Secure data storage with authentication

[faboulous1]

We want to securely store some data on the chip, that can only be accessed after valid authentication. The authentication will be perfermed by OPTIGA internally. We are looking for following functionality all together:

1- Secure storage of data in OPTIGA

2- Secure the storage using some authentication mechanism such as a password

3- Log the wrong attempts of password, that after X wrong attempts, we erase the password and the data stored

4- The password shouldnt be able to read from chip and it can be modified after authentication

Is it possible to achieve the above mentioned functionality using existing APIs of OPTIGA X?

Or do we need to modify OPTIGA X firmware to achieve it?

Please advise.

[ayushev]

Hi,

this generation of the security solution cannot cryptographically authenticate attempts to read or write data to/from the memory, follow up our updates to check for new solutions. It is possible though to filter modify attempts using the lifecycle management (so everyone can read, but no one can modify after the lock has been performed) of the chip.

This isn't an official proposal from Infineon, you might want to cross check this functionality in the Solution Reference Manual. I'm expressing my opinion here, this means it can have security flaws. You can establish a shared secret using the Trust X, then derive a symmetric key using this shared secret (I believe you already started to work in this direction), then encrypt your data with this key, store the content in the arbitrary data object, then lock it.

[faboulous1]

Thanks for the reply. May i know what do you mean "lock" it. How can we lock/unlock data. Is there some authentication process we can perform to "lock/unlock" the data?
I am worried, if someone gets physical access to device, unsolder the optigaX, and solder it with his MCU and perform same steps as i did, then he can be able to access locked/unlcoked data if there is no authentication. May be i am missing some stuff here?

[ayushev]

This user will get in this case the access, you are right, but the data stored should be encrypted with the symmetrical key. Steps to what you do with the arduino library, use private key OID, generate a shared secret, then generate a symmetrical AES key, which only the original MCU knows, and this key isn't pre-programmed, you can generate it once per chip.

[ayushev]

By locking I mean this wiki artickle. Here you see in the figure various states Creation(0x01) -> Initialisation(0x03) -> Operational(0x07) -> Termination(0x0F).
Once you bring the object from one stage to antoher it affect read/write access based on the given rules.
It is possible to define for an object and access condition like following: Write is possible only when the lifecycle state is Initialisation(0x03) etc

[faboulous1]

Thats a good idea, as long as the person cannot read the corresponding public key from MCU. As you know general purpose MCUs are not secure, and thats the purpose we are putting data on a secure chip at the first place. Although it will require more effort to get the data but not impossible. Am i right?

[ayushev]

Knowing the public key doesn't give anything reasonable to an attacker.

You can do the following (again, this is only imo):

1. generate a keypair using one of session ids (alternatively you can generate another keypair and store it in a different session id)
2. Generate a shared secret and store the result in the session id
3. Derive a key and export the result (there is a weak point of transmitting it over the unsecured i2c bus)
4. Remove the public key(-s) from the MCU memory
5. Encrypt the required data with the exported key, store it on OPTIGA(TM) Trust X, and lock the object

[faboulous1]

Thanks alot for explaination. Now can you please also tell me the steps how to unlock/decrypt the object

[ayushev]

There are no examples for the arduino libray, but you can use this software framework to add required functions.
So, we are talking about writing data and updating the metadata of the the objects, both examples are available here

Here is the full example on writing the Trust Anchor Object ID.

The sample code which might be interesting for you is here

/**
 * Sample metadata
 */
static uint8_t metadata [] = { 
    //Metadata tag in the data object
    0x20, 0x05,
        //Read tag in the metadata
        0xD1, 0x03, 
            //LcsO < Operation
            0xE1 , 0xFB, 0x03,  
};

0x20, 0x05 means you refer to the metadata section of the object
0xD1, 0x03 you define to which operation you would like to define new rules
0xE1 , 0xFB, 0x03 new access conditions defined for this object (Life cycle state is less than operational)

You also need to update the lifecycle state itself to the operational.

More information you can fine here and here (SRM, pdf)

[faboulous1]

I am not asking exact implementation details. I am asking, how we can decrypt the stored data that is locked? Please tell me same steps as you said before.

[ayushev]

It is locked for follow up writes. You still can read this data. The data can be decrypted using the same symmetrical key you have derived previously.

[faboulous1]

So the symmetric key and encrypted data both are stored on Optiga?
If yes, then anyone with physical access to device can flash our MCU (that is connected to OPTIGA), hence can decrypt the data using the stored key on optiga. No?

[ayushev]

No, if we are still discussing my proposal, then the symmetric key is generated once (step 3 in my message above) an stored on the side of the MCU.
It's is still vulnerable as it is in the MCU memory, but this is a different level of vulnerability. In the end you anyway need to store something on the MCU, be it a pin or a password, unless this is a user given password.
If this is a user given password the flow should be revisited.

[faboulous1]

Thanks. So that means to access the Secure info from the OPTIGA we need to send a key that is stored on an "unsecure MCU". So anyone who can read the key stored on "unsecured MCU" can access the data from OPTIGA.
Having said above, we may can make a more secure system if we use a pin/password that is not stored on MCU. Could you please tell me what steps to do to encrypt/decrypt data using AES on OPTIGA using pin/password?

[ayushev]

This generation of OPTIGA(TM) Trust X doesn't support AES encryption/decryption direct on the chip, this should be performed on the MCU side, on the exact details I can't unfortunately help you.
In my personal opinion you can encrypt your sensitive data using the AES key (derived from the Trust X) combined with the salt in the form of the given password/pin.

[faboulous1]

Thanks alot 👍

[faboulous1]

I just found this on OPTIGA datasheet Key features page 1:

Cryptographic support: ECCNIST P256and P384, AES-128(via DTLS client), SHA-256, TRNG, DRNG

AES 128 is mentioned their.

[ayushev]

You are welcome.
AES as mentioned is supported only via the established DTLS channel, you need to use the on-chip DTLS feature to enable it.

[faboulous1]

Thanks. Is there anyway i can program my own firmware in OPTIGA? or change the existing one? I guess the functionality i am looking for cant be done securely without changing OPTIGA firmware.