of the private exponent and modulus must be strictly aligned to the respective key type/algorithm specified in the manifest and the public exponent is always 4 bytes.

  • If any of these components is of lesser size, then the component must be prepended with 0x00’s to align it with the respective length.

• The tag value for the components as specified below. The tags could be in any order in the payload.

The tag value for private exponent is 0x01.

The tag value for the modulus is 0x02.

The tag value for the public exponent is 0x03.

E.g. RSA 1024 keys are as given below [value shown below are in hex format].

Private exponent: <01> <00 80> <data = 1A 2F 3D 37 …. 5A 4B E5 F0>

Modulus: <02> <00 80> <data = 29 2E FD 39 …. 4C 74 BC C8>

Public exponent: <03> <00 04> <data = 00 10 00 01 >

• Only the symmetric key is provided as part of payload.

• The length of the symmetric key must be strictly aligned to the respective key type/algorithm specified in the manifest.

• The tag value for the components as specified below.

The tag value for symmetric key is 0x01.

E.g., the AES 128 key is as specified below [value shown below are in hex format].

Symmetric Key: <01> <00 10> <data = 79 28 49 62 …. 12 58 37 61>

• The payload contains the metadata to be updated in target OPTIGA™ OID metadata.

The following metadata tags must not be part of payload.

• Version [0xC1]

• Maximum size of the data object [0xC4]

• Used size of the data object [0xC5]

• Algorithm associated with key container [0xE0]

• The format of metadata in the payload is as same as in GetDataObject command.

0x20, 0x0B, // TL metadata TLV-Object
0xC0, 0x01, 0x03, // TLV LcsO = in
0xD1, 0x01, 0x00, // TLV Read = ALW
0xD0, 0x03, 0xE1, 0xFC, 0x07 // TLV Change = LcsO < op

• At OPTIGA™,

  • The reset type (F0) tag must be available in metadata of the Target OPTIGA™ OID to be updated and the metadata update descriptor are verified whether to allow the protected update or not.

  • If the new metadata (in payload) contains the LcsO tag, then the LcsO in the target OPTIGA™ OID metadata gets with this value and the LcsO value specified in the metadata update Identifier is ignored.

  • If the new metadata (in payload) does not contain the LcsO tag, then the LcsO in the target OPTIGA™ OID current metadata gets updated with the value specified in the metadata update Identifier of the current metadata.

  • The payload version specified in the manifest gets updated in the target OPTIGA™ OID metadata.

  • The tags which are specified in the new metadata (in payload), gets replaced in the target OPTIGA™ OID metadata and the remaining tags in target OPTIGA™ OID metadata still remain unchanged.

  • If the new metadata (in payload) does not contain any tags (e.g. 0x20 0x00), then the rules as per the metadata update identifier in the current metadata are applied.

  • The protected metadata update allows setting the LcsO of respective data/key object to Termination state. Once the data/key object is set to Termination state, the target OID is not allowed to be used in any read / execute operations.

The details of CDDL tool are provided as part of [CDDL] Appendix.

Additionally, the protected update data set generation tool is available as part of package.

The Glossary provides a consistent set of definitions to help avoid misunderstandings. It is particular important to Developers, who make use of the terms in the Glossary when designing and implementing, and Analysts, who use the Glossary to capture project-specific terms, and to ensure that all kind of specifications make correct and consistent use of those terms**.**

58. Terms of OPTIGA™ Vocabulary