5.7.31. FIDO ECDAA Example

This project demonstrates FIDO ECDAA algorithm which is defined in https://fidoalliance.org/specs/fido-v2.0-id-20180227/fido-ecdaa-algorithm-v2.0-id-20180227.html.

Refer - simw-top/demos/se05x/se05x_FIDO_ECDAA/se05x_FIDO_ECDAA.c

SE05x, in this project, is used for:

  • Random number generateion

  • Key management

  • ECDAA sign

  • Scalar multiplication of a (elliptic) curve point

5.7.31.1. Building the Demo

5.7.31.2. Running the Example

If you have built a binary, flash the binary on to the board and reset the board.

If you have built an exe to be run from Windows using VCOM, run as:

se05x_FIDO_ECDAA.exe <PORT NAME>

Where <PORT NAME> is the VCOM COM port.

On Raspberry-Pi or iMX board, run as:

./se05x_FIDO_ECDAA

5.7.31.3. Console output

If everything is successful, the output will be similar to:

App   :INFO :Running FIDO Example se05x_FIDO_ECDAA.c
App   :INFO :EcdaaJoin 1) Get B from Issuer
App   :INFO :EcdaaJoin 1.1) The ECDAA Issuer chooses a nonce BigInteger m
App   :INFO :m (Len=32)
      ED AD 8C AB    6A CD A6 0D    B8 B9 E6 AC    89 57 3A 57 
      02 4D 29 7B    2A 6A EE 59    15 8A 6F 6E    AB 5F 35 23 
App   :INFO :EcdaaJoin 1.2) The ECDAA Issuer computes the B value of the credential as B=HG1(m) and send (sc,yc)=HG1_pre(m) to the authenticator
App   :INFO :B (Len=65)
      04 F7 72 DF    94 09 AC 26    43 EC 10 6D    08 5E 95 A9 
      F8 F4 23 99    6E 1D EB 03    2E A8 C7 13    4A 0D 54 86 
      7C 5C D2 95    60 7B BA 30    88 99 2C 47    29 E5 F2 CD 
      D4 A2 1B 82    6D 20 17 A6    E8 45 19 BC    DC 06 BF 59 
      E3 
App   :INFO :sc index 0x00000000
App   :INFO :EcdaaJoin 2) The authenticator generate secret key (sk) on SE, as a key pair on the BN curve (we only need the private key part).
App   :INFO :EcdaaJoin 3) The authenticator re-calculates B from the data received from backed (and stores on SE). Re-calculated from sc and yc as described in FIDO spec.
App   :INFO :Authenticator B (Len=65)
      04 F7 72 DF    94 09 AC 26    43 EC 10 6D    08 5E 95 A9 
      F8 F4 23 99    6E 1D EB 03    2E A8 C7 13    4A 0D 54 86 
      7C 5C D2 95    60 7B BA 30    88 99 2C 47    29 E5 F2 CD 
      D4 A2 1B 82    6D 20 17 A6    E8 45 19 BC    DC 06 BF 59 
      E3 
sss   :INFO :Public key should be paased without header
App   :INFO :EcdaaJoin 4) The authenticator calculation of Q=ECPointMultiply(sk, B), the ECDAA public key (and attested readback)
sss   :INFO :Public key should be paased without header
App   :INFO :Read Q attested.This is required for FIDO remote provisioning usecase, as opposed to in factory provisioningThe attestation signature over Q would be used as proof that the sk is indeed on the SE.As FIDO specifies no anonymity is required in this one tim
sss   :WARN :Returned is not in DER Format
App   :INFO :Q=B^sk (Len=65)
      04 83 77 C3    5B 49 03 8F    72 0A 60 D9    88 76 99 CE 
      A3 7A FC 9C    72 89 17 64    80 89 6F 11    20 67 A0 DE 
      15 2A 38 D2    9F 89 C8 BA    2C 27 DA 9A    C2 F3 0A 9A 
      75 3B 59 CF    D2 AC 41 29    12 BA B4 62    7B F2 9D 22 
      9B 
App   :INFO :EcdaaJoin 5) The authenticator generate random (r) on SE, as a private key on the BN curve.
App   :INFO :EcdaaJoin 6) The authenticator calculation of U1 = ECPointMultiply(r, B) on SE
sss   :INFO :Public key should be paased without header
sss   :WARN :Returned is not in DER Format
App   :INFO :U1=B^r1 (Len=65)
      04 B0 F0 A3    72 B1 AE 4F    DE 08 72 B9    4C E6 CE C5 
      5A 5F 30 0B    72 AE 5E FC    30 2C DB BA    25 C2 76 BD 
      6F 69 85 6B    86 E5 E5 3E    B4 51 01 11    C3 ED F3 6D 
      17 9E 8A 42    9C 11 D8 A0    5B 1A D9 72    1D AF 8D 3A 
      D4 
App   :INFO :EcdaaJoin 7) The authenticator calculation of the Hash (c_1) on the Host
App   :INFO :c_2=H(U1|P1|Q|m) (Len=32)
      4E 91 CE 70    FD A8 ED 6D    CD D3 B0 AA    EA CA CE E9 
      81 6C 3B 4F    56 7C C6 46    AA 89 37 BA    4D 3E B1 8D 
App   :INFO :n (Len=32)
      F6 FD DE A7    53 AC EC 59    19 76 08 11    CE 62 7B 86 
      0B 7D FF 78    E8 C0 C1 D1    84 FA 00 48    6D C0 81 D1 
App   :INFO :c_1 = H(n|c_2) (Len=32)
      7B CE 04 0F    1A BA 03 6A    74 CD 12 67    20 3A C0 24 
      82 D5 21 EA    B7 73 5E C0    04 12 E1 17    2F 62 CF 89 
App   :INFO :EcdaaJoin 8) The authenticator calculation of the ECDAA signature s1 on the SE and send Q, c1, s1, n to Issuer.
App   :INFO :Do Signing
App   :INFO :digest (Len=32)
      7B CE 04 0F    1A BA 03 6A    74 CD 12 67    20 3A C0 24 
      82 D5 21 EA    B7 73 5E C0    04 12 E1 17    2F 62 CF 89 
App   :INFO :signature (Len=36)
      30 22 02 20    5B 2B 35 08    0F 6B E7 CD    C1 F7 7F 12 
      98 90 C5 3E    C8 13 88 38    E9 CF 38 D1    D7 A0 3B 4D 
      FE 19 A8 CA 
App   :INFO :Signing Successful !!!
App   :INFO :EcdaaJoin 9.1) Verify on the ECDAA Issuer Backend.
App   :INFO :B^s_1 (Len=65)
      04 33 16 03    9D 3B 2C AE    B8 23 F9 C5    EC A2 B0 19 
      93 78 DC 3E    58 34 32 87    42 4C EC D0    27 73 13 17 
      D4 67 25 A8    1B 68 45 4E    E6 AC D4 DC    A6 B9 A0 D8 
      6A 20 4C BC    72 03 80 35    B2 74 4D C2    3F 59 8F 51 
      73 
App   :INFO :Q^c1 (Len=65)
      04 A5 5D D7    78 BD B6 AB    E1 19 5F 73    2B 7E 9A BF 
      AB 88 B3 89    37 D5 9A B7    1B 4B AB 13    30 9F BE B7 
      17 B2 51 E6    01 CA DF FE    4C B5 60 AC    4B AB DE 94 
      19 83 A5 75    E8 3B 73 10    E2 17 95 1B    3A 46 96 95 
      B1 
App   :INFO :U_verify=B^s1-Q^c1 (Len=65)
      04 A5 5D D7    78 BD B6 AB    E1 19 5F 73    2B 7E 9A BF 
      AB 88 B3 89    37 D5 9A B7    1B 4B AB 13    30 9F BE B7 
      17 B2 51 E6    01 CA DF FE    4C B5 60 AC    4B AB DE 94 
      19 83 A5 75    E8 3B 73 10    E2 17 95 1B    3A 46 96 95 
      B1 
App   :INFO :c_2_verify = H(U_verify|P1|Q|m) (Len=32)
      4E 91 CE 70    FD A8 ED 6D    CD D3 B0 AA    EA CA CE E9 
      81 6C 3B 4F    56 7C C6 46    AA 89 37 BA    4D 3E B1 8D 
App   :INFO :c_1_verify = H(n|c_2_verify) (Len=32)
      7B CE 04 0F    1A BA 03 6A    74 CD 12 67    20 3A C0 24 
      82 D5 21 EA    B7 73 5E C0    04 12 E1 17    2F 62 CF 89 
App   :INFO :c_1 (Len=32)
      7B CE 04 0F    1A BA 03 6A    74 CD 12 67    20 3A C0 24 
      82 D5 21 EA    B7 73 5E C0    04 12 E1 17    2F 62 CF 89 
App   :INFO :Verified. H(n|c_2_verify) == c_1
App   :INFO :EcdaaJoin 9.2) The ECDAA Issuer create a credential for the SE.
App   :INFO :isk.x (Len=32)
      61 60 54 A4    DC 84 6B 12    BE A3 EF 4E    88 F9 96 BB 
      3E A7 82 F7    61 1F 91 5D    24 A1 DA A6    6B 63 EA DA 
App   :INFO :isk.y (Len=32)
      07 32 A9 AA    21 9F 67 02    80 33 76 FD    BE 3C 54 30 
      22 9E AC ED    83 0E 7A 77    73 59 8C 50    1B 48 6D 17 
App   :INFO :C = (A + Q)^x
App   :INFO :D = Q
App   :INFO :EcdaaJoin 9.3) The ECDAA Issuer sends A, CA,C to the authenticator. The authenticator still knows BB and DD
App   :INFO :EcdaaJoin 10) The authenticator store the credential on the SE (in real use case these are injected via a confidentiality protected mechanism)
App   :INFO :A = B^(1/y) (Len=65)
      04 05 BA FD    6F 93 08 F1    37 57 BF 1E    20 1E 67 D8 
      69 B3 CF D4    21 B5 42 A0    44 EE A4 B1    A4 0A 42 D4 
      28 50 A2 95    1B CA F2 D5    6E 47 AF E4    6B BD C6 5E 
      2E 9A 4B 1E    93 B2 7C EB    F3 3C AD 49    1A 01 78 C2 
      B6 
App   :INFO :C = (A + Q)^x (Len=65)
      04 3D 4C 15    47 94 18 66    F4 E7 CE 4D    DD 1F B3 EC 
      9C C9 07 0B    9B EF 81 77    3B C5 EA F9    5B F7 F4 53 
      F7 18 C0 50    05 E6 27 DB    8D 08 76 34    86 72 A4 9C 
      A5 9E 16 29    29 9F 17 F1    2A 38 5F FC    06 9B 14 BC 
      CB 
App   :INFO :D = Q (Len=65)
      04 83 77 C3    5B 49 03 8F    72 0A 60 D9    88 76 99 CE 
      A3 7A FC 9C    72 89 17 64    80 89 6F 11    20 67 A0 DE 
      15 2A 38 D2    9F 89 C8 BA    2C 27 DA 9A    C2 F3 0A 9A 
      75 3B 59 CF    D2 AC 41 29    12 BA B4 62    7B F2 9D 22 
      9B 
sss   :INFO :Public key should be paased without header
sss   :INFO :Public key should be paased without header
sss   :INFO :Public key should be paased without header
App   :INFO :EcdaaJoin operation completed!The SE and Backend established trust, from now on the SE can generate anonymous sigantures which the Backend can verify.
App   :INFO :ECDAAsign PRE) Generate KRD
App   :INFO :KRD (Len=100)
      ED 39 04 4D    8D C1 0F F4    5C 64 73 EF    57 BD 00 9D 
      13 93 28 F2    AA 67 8E 40    C9 A0 75 A9    E3 3A 77 45 
      21 16 2C 74    AD F5 44 1B    2A 92 26 3A    74 E9 B4 E2 
      58 93 85 8E    15 AC 6C 4B    C7 B5 23 0B    E6 B5 43 93 
      C4 BC 3D CC    92 BD 3D F5    F3 00 2A 88    5D C5 CC 4E 
      8D F1 2D BF    C8 59 C9 D3    81 8E 48 8B    AD 87 72 FE 
      8C EA 0F F7 
sss   :INFO :Public key should be paased without header
App   :INFO :ECDAAsign Note: From here on the complete operation must be repeatable without NV writes.
App   :INFO :ECDAAsign a) regenerate random l
App   :INFO :l (Len=32)
      C8 26 98 6F    2D 8B 04 80    34 09 D9 BF    49 52 5C C2 
      A6 F4 54 D5    38 48 B1 C7    45 CB AB DD    06 71 34 58 
sss   :INFO :Private key should be passed without header
App   :INFO :R = ECPointMultiply(l, A)
App   :INFO :S = ECPointMultiply(l, B)
sss   :WARN :Returned is not in DER Format
App   :INFO :T = ECPointMultiply(l, C)
App   :INFO :W = ECPointMultiply(l, D)
App   :INFO :ECDAAsign b) Random (r) was already regenerated during the last sign operation.
App   :INFO :ECDAAsign c) Calculation of U on SE
App   :INFO :U = ECPointMultiply(r, S)
App   :INFO :ECDAAsign d) Calculation of the Hash (c) on the Host
App   :INFO :H(KRD) = H(KRD) (Len=32)
      9C D6 3B 62    0B DC B4 23    CA 5D 8B 6C    80 D1 CE AC 
      CA E0 F6 4A    E4 B3 E4 EF    6F 28 86 93    71 B8 F8 BD 
App   :INFO :AppID https://www.nxp.com/se050
App   :INFO :c2 = H(U|S|W|AppID|H(KRD)) (Len=32)
      45 FF 09 54    38 74 89 51    A4 90 53 C3    0B 39 E7 7F 
      54 29 95 2C    DC E2 9A BC    FD 9A E4 6B    83 B6 C3 EA 
App   :INFO :n (Len=32)
      40 F0 56 51    8A 4B AE FA    D4 D2 3D 1C    F6 55 9A 48 
      F6 06 B1 E2    62 45 D7 2F    D7 3D 78 77    4E 57 B2 60 
App   :INFO :c = H(n|c_2) (Len=32)
      24 99 8F C2    81 7D 7C 16    C5 EF 3E AB    4D E2 55 81 
      03 1B 58 CD    E6 03 F5 52    2E 7B 2E 99    0D AF 06 68 
App   :INFO :ECDAAsign e) Calculation of the ECDAA signature on the SE
App   :INFO :Do Signing
App   :INFO :digest (Len=32)
      24 99 8F C2    81 7D 7C 16    C5 EF 3E AB    4D E2 55 81 
      03 1B 58 CD    E6 03 F5 52    2E 7B 2E 99    0D AF 06 68 
App   :INFO :signature (Len=36)
      30 22 02 20    6A 75 8F F2    8D 79 00 66    CE C9 81 08 
      07 CA DD 3F    B0 88 78 86    06 F0 F6 0C    C0 22 35 08 
      3F FB 25 1E 
App   :INFO :Signing Successful !!!
App   :INFO :Raw signature (Len=32)
      6A 75 8F F2    8D 79 00 66    CE C9 81 08    07 CA DD 3F 
      B0 88 78 86    06 F0 F6 0C    C0 22 35 08    3F FB 25 1E 
App   :INFO :ECDAAsign f) Verify the ECDAA signature
App   :INFO :Point R Is On G1 and Not Infinity
App   :INFO :Point S Is On G1 and Not Infinity
App   :INFO :Point T Is On G1 and Not Infinity
App   :INFO :Point W Is On G1 and Not Infinity
App   :INFO :S^s (Len=65)
      04 15 7B 45    DE 81 DF 7E    25 8A A0 45    4E 64 B2 5F 
      A9 21 13 14    0C EA FD E7    6D 11 46 5B    F9 34 71 27 
      F7 92 62 08    3D 33 05 DE    FE 9E 88 D4    05 32 CD 40 
      E9 9E B4 F9    6E 2F 05 B7    C4 5B 65 D1    54 23 56 D2 
      34 
App   :INFO :W^c (Len=65)
      04 71 5C 19    4D 97 0E E0    CF 8C BD E9    8C FD E5 B7 
      4C 3A A5 A0    48 A7 C1 67    C6 BA F4 6C    BC DF 87 B1 
      40 50 3A F9    C8 50 7A 38    15 75 4F 13    34 9A AB 9B 
      71 CE 0A 3A    44 3D 25 00    3D 23 B2 6D    A0 AD 20 FB 
      68 
App   :INFO :U_verify=S^s-W^c (Len=65)
      04 9B 3E CB    E6 9D 2C 74    9C 12 B8 AA    78 0E 1C F3 
      CD 19 C2 43    EF 31 43 8E    99 C6 C0 29    E8 95 2A 11 
      09 5E 9A A8    B6 C9 8B 49    70 24 B8 5E    35 D8 50 E0 
      BE E2 63 FC    EC 77 22 95    19 CD D4 47    B4 22 54 28 
      FC 
App   :INFO :c_2_verify = H(U_verify|S|W|AppID|H(KRD)) (Len=32)
      45 FF 09 54    38 74 89 51    A4 90 53 C3    0B 39 E7 7F 
      54 29 95 2C    DC E2 9A BC    FD 9A E4 6B    83 B6 C3 EA 
App   :INFO :c_verify = H(n|c_2_verify) (Len=32)
      24 99 8F C2    81 7D 7C 16    C5 EF 3E AB    4D E2 55 81 
      03 1B 58 CD    E6 03 F5 52    2E 7B 2E 99    0D AF 06 68 
App   :INFO :c (Len=32)
      24 99 8F C2    81 7D 7C 16    C5 EF 3E AB    4D E2 55 81 
      03 1B 58 CD    E6 03 F5 52    2E 7B 2E 99    0D AF 06 68 
App   :INFO :se05x_FIDO_ECDAA Example Success !!!...
App   :INFO :ex_sss Finished