Secure element (ATECC608A / SE050)


Frix

Nov 8, 2023, 11:27:56 AM
to USB armory
Good day, 

I'd like to develop software for the Armory MK2 to be able to use it as an electronic vault. 

To this effect, I'd like the user to set their own PIN (password), which is stored on the secure element (ATECC508A or NXP SE050).

A PIN should unlock the device, so the user can read/write their data (keys) to the secure element.
If the PIN was entered incorrectly a couple of times, the device must either wipe the internal storage or lock itself to prevent a brute-force login attempt.
After the device is locked, there must be a way to reset the chip via the I2C so that the unit can be set up from scratch again.

The datasheet of the ATECC508 can be downloaded without signing an NDA first, whereas the ATECC608A still seems to be guarded closely. From the ATECC508 datasheet there are roundabout ways to use a key as a password and tying it to the monolithic counter to limit its use. Overwriting the old password still requires the MAC to be calculated against the current value in the IC; thus, a 'factory reset' is not possible if the user forgot their PIN. It doesn't appear that the ATECC508 is suitable for what I'd like to accomplish.

Has anybody played with these security elements, and does anybody know if the SE050 is suitable for the password/PIN management scheme I've outlined above?

Regards,
Frix
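The PIN policy outlined in the post above (limited attempts, wipe or lock on failure, a reset that needs no PIN), as an added example that is not part of the original thread and uses no ATECC508A or SE050 API. The `Vault` class, `MAX_TRIES` and the choice to both wipe and lock are assumptions; on real hardware the attempt counter and verifier would have to live in tamper-resistant persistent storage rather than in memory.

```python
import hashlib
import hmac
import os

MAX_TRIES = 3  # assumed limit; the post only says "a couple of times"


class Vault:
    """Software model of the PIN policy. Not an ATECC508A or SE050 API."""

    def __init__(self):
        self.factory_reset()

    def factory_reset(self):
        # Needs no PIN: it destroys the stored data rather than revealing it,
        # so a forgotten PIN costs the data but not the device.
        self.salt = self.verifier = None
        self.tries_left = 0
        self.secrets = {}
        self.unlocked = False

    def _derive(self, pin):
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self.salt, 100_000)

    def set_pin(self, pin):
        if self.verifier is not None:
            raise PermissionError("already provisioned, factory_reset() first")
        self.salt = os.urandom(16)
        self.verifier = self._derive(pin)
        self.tries_left = MAX_TRIES

    def unlock(self, pin):
        self.unlocked = False
        if self.verifier is None or self.tries_left == 0:
            return False
        # Spend the attempt before comparing, so that interrupting the check
        # (e.g. cutting power) can never yield a free guess.
        self.tries_left -= 1
        if hmac.compare_digest(self._derive(pin), self.verifier):
            self.tries_left = MAX_TRIES
            self.unlocked = True
        elif self.tries_left == 0:
            self.secrets.clear()  # this model wipes and locks on the last miss
        return self.unlocked

    def store(self, name, value):
        if not self.unlocked:
            raise PermissionError("vault is locked")
        self.secrets[name] = value
```

Once locked, even the correct PIN is refused until `factory_reset()` is called, which is the behaviour the post asks for.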


Manny Caceres

Jan 2, 2024, 5:24:39 AM
to USB armory
Hello,

Short answer - Yes, but it depends.

For SE050 you could try to get the NXP middleware and their IoT SE Applet to work. It seems that they have a Raspberry Pi reference working.

Another path is to use open source tools, which is what I'm interested in. It seems that the SE050 is a GlobalPlatform compliant Secure Element. I was able to get PCSC-lite and GPShell to recognize the SE050 using this driver: https://github.com/cmuellner/libifdse

I can select Applets and send APDUs. However - I don't know the ISD Security domain keys.

With the ISD Security keys you can take over the Secure Element and install your own applets (Java Card). This together with TEE + Secure-boot is as secure as it gets!

@Andrej Rosano - Is it possible to get the ISD Security Domain Keys (SCP02 or SCP03, etc.) for the SE050 Secure Element?

Thanks
Manny

Andrea Barisani

Jan 8, 2024, 10:47:45 AM
to USB armory
NXP does not provide the ability to install arbitrary applets on the SE050 (I think they do on the SE051).

Kind regards
