Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Hackathon117] Add encrypted personalization data using ES-ECDH #351

Merged
merged 6 commits into from
Nov 4, 2023
Merged

[Hackathon117] Add encrypted personalization data using ES-ECDH #351

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
18c0362
update: use ES-ECDH for encrypted personalization data
kentakayama Jul 24, 2023
4a40ef1
update: remove kid in header
kentakayama Jul 25, 2023
288775c
add: to be decrypted payload as a NOTE
kentakayama Jul 25, 2023
eada985
update: Personalization Example using KDF context
kentakayama Sep 10, 2023
60c5d27
update: encryption parameters note in md
kentakayama Sep 10, 2023
bd68da2
del: old note
kentakayama Sep 10, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
25 changes: 16 additions & 9 deletions cbor/suit_personalization.diag.txt
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,15 +2,15 @@
/ authentication-wrapper / 2: << [
<< [
/ digest-algorithm-id: / -16 / SHA256 /,
/ digest-bytes: / h'F8CDE205EA2C63FB23042AAF336BA51C12DBDFAA9714149F42FA0F701490DF43'
/ digest-bytes: / h'DDFC55B9FF63C1A27A7DA1CFB64DC924ACD5EFBAD5D5CAD2E7CFEDEB296C74D5'
] >>,
<< / COSE_Sign1_Tagged / 18([
/ protected: / << {
/ algorithm-id / 1: -7 / ES256 /
} >>,
/ unprotected: / {},
/ payload: / null,
/ signature: / h'34994DB97D120652829B242C9A33AEF892C213BB10550341B9816207EF78E21BE323A8B4C3BF2BD90E3EEE34D749D3AF45C972E3EA96B8FE3D49B3CD27FCF779'
/ signature: / h'7BBA826B1F0F2D3607C239D94D2ECE75629FD56F86E120CC7731531E61C92ABF436B9CCE296F070FAFD94AE8BA3D33EC37256350DB95E3A67C50978563E76389'
]) >>
] >>,
/ manifest / 3: << {
Expand Down Expand Up @@ -55,9 +55,9 @@
/ NOTE: image-digest and image-size of plaintext config.json /
/ parameter-image-digest / 3: << [
/ digest-algorithm-id: / -16 / SHA256 /,
/ digest-bytes: / h'2d62bc330d02054f4028e790a161cf26fce74ae5e05f6165ccbdf23b27faf5c7'
/ digest-bytes: / h'8273468FB64BD84BB04825F8371744D952B751C73A60F455AF681E167726F116'
] >>,
/ image-size / 14: 64
/ image-size / 14: 61
},
/ condition-image-match / 3, 15
] >>,
Expand All @@ -76,31 +76,38 @@
/ directive-set-component-index / 12, 0,
/ directive-override-parameters / 20, {
/ NOTE: encrypted payload and encryption-info /
/ parameter-content / 18: h'48FE0794D291C42700D614FC7EF638A6CF9C6B40CBE172CC0EB2B0ECB9DA6071BE85CACB416090E350354760A463D3D85D7E835B5E48190DBE61F2DA1C1C687062AC556B89B8459FE99D79378158BAF5',
/ parameter-content / 18: h'1A6D7C82357219BF85C334F673FB93E37A7443945A5B4E8E2391668E92B5936AB2B285FB4CEA6EADACC75242CE0B1C779DB36D34E2BDAD74666934778EC534628EFBA31805F5C699F66D7E4A03',
/ parameter-encryption-info / 19: << 96([
/ protected: / << {
/ alg / 1: 1 / AES-GCM-128 /
} >>,
/ unprotected: / {
/ IV / 5: h'5318E31B9825AAF12664796B5DC644EB'
/ IV / 5: h'56255F07A12A0FCD0877D199EBE878DF'
},
/ payload: / null / detached ciphertext /,
/ recipients: / [
[
/ protected: / << {
/ alg / 1: -29 / ECDH-ES + A128KW /
} >>,
/ unprotected: / {
/ alg / 1: -3 / A128KW /,
/ kid / 4: 'kid-1'
/ ephemeral key / -1: {
/ kty / 1: 2 / EC2 /,
/ crv / -1: 1 / P-256 /,
/ x / -2: h'F8D76E4011FAD67E236AFCE61CC2F472706BD08B451FC588EF758E0D4BF5E200',
/ y / -3: h'2D8A9B35903CD560F15DC011AB6398209724C6F41A7E9EBC9F3EB1B7BB30FBB8'
}
},
/ payload: / h'8A788C02AA608BAD1F94BDC4786E6BAFB9D805173A8B66DD' / CEK encrypted with KEK /
/ payload: / h'ABACADEC902D882096A50D88A222644C25E6152B66B96B84'
/ CEK encrypted with KEK /
]
]
]) >>
},

/ decrypt encrypted firmware /
/ directive-write / 18, 15 / consumes the SUIT_Encryption_Info above /
/ NOTE: decrypted payload would be ``{"name":"FOO Bar","secret":"0123456789abfcdef0123456789abcd"}'' /
] >>,
/ uninstall / 24: << [
/ directive-set-component-index / 12, 1,
Expand Down
30 changes: 16 additions & 14 deletions cbor/suit_personalization.hex.txt
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,21 +1,23 @@
A2025873825824822F5820F8CDE205EA2C63FB23042AAF336BA51C12DBDF
AA9714149F42FA0F701490DF43584AD28443A10126A0F6584034994DB97D
120652829B242C9A33AEF892C213BB10550341B9816207EF78E21BE323A8
B4C3BF2BD90E3EEE34D749D3AF45C972E3EA96B8FE3D49B3CD27FCF77903
5901E3A801010203035886A301A101A101844B544545502D446576696365
A2025873825824822F5820DDFC55B9FF63C1A27A7DA1CFB64DC924ACD5EF
BAD5D5CAD2E7CFEDEB296C74D5584AD28443A10126A0F658407BBA826B1F
0F2D3607C239D94D2ECE75629FD56F86E120CC7731531E61C92ABF436B9C
CE296F070FAFD94AE8BA3D33EC37256350DB95E3A67C50978563E7638903
590226A801010203035886A301A101A101844B544545502D446576696365
485365637572654653508D82573A926D4754935332DC29997F7444737569
740281834B544545502D4465766963654853656375726546534B636F6E66
69672E6A736F6E04582D880C0014A20150C0DDD5F15243566087DB4F5B0A
A26C2F0250DB42F7093D8C55BAA8C5265FC5820F4E010F020F05834B5445
45502D4465766963654853656375726546534B636F6E6669672E73756974
075831860C0014A2035824822F58202D62BC330D02054F4028E790A161CF
26FCE74AE5E05F6165CCBDF23B27FAF5C70E1840030F0F5847860C0114A1
075831860C0014A2035824822F58208273468FB64BD84BB04825F8371744
D952B751C73A60F455AF681E167726F1160E183D030F0F5847860C0114A1
15783D68747470733A2F2F6578616D706C652E6F72672F38643832353733
612D393236642D343735342D393335332D3332646332393939376637342E
7375697415021158A48A0C010B000C0014A212585048FE0794D291C42700
D614FC7EF638A6CF9C6B40CBE172CC0EB2B0ECB9DA6071BE85CACB416090
E350354760A463D3D85D7E835B5E48190DBE61F2DA1C1C687062AC556B89
B8459FE99D79378158BAF5135843D8608443A10101A105505318E31B9825
AAF12664796B5DC644EBF6818341A0A2012204456B69642D3158188A788C
02AA608BAD1F94BDC4786E6BAFB9D805173A8B66DD120F18184A880C010B
000C0018210F
7375697415021158E78A0C010B000C0014A212584D1A6D7C82357219BF85
C334F673FB93E37A7443945A5B4E8E2391668E92B5936AB2B285FB4CEA6E
ADACC75242CE0B1C779DB36D34E2BDAD74666934778EC534628EFBA31805
F5C699F66D7E4A03135889D8608443A10101A1055056255F07A12A0FCD08
77D199EBE878DFF6818344A101381CA120A401022001215820F8D76E4011
FAD67E236AFCE61CC2F472706BD08B451FC588EF758E0D4BF5E200225820
2D8A9B35903CD560F15DC011AB6398209724C6F41A7E9EBC9F3EB1B7BB30
FBB85818ABACADEC902D882096A50D88A222644C25E6152B66B96B84120F
18184A880C010B000C0018210F
9 changes: 7 additions & 2 deletions draft-ietf-teep-protocol.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2126,6 +2126,13 @@ bz/m4rVlnIXbwK07HypLbAmBMcCjbazR14vTgdzfsJwFLbM5kdtzOLSolg==
## Example 3: Supplying Personalization Data for Trusted Component Binary {#suit-personalization}
{: numbered='no'}

This example uses the following parameters:

- Algorithm for payload encryption: AES-GCM-128
dthaler marked this conversation as resolved.
Show resolved Hide resolved
- Algorithm id for key wrap: A128KW
- KEK: 'aaaaaaaaaaaaaaaa'
- COSE_KDF_Context.SuppPubInfo.other: 'SUIT Payload Encryption'

### CBOR Diagnostic Notation of SUIT Manifest
{: numbered='no'}

Expand All @@ -2141,8 +2148,6 @@ bz/m4rVlnIXbwK07HypLbAmBMcCjbazR14vTgdzfsJwFLbM5kdtzOLSolg==
{::include cbor/suit_personalization.hex.txt}
~~~~

The Personalization Data above is encrypted with A128KW.
The secret key is h'61616161616161616161616161616161' (0x61 = 'a', and the length is 16).

# F. Examples of SUIT Reports {#suit-reports}
{: numbered='no'}
Expand Down