ATECC608 Tools
Command-line tools to work with Atmel Crypto-Authentication (ATCA) library and devices.
See Customize section below to setup and compile the library.
Full article (spanish): Chips criptográficos de usar y tirar
Tools list
Primitives (simple commands)
Asimmetric encryption:
genecckey
: Create an ECC private key, store it in the given slot and return the public parameters.pubkey
: Calculate the public key from an existing private key in a slot.sign
: Sign Tempkey using ECDSA algorithm with the private key in the slot.
Simmetric encryption:
aes_decrypt
: AES128 decrypt a block using a key in a given slot.aes_encrypt
: AES128 encrypt a block using a key in a given slot.derivekey
: Create a new key from a parent, itself and tempkey.
Hash:
gendig
: Issue a gendig-data command with the specified slot.mac
: Generate a MAC of the TempKey + Slot Keysha
: Calculate SHA256 of the message.
Random:
nonce_rand
: Generate a random nonce with a challenge.random
: Retrieve a random number (orFF FF 00 00 ...
if unlocked)
Utilities:
load_tempkey
: Load TempKey with a given value.read_slot
: Read the first 32 bits from a data slot (cleartext)serial
: Get the chip’s serial number.state
: Display device internal state.write_8
: Write data in slot 08.write_enc
: Write data using a writing key.write_slot
: Write 32 bytes of data to any slot.
Use cases (multiple commands)
auth_aes_dec
: Decrypt a block of data using a secret symmetric key that requires Authorizationauth_aes_enc
: Encrypt a block of data using a secret symmetric key that requires Authorizationauthorize.sh
: Performs a Check MAC with an authorization key in order to tell the device we know that key.cbc_decrypt.sh
: Decrypt data using AES-128-CBC mode.cbc_encrypt.sh
: Encrypt data using AES-128-CBC mode.chip_info
: Dump some information about the device.eyc_original.sh
: Verify an Original EyC component and retrieve verified data from a slot.read_encrypted.sh
: Read the contents of any slot encrypted with a Read key.rotate_key.sh
: Rotate a key from a parent key and a randon nonce.setup_608
: Configure ATECC608 with the configuration below.symauth_diversified.sh
: Likeeyc_original.sh
but using device diversified key.
Tools (auxiliary)
xor
: Get two hexadecimal strings and return the xor.
Setup 608 configuration
This is a configuration proposal in order to try multiple things in this chip.
Run setup_608
to set up your device.
Summary
Slot | Key Type | Read | Write | Usage |
---|---|---|---|---|
00 | ECC Private | No | Yes | Device key. No usage restrictions. |
01 | AES | 7 | 7 | Symmetric key. |
02 | AES | 7 | 7 | Symmetric key with limited uses. |
03 | AES | Yes | Yes | Symmetric key for debug. |
04 | SHA | 7 | 7 | Secret. Require random. |
05 | SHA | 7 | 7 | Secret with limited uses. Require random. |
06 | SHA | Yes | Yes | Secret for debug. |
07 | SHA | 7 | 7 | Secret for encrypted I/O. |
08 | Data | Yes | Yes | Info: Date, Model, Trademark, uuid. |
09 | ECC Public | Yes | Yes | Public key for ECC on key 1. |
10 | SHA | 0 | 7 | Secret for Checkmac/Copy source. |
11 | SHA | 0 | 7 | Secret for Checkmac/Copy destination. |
12 | AES | No | 13 | Symmetric key. Secret. Requires authorization by key 13. |
13 | SHA | No | 13 | Secret to protect key 12. Require random. |
14 | ECC Public | Yes | Yes | External key storage. |
15 | Data | Yes | 7 | Secure info (you need to know key 7 to write it). |
All slots are lockable.
Keys 7 and 13 and initialized to a random value generated by the device and only displayed once. You can change them knowing their current value.
Chip Info
This is the output of chip_info
right after locking the config and data zones:
$ ./chip_info
Device type: 0x03
CA: yes
CA2: no
TA: no
Sizes:
Config: 128 (locked: yes)
OTP: 64
Data: 36 (locked: yes)
Config data:
01 23 11 6F 00 00 60 03 3D 78 39 66 EE 61 59 00
C0 00 00 00 87 20 C7 77 E7 77 07 07 C7 77 E7 77
07 07 87 07 07 07 07 07 C0 07 C0 0F 9D BD 8D 4D
07 07 00 47 3F FF 00 00 00 20 00 1F 00 FF 00 00
00 1F 00 1E 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 FF FF 00 00 00 00 00 00
73 00 78 00 78 00 18 00 7C 00 7C 00 1C 00 7C 00
3C 00 30 00 3C 00 3C 00 B8 0D 7C 00 30 00 3C 00
SN: 0123116f3d783966ee
Counter 0: 1000
Counter 1: 1000
OTP Contents: 1.0|2024/03/21|Electronica y Ciencia|www.electronicayciencia.com
Slot 0: <secret>
Slot 1: <secret>
Slot 2: <secret>
Slot 3: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
Slot 4: <secret>
Slot 5: <secret>
Slot 6: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
Slot 7: <secret>
Slot 8: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
Slot 9: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
Slot 10: <secret>
Slot 11: <secret>
Slot 12: <secret>
Slot 13: <secret>
Slot 14: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
Slot 15: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
EEPROM
OTP EEPROM value will be like this:
1.0|2024/03/21|Electronica y Ciencia|www.electronicayciencia.com
Counters
Counters 0 and 1 are initialized to 1000.
Detailed keys purpose
Use cases and examples for the keys with above configuration.
Slot 0
Private key to sign with the device.
This key never leaves the chip so whomever uses this key has the chip.
It doesn’t require authentication, so everybody can use it as long as they have the chip.
But it requires random nonce before use, so a replay attack is not possible.
Configuration code:
config_data->SlotConfig[slot] =
ATCA_SLOT_CONFIG_EXT_SIG_MASK // External signatures of arbitrary messages are enabled.
| ATCA_SLOT_CONFIG_INT_SIG_MASK // Internal signatures of messages generated by GenDig or GenKey are enabled.
| ATCA_SLOT_CONFIG_ECDH_MASK // ECDH operation is permitted for this key.
| ATCA_SLOT_CONFIG_IS_SECRET_MASK // The contents of this slot are secret
| ATCA_SLOT_CONFIG_GEN_KEY_MASK // GenKey may be used to write random keys into this slot.
;
config_data->KeyConfig[slot] =
ATCA_KEY_CONFIG_PRIVATE_MASK // The key slot contains an ECC private key
| ATCA_KEY_CONFIG_PUB_INFO_MASK // The public version of this key can always be generated.
| ATCA_KEY_CONFIG_KEY_TYPE(ATCA_P256_KEY_TYPE) // 4: P256 NIST ECC key / 6: AES-128 key / 7: Not an ECC key
| ATCA_KEY_CONFIG_LOCKABLE_MASK // Slot can be individually locked using the Lock command.
| ATCA_KEY_CONFIG_REQ_RANDOM_MASK // A random nonce is required.
;
Slot 1
Symmetric AES key for encription/decryption of external input data.
It is readable and writable if you know key 7.
It doesn’t require authentication, so everybody can use it as long as they have the chip.
AES is used only with external input, so a random nonce is not required.
Example:
$ ./aes_encrypt 1 00000000000000000000000000000000
ec85f660317fc53302b54d1fa7dab892
Read contents:
$ ./read_encrypted.sh 1 7 0000000000000000000000000000000000000000000000000000000000000000
Reading data from slot: 1
Read key in slot: 7
Data: c54189118ec12e5691d2b830f19426fd78f218d44f345bf05afb44ab4b92efd6
Configuration code:
config_data->SlotConfig[slot] =
ATCA_SLOT_CONFIG_READKEY(7) // Use this KeyID to encrypt data read from this slot. 0 only for CheckMac/Copy
| ATCA_SLOT_CONFIG_ENC_READ_MASK // Reads from this slot will be encrypted. IsSecret must also be set
| ATCA_SLOT_CONFIG_IS_SECRET_MASK // The contents of this slot are secret
| ATCA_SLOT_CONFIG_WRITE_KEY(7) // Use this key to validate and encrypt data written to this slot
| ATCA_SLOT_CONFIG_WRITE_CONFIG(0b0111) // Encrypted write, derive key from parent
;
config_data->KeyConfig[slot] =
ATCA_KEY_CONFIG_KEY_TYPE(ATCA_AES_KEY_TYPE) // Key type
| ATCA_KEY_CONFIG_LOCKABLE_MASK // Slot can be individually locked using the Lock command.
;
Slot 2
Like key 1 but with limited uses.
Counter 0 is increased every time this key is used.
Configuration code:
config_data->SlotConfig[slot] =
ATCA_SLOT_CONFIG_READKEY(7) // Use this KeyID to encrypt data read from this slot. 0 only for CheckMac/Copy
| ATCA_SLOT_CONFIG_ENC_READ_MASK // Reads from this slot will be encrypted. IsSecret must also be set
| ATCA_SLOT_CONFIG_LIMITED_USE_MASK // The key stored in the slot is Limited Use.
| ATCA_SLOT_CONFIG_IS_SECRET_MASK // The contents of this slot are secret
| ATCA_SLOT_CONFIG_WRITE_KEY(7) // Use this key to validate and encrypt data written to this slot
| ATCA_SLOT_CONFIG_WRITE_CONFIG(0b0111) // Encrypted write, derive key from parent
;
config_data->KeyConfig[slot] =
ATCA_KEY_CONFIG_KEY_TYPE(ATCA_AES_KEY_TYPE) // 4: P256 NIST ECC key / 6: AES-128 key / 7: Not an ECC key
| ATCA_KEY_CONFIG_LOCKABLE_MASK // Slot can be individually locked using the Lock command.
;
Slot 3
Like key 1, but publicly readable and writable.
You can use it for debug or to store an ephemeral session key.
To read the value:
$ ./read_slot 3
0000000000000000000000000000000000000000000000000000000000000000
To write:
$ ./write_slot 3 0000000000000000000000000000000000000000000000000000000000000000
Ok
To encrypt/decrypt:
$ ./aes_encrypt 3 00000000000000000000000000000000
66e94bd4ef8a2c3b884cfa59ca342b2e
$ ./aes_decrypt 3 66e94bd4ef8a2c3b884cfa59ca342b2e
00000000000000000000000000000000
Configuration code:
config_data->SlotConfig[slot] =
ATCA_SLOT_CONFIG_READKEY(7) // Use this KeyID to encrypt data read from this slot. 0 only for CheckMac/Copy
| ATCA_SLOT_CONFIG_WRITE_KEY(7) // Use this key to validate and encrypt data written to this slot
| ATCA_SLOT_CONFIG_WRITE_CONFIG(0) // Always read/write
;
config_data->KeyConfig[slot] =
ATCA_KEY_CONFIG_KEY_TYPE(ATCA_AES_KEY_TYPE) // 4: P256 NIST ECC key / 6: AES-128 key / 7: Not an ECC key
;
Slot 4
Shared secret for MAC generation.
It is readable and writable if you know key 7.
It doesn’t require authentication, so everybody can use it as long as they have the chip.
A random nonce is required to prevent replay attacks.
Configuration code:
config_data->SlotConfig[slot] =
ATCA_SLOT_CONFIG_READKEY(7) // Use this KeyID to encrypt data read from this slot. 0 only for CheckMac/Copy
| ATCA_SLOT_CONFIG_ENC_READ_MASK // Reads from this slot will be encrypted. IsSecret must also be set
| ATCA_SLOT_CONFIG_IS_SECRET_MASK // The contents of this slot are secret
| ATCA_SLOT_CONFIG_WRITE_KEY(7) // Use this key to validate and encrypt data written to this slot
| ATCA_SLOT_CONFIG_WRITE_CONFIG(0b0111) // Encrypted write, derive key from parent
;
config_data->KeyConfig[slot] =
ATCA_KEY_CONFIG_KEY_TYPE(ATCA_SHA_KEY_TYPE) // 4: P256 NIST ECC key / 6: AES-128 key / 7: Not an ECC key
| ATCA_KEY_CONFIG_LOCKABLE_MASK // Slot can be individually locked using the Lock command.
| ATCA_KEY_CONFIG_REQ_RANDOM_MASK // A random nonce is required.
;
Slot 5
Like slot 4 but with limited uses.
Counter 0 is increased every time this key is used.
Configuration code:
config_data->SlotConfig[slot] =
ATCA_SLOT_CONFIG_READKEY(7) // Use this KeyID to encrypt data read from this slot. 0 only for CheckMac/Copy
| ATCA_SLOT_CONFIG_ENC_READ_MASK // Reads from this slot will be encrypted. IsSecret must also be set
| ATCA_SLOT_CONFIG_LIMITED_USE_MASK // The key stored in the slot is Limited Use.
| ATCA_SLOT_CONFIG_IS_SECRET_MASK // The contents of this slot are secret
| ATCA_SLOT_CONFIG_WRITE_KEY(7) // Use this key to validate and encrypt data written to this slot
| ATCA_SLOT_CONFIG_WRITE_CONFIG(0b0111) // Encrypted write, derive key from parent
;
config_data->KeyConfig[slot] =
ATCA_KEY_CONFIG_KEY_TYPE(ATCA_SHA_KEY_TYPE) // 4: P256 NIST ECC key / 6: AES-128 key / 7: Not an ECC key
| ATCA_KEY_CONFIG_LOCKABLE_MASK // Slot can be individually locked using the Lock command.
| ATCA_KEY_CONFIG_REQ_RANDOM_MASK // A random nonce is required.
;
Slot 6
Like key 1, but publicly readable and writable.
Does not require nonce.
Configuration code:
config_data->SlotConfig[slot] =
ATCA_SLOT_CONFIG_READKEY(7) // Use this KeyID to encrypt data read from this slot. 0 only for CheckMac/Copy
| ATCA_SLOT_CONFIG_WRITE_KEY(7) // Use this key to validate and encrypt data written to this slot
| ATCA_SLOT_CONFIG_WRITE_CONFIG(0) // Always read/write
;
config_data->KeyConfig[slot] =
ATCA_KEY_CONFIG_KEY_TYPE(ATCA_SHA_KEY_TYPE) // 4: P256 NIST ECC key / 6: AES-128 key / 7: Not an ECC key
;
Slot 7
Shared secret for I/O. This key can be used to read and write any other key that requires encrypted read or write (except key 12).
Notice this does not provide any security while the slot is unlocked, because this key is writable in cleartext.
Ex. set SHA256("password")
as the new key:
./write_slot 7 5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8
Configuration code:
config_data->SlotConfig[slot] =
ATCA_SLOT_CONFIG_READKEY(7) // Use this KeyID to encrypt data read from this slot. 0 only for CheckMac/Copy
| ATCA_SLOT_CONFIG_IS_SECRET_MASK // The contents of this slot are secret
| ATCA_SLOT_CONFIG_WRITE_KEY(7) // Use this key to validate and encrypt data written to this slot
| ATCA_SLOT_CONFIG_WRITE_CONFIG(0) // Clear W
;
config_data->KeyConfig[slot] =
ATCA_KEY_CONFIG_KEY_TYPE(ATCA_SHA_KEY_TYPE) // 4: P256 NIST ECC key / 6: AES-128 key / 7: Not an ECC key
| ATCA_KEY_CONFIG_LOCKABLE_MASK // Slot can be individually locked using the Lock command.
| ATCA_KEY_CONFIG_REQ_RANDOM_MASK // A random nonce is required.
;
Slot 8
This is the longest slot in the device. It is publicly writable and readable. You can use it to store arbitrary public data.
Use write_8
to write it:
$ ./write_8 "EyC Original. 2024/03/22."
0: 45 79 43 20 4f 72 69 67 69 6e 61 6c 2e 20 32 30 32 34 2f 30 33 2f 32 32 2e 00 00 00 00 00 00 00
32: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
64: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
96: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
128: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
160: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
192: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
224: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
256: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
288: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
320: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
352: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
384: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Ok
Configuration code:
config_data->SlotConfig[slot] =
ATCA_SLOT_CONFIG_READKEY(7) // Use this KeyID to encrypt data read from this slot. 0 only for CheckMac/Copy
| ATCA_SLOT_CONFIG_WRITE_KEY(7) // Use this key to validate and encrypt data written to this slot
| ATCA_SLOT_CONFIG_WRITE_CONFIG(0) // Clear W
;
config_data->KeyConfig[slot] =
ATCA_KEY_CONFIG_KEY_TYPE(ATCA_SHA_KEY_TYPE) // 4: P256 NIST ECC key / 6: AES-128 key / 7: Not an ECC key
| ATCA_KEY_CONFIG_LOCKABLE_MASK // Slot can be individually locked using the Lock command.
;
Slot 9
Public key. You can use it to store slot 0’s public part.
Can be clear read and write.
Configuration code:
config_data->SlotConfig[slot] =
ATCA_SLOT_CONFIG_READKEY(7) // Use this KeyID to encrypt data read from this slot. 0 only for CheckMac/Copy
| ATCA_SLOT_CONFIG_WRITE_KEY(7) // Use this key to validate and encrypt data written to this slot
| ATCA_SLOT_CONFIG_WRITE_CONFIG(0) // Clear W
;
config_data->KeyConfig[slot] =
ATCA_KEY_CONFIG_KEY_TYPE(ATCA_P256_KEY_TYPE) // 4: P256 NIST ECC key / 6: AES-128 key / 7: Not an ECC key
| ATCA_KEY_CONFIG_LOCKABLE_MASK // Slot can be individually locked using the Lock command.
;
Slot 10
TBD
Slot 11
TBD
Slot 12
Secret AES. This is a secret key, unkown.
It can be created or rotated using the DeriveKey command. But you cannot directly read or write it.
You must authenticate via key 13 to use this key.
Ex.: key 13 is the sha256 of password
.
$ echo -n "password" | sha256sum | cut -d' ' -f 1
5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8
$ ./authorize.sh 13 5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8
Ok
$ ./state
TempKey.NoMacFlag: 0
TempKey.GenKeyData: 0
TempKey.GenDigData: 0
TempKey.SourceFlag: 0
TempKey.KeyID: 0
TempKey.Valid: 0
Auth Key ID: 13
Auth Valid: 1
SRAM RNG: 0
EEPROM RNG: 0
For some reason, authorization does not work as expected for AES keys. So you can’t use this key to directly encrypt/decrypt.
However, you still can use this key to derive a symmetric key into TempKey.
Once authorized, you can load TempKey with a known value (like an IV), then use GenDig with this key to derive the AES encryption key:
$ ./load_tempkey 00000000000000000000000000000000
Ok
$ ./gendig 12
Ok
After this operation, you are no authorized anymore. TempTey is valid, derived from key 12 and a know value.
$ ./state
TempKey.NoMacFlag: 1
TempKey.GenKeyData: 0
TempKey.GenDigData: 1
TempKey.SourceFlag: 1
TempKey.KeyID: 12
TempKey.Valid: 1
Auth Key ID: 0
Auth Valid: 0
SRAM RNG: 0
EEPROM RNG: 0
Now you can encrypt/decrypt with the derived key:
$ ./aes_encrypt TEMPKEY 00000000000000000000000000000000
75e4ca11617b83e442d28fbcdb9210a4
This method is useful to encrypt multiple blocks with a limited use key. Because it only count as one use (the gendig
command).
Like using AES-128-CBC mode:
$ cat LICENSE | ./cbc_encrypt.sh TEMPKEY > LICENSE.aes
To decrypt it:
$ cat LICENSE.aes | ./cbc_encrypt.sh TEMPKEY
Configuration code:
config_data->SlotConfig[slot] =
ATCA_SLOT_CONFIG_READKEY(13) // Use this KeyID to encrypt data read from this slot. 0 only for CheckMac/Copy
| ATCA_SLOT_CONFIG_NOMAC_MASK // The key stored in the slot cannot be used by the MAC or HMAC commands.
| ATCA_SLOT_CONFIG_IS_SECRET_MASK // The contents of this slot are secret
| ATCA_SLOT_CONFIG_WRITE_KEY(13) // Use this key to validate and encrypt data written to this slot
| ATCA_SLOT_CONFIG_WRITE_CONFIG(0b1011) // Authorizing MAC required for DeriveKey command. (Create)
;
config_data->KeyConfig[slot] =
ATCA_KEY_CONFIG_KEY_TYPE(ATCA_AES_KEY_TYPE) // 4: P256 NIST ECC key / 6: AES-128 key / 7: Not an ECC key
| ATCA_KEY_CONFIG_LOCKABLE_MASK // Slot can be individually locked using the Lock command.
| ATCA_KEY_CONFIG_REQ_AUTH_MASK // To use this key, authorization by AuthKey must be completed
| ATCA_KEY_CONFIG_AUTH_KEY(13) // If ReqAuth is one, this field points to the key that must be used for authorization
;
Slot 13
Secret to use key 12.
A nonce is always required.
To prevent brute force attacks, you must also set limited uses for this key.
You can change this key only if you know its current value. Ex. changing from all zeros to the
sha256 of password
.
$ ./write_enc 13 5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8 \
13 0000000000000000000000000000000000000000000000000000000000000000 \
0000000000000000000000000000000000000000
Configuration code:
// General Purpose Slot Config (Not ECC Private Keys)
config_data->SlotConfig[slot] =
ATCA_SLOT_CONFIG_READKEY(13) // Use this KeyID to encrypt data read from this slot. 0 only for CheckMac/Copy
| ATCA_SLOT_CONFIG_IS_SECRET_MASK // The contents of this slot are secret
| ATCA_SLOT_CONFIG_WRITE_KEY(13) // Use this key to validate and encrypt data written to this slot
| ATCA_SLOT_CONFIG_WRITE_CONFIG(0b0100) // Encrypt write (with itself)
;
config_data->KeyConfig[slot] =
ATCA_KEY_CONFIG_KEY_TYPE(ATCA_SHA_KEY_TYPE) // 4: P256 NIST ECC key / 6: AES-128 key / 7: Not an ECC key
| ATCA_KEY_CONFIG_LOCKABLE_MASK // Slot can be individually locked using the Lock command.
| ATCA_KEY_CONFIG_REQ_RANDOM_MASK // A random nonce is required.
;
Slot 14
TBD
Slot 15
Data. Public read, encrypt write.
Since you need to know key 7 to write it, you can use it to store public data that the user can read but cannot modify.
$ ./read_slot 15 | xxd -r -p
To write this, you need key 7.
$ ./write_enc 15 546f20777269746520746869732c20796f75206e656564206b657920372e0000 \
7 5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8 \
0000000000000000000000000000000000000000
Configuration code:
// General Purpose Slot Config (Not ECC Private Keys)
config_data->SlotConfig[slot] =
ATCA_SLOT_CONFIG_WRITE_KEY(7) // Use this key to validate and encrypt data written to this slot
| ATCA_SLOT_CONFIG_WRITE_CONFIG(0b0100) // Encrypted W
;
// Key Config
config_data->KeyConfig[slot] =
ATCA_KEY_CONFIG_KEY_TYPE(ATCA_SHA_KEY_TYPE) // 4: P256 NIST ECC key / 6: AES-128 key / 7: Not an ECC key
| ATCA_KEY_CONFIG_LOCKABLE_MASK // Slot can be individually locked using the Lock command.
;
Customize
Edit device_cfg.c
for your device. Then edit atca_config.h
to enable proper
things.
Build
Compile the library
Create a directory:
mkdir ~/atca && cd ~/atca
Clone the repository:
git clone https://github.com/electronicayciencia/ATECC608-Tools.git
Enter the main directory and update the library:
cd ATECC608-Tools
git submodule update --init --recursive
Build the library with your preferred options:
cd cryptoauthlib
cmake -DATCA_PKCS11:STRING=ON -DATCA_HAL_I2C=ON .
make
The file cryptoauthlib/lib/libcryptoauth.so
is created.
Applications
Run make
to build all the binaries.
cd ..
make
Run
Export the library path:
export LD_LIBRARY_PATH=$HOME/atca/cryptoauthlib/lib
Optionally, edit ~/.bashrc
to include that line.
To inspect I2C messages, set ATCA_TRACE
env. var.:
export ATCA_TRACE=1