5.7.31. FIDO ECDAA Example¶
This project demonstrates FIDO ECDAA algorithm which is defined in https://fidoalliance.org/specs/fido-v2.0-id-20180227/fido-ecdaa-algorithm-v2.0-id-20180227.html.
Refer - simw-top/demos/se05x/se05x_FIDO_ECDAA/se05x_FIDO_ECDAA.c
SE05x, in this project, is used for:
Random number generateion
Key management
ECDAA sign
Scalar multiplication of a (elliptic) curve point
5.7.31.1. Building the Demo¶
Build Plug & Trust middleware stack. (Refer Building / Compiling)
Project:
se05x_FIDO_ECDAA
5.7.31.2. Running the Example¶
If you have built a binary, flash the binary on to the board and reset the board.
If you have built an exe to be run from Windows using VCOM, run as:
se05x_FIDO_ECDAA.exe <PORT NAME>
Where <PORT NAME> is the VCOM COM port.
On Raspberry-Pi or iMX board, run as:
./se05x_FIDO_ECDAA
5.7.31.3. Console output¶
If everything is successful, the output will be similar to:
App :INFO :Running FIDO Example se05x_FIDO_ECDAA.c
App :INFO :EcdaaJoin 1) Get B from Issuer
App :INFO :EcdaaJoin 1.1) The ECDAA Issuer chooses a nonce BigInteger m
App :INFO :m (Len=32)
ED AD 8C AB 6A CD A6 0D B8 B9 E6 AC 89 57 3A 57
02 4D 29 7B 2A 6A EE 59 15 8A 6F 6E AB 5F 35 23
App :INFO :EcdaaJoin 1.2) The ECDAA Issuer computes the B value of the credential as B=HG1(m) and send (sc,yc)=HG1_pre(m) to the authenticator
App :INFO :B (Len=65)
04 F7 72 DF 94 09 AC 26 43 EC 10 6D 08 5E 95 A9
F8 F4 23 99 6E 1D EB 03 2E A8 C7 13 4A 0D 54 86
7C 5C D2 95 60 7B BA 30 88 99 2C 47 29 E5 F2 CD
D4 A2 1B 82 6D 20 17 A6 E8 45 19 BC DC 06 BF 59
E3
App :INFO :sc index 0x00000000
App :INFO :EcdaaJoin 2) The authenticator generate secret key (sk) on SE, as a key pair on the BN curve (we only need the private key part).
App :INFO :EcdaaJoin 3) The authenticator re-calculates B from the data received from backed (and stores on SE). Re-calculated from sc and yc as described in FIDO spec.
App :INFO :Authenticator B (Len=65)
04 F7 72 DF 94 09 AC 26 43 EC 10 6D 08 5E 95 A9
F8 F4 23 99 6E 1D EB 03 2E A8 C7 13 4A 0D 54 86
7C 5C D2 95 60 7B BA 30 88 99 2C 47 29 E5 F2 CD
D4 A2 1B 82 6D 20 17 A6 E8 45 19 BC DC 06 BF 59
E3
sss :INFO :Public key should be paased without header
App :INFO :EcdaaJoin 4) The authenticator calculation of Q=ECPointMultiply(sk, B), the ECDAA public key (and attested readback)
sss :INFO :Public key should be paased without header
App :INFO :Read Q attested.This is required for FIDO remote provisioning usecase, as opposed to in factory provisioningThe attestation signature over Q would be used as proof that the sk is indeed on the SE.As FIDO specifies no anonymity is required in this one tim
sss :WARN :Returned is not in DER Format
App :INFO :Q=B^sk (Len=65)
04 83 77 C3 5B 49 03 8F 72 0A 60 D9 88 76 99 CE
A3 7A FC 9C 72 89 17 64 80 89 6F 11 20 67 A0 DE
15 2A 38 D2 9F 89 C8 BA 2C 27 DA 9A C2 F3 0A 9A
75 3B 59 CF D2 AC 41 29 12 BA B4 62 7B F2 9D 22
9B
App :INFO :EcdaaJoin 5) The authenticator generate random (r) on SE, as a private key on the BN curve.
App :INFO :EcdaaJoin 6) The authenticator calculation of U1 = ECPointMultiply(r, B) on SE
sss :INFO :Public key should be paased without header
sss :WARN :Returned is not in DER Format
App :INFO :U1=B^r1 (Len=65)
04 B0 F0 A3 72 B1 AE 4F DE 08 72 B9 4C E6 CE C5
5A 5F 30 0B 72 AE 5E FC 30 2C DB BA 25 C2 76 BD
6F 69 85 6B 86 E5 E5 3E B4 51 01 11 C3 ED F3 6D
17 9E 8A 42 9C 11 D8 A0 5B 1A D9 72 1D AF 8D 3A
D4
App :INFO :EcdaaJoin 7) The authenticator calculation of the Hash (c_1) on the Host
App :INFO :c_2=H(U1|P1|Q|m) (Len=32)
4E 91 CE 70 FD A8 ED 6D CD D3 B0 AA EA CA CE E9
81 6C 3B 4F 56 7C C6 46 AA 89 37 BA 4D 3E B1 8D
App :INFO :n (Len=32)
F6 FD DE A7 53 AC EC 59 19 76 08 11 CE 62 7B 86
0B 7D FF 78 E8 C0 C1 D1 84 FA 00 48 6D C0 81 D1
App :INFO :c_1 = H(n|c_2) (Len=32)
7B CE 04 0F 1A BA 03 6A 74 CD 12 67 20 3A C0 24
82 D5 21 EA B7 73 5E C0 04 12 E1 17 2F 62 CF 89
App :INFO :EcdaaJoin 8) The authenticator calculation of the ECDAA signature s1 on the SE and send Q, c1, s1, n to Issuer.
App :INFO :Do Signing
App :INFO :digest (Len=32)
7B CE 04 0F 1A BA 03 6A 74 CD 12 67 20 3A C0 24
82 D5 21 EA B7 73 5E C0 04 12 E1 17 2F 62 CF 89
App :INFO :signature (Len=36)
30 22 02 20 5B 2B 35 08 0F 6B E7 CD C1 F7 7F 12
98 90 C5 3E C8 13 88 38 E9 CF 38 D1 D7 A0 3B 4D
FE 19 A8 CA
App :INFO :Signing Successful !!!
App :INFO :EcdaaJoin 9.1) Verify on the ECDAA Issuer Backend.
App :INFO :B^s_1 (Len=65)
04 33 16 03 9D 3B 2C AE B8 23 F9 C5 EC A2 B0 19
93 78 DC 3E 58 34 32 87 42 4C EC D0 27 73 13 17
D4 67 25 A8 1B 68 45 4E E6 AC D4 DC A6 B9 A0 D8
6A 20 4C BC 72 03 80 35 B2 74 4D C2 3F 59 8F 51
73
App :INFO :Q^c1 (Len=65)
04 A5 5D D7 78 BD B6 AB E1 19 5F 73 2B 7E 9A BF
AB 88 B3 89 37 D5 9A B7 1B 4B AB 13 30 9F BE B7
17 B2 51 E6 01 CA DF FE 4C B5 60 AC 4B AB DE 94
19 83 A5 75 E8 3B 73 10 E2 17 95 1B 3A 46 96 95
B1
App :INFO :U_verify=B^s1-Q^c1 (Len=65)
04 A5 5D D7 78 BD B6 AB E1 19 5F 73 2B 7E 9A BF
AB 88 B3 89 37 D5 9A B7 1B 4B AB 13 30 9F BE B7
17 B2 51 E6 01 CA DF FE 4C B5 60 AC 4B AB DE 94
19 83 A5 75 E8 3B 73 10 E2 17 95 1B 3A 46 96 95
B1
App :INFO :c_2_verify = H(U_verify|P1|Q|m) (Len=32)
4E 91 CE 70 FD A8 ED 6D CD D3 B0 AA EA CA CE E9
81 6C 3B 4F 56 7C C6 46 AA 89 37 BA 4D 3E B1 8D
App :INFO :c_1_verify = H(n|c_2_verify) (Len=32)
7B CE 04 0F 1A BA 03 6A 74 CD 12 67 20 3A C0 24
82 D5 21 EA B7 73 5E C0 04 12 E1 17 2F 62 CF 89
App :INFO :c_1 (Len=32)
7B CE 04 0F 1A BA 03 6A 74 CD 12 67 20 3A C0 24
82 D5 21 EA B7 73 5E C0 04 12 E1 17 2F 62 CF 89
App :INFO :Verified. H(n|c_2_verify) == c_1
App :INFO :EcdaaJoin 9.2) The ECDAA Issuer create a credential for the SE.
App :INFO :isk.x (Len=32)
61 60 54 A4 DC 84 6B 12 BE A3 EF 4E 88 F9 96 BB
3E A7 82 F7 61 1F 91 5D 24 A1 DA A6 6B 63 EA DA
App :INFO :isk.y (Len=32)
07 32 A9 AA 21 9F 67 02 80 33 76 FD BE 3C 54 30
22 9E AC ED 83 0E 7A 77 73 59 8C 50 1B 48 6D 17
App :INFO :C = (A + Q)^x
App :INFO :D = Q
App :INFO :EcdaaJoin 9.3) The ECDAA Issuer sends A, CA,C to the authenticator. The authenticator still knows BB and DD
App :INFO :EcdaaJoin 10) The authenticator store the credential on the SE (in real use case these are injected via a confidentiality protected mechanism)
App :INFO :A = B^(1/y) (Len=65)
04 05 BA FD 6F 93 08 F1 37 57 BF 1E 20 1E 67 D8
69 B3 CF D4 21 B5 42 A0 44 EE A4 B1 A4 0A 42 D4
28 50 A2 95 1B CA F2 D5 6E 47 AF E4 6B BD C6 5E
2E 9A 4B 1E 93 B2 7C EB F3 3C AD 49 1A 01 78 C2
B6
App :INFO :C = (A + Q)^x (Len=65)
04 3D 4C 15 47 94 18 66 F4 E7 CE 4D DD 1F B3 EC
9C C9 07 0B 9B EF 81 77 3B C5 EA F9 5B F7 F4 53
F7 18 C0 50 05 E6 27 DB 8D 08 76 34 86 72 A4 9C
A5 9E 16 29 29 9F 17 F1 2A 38 5F FC 06 9B 14 BC
CB
App :INFO :D = Q (Len=65)
04 83 77 C3 5B 49 03 8F 72 0A 60 D9 88 76 99 CE
A3 7A FC 9C 72 89 17 64 80 89 6F 11 20 67 A0 DE
15 2A 38 D2 9F 89 C8 BA 2C 27 DA 9A C2 F3 0A 9A
75 3B 59 CF D2 AC 41 29 12 BA B4 62 7B F2 9D 22
9B
sss :INFO :Public key should be paased without header
sss :INFO :Public key should be paased without header
sss :INFO :Public key should be paased without header
App :INFO :EcdaaJoin operation completed!The SE and Backend established trust, from now on the SE can generate anonymous sigantures which the Backend can verify.
App :INFO :ECDAAsign PRE) Generate KRD
App :INFO :KRD (Len=100)
ED 39 04 4D 8D C1 0F F4 5C 64 73 EF 57 BD 00 9D
13 93 28 F2 AA 67 8E 40 C9 A0 75 A9 E3 3A 77 45
21 16 2C 74 AD F5 44 1B 2A 92 26 3A 74 E9 B4 E2
58 93 85 8E 15 AC 6C 4B C7 B5 23 0B E6 B5 43 93
C4 BC 3D CC 92 BD 3D F5 F3 00 2A 88 5D C5 CC 4E
8D F1 2D BF C8 59 C9 D3 81 8E 48 8B AD 87 72 FE
8C EA 0F F7
sss :INFO :Public key should be paased without header
App :INFO :ECDAAsign Note: From here on the complete operation must be repeatable without NV writes.
App :INFO :ECDAAsign a) regenerate random l
App :INFO :l (Len=32)
C8 26 98 6F 2D 8B 04 80 34 09 D9 BF 49 52 5C C2
A6 F4 54 D5 38 48 B1 C7 45 CB AB DD 06 71 34 58
sss :INFO :Private key should be passed without header
App :INFO :R = ECPointMultiply(l, A)
App :INFO :S = ECPointMultiply(l, B)
sss :WARN :Returned is not in DER Format
App :INFO :T = ECPointMultiply(l, C)
App :INFO :W = ECPointMultiply(l, D)
App :INFO :ECDAAsign b) Random (r) was already regenerated during the last sign operation.
App :INFO :ECDAAsign c) Calculation of U on SE
App :INFO :U = ECPointMultiply(r, S)
App :INFO :ECDAAsign d) Calculation of the Hash (c) on the Host
App :INFO :H(KRD) = H(KRD) (Len=32)
9C D6 3B 62 0B DC B4 23 CA 5D 8B 6C 80 D1 CE AC
CA E0 F6 4A E4 B3 E4 EF 6F 28 86 93 71 B8 F8 BD
App :INFO :AppID https://www.nxp.com/se050
App :INFO :c2 = H(U|S|W|AppID|H(KRD)) (Len=32)
45 FF 09 54 38 74 89 51 A4 90 53 C3 0B 39 E7 7F
54 29 95 2C DC E2 9A BC FD 9A E4 6B 83 B6 C3 EA
App :INFO :n (Len=32)
40 F0 56 51 8A 4B AE FA D4 D2 3D 1C F6 55 9A 48
F6 06 B1 E2 62 45 D7 2F D7 3D 78 77 4E 57 B2 60
App :INFO :c = H(n|c_2) (Len=32)
24 99 8F C2 81 7D 7C 16 C5 EF 3E AB 4D E2 55 81
03 1B 58 CD E6 03 F5 52 2E 7B 2E 99 0D AF 06 68
App :INFO :ECDAAsign e) Calculation of the ECDAA signature on the SE
App :INFO :Do Signing
App :INFO :digest (Len=32)
24 99 8F C2 81 7D 7C 16 C5 EF 3E AB 4D E2 55 81
03 1B 58 CD E6 03 F5 52 2E 7B 2E 99 0D AF 06 68
App :INFO :signature (Len=36)
30 22 02 20 6A 75 8F F2 8D 79 00 66 CE C9 81 08
07 CA DD 3F B0 88 78 86 06 F0 F6 0C C0 22 35 08
3F FB 25 1E
App :INFO :Signing Successful !!!
App :INFO :Raw signature (Len=32)
6A 75 8F F2 8D 79 00 66 CE C9 81 08 07 CA DD 3F
B0 88 78 86 06 F0 F6 0C C0 22 35 08 3F FB 25 1E
App :INFO :ECDAAsign f) Verify the ECDAA signature
App :INFO :Point R Is On G1 and Not Infinity
App :INFO :Point S Is On G1 and Not Infinity
App :INFO :Point T Is On G1 and Not Infinity
App :INFO :Point W Is On G1 and Not Infinity
App :INFO :S^s (Len=65)
04 15 7B 45 DE 81 DF 7E 25 8A A0 45 4E 64 B2 5F
A9 21 13 14 0C EA FD E7 6D 11 46 5B F9 34 71 27
F7 92 62 08 3D 33 05 DE FE 9E 88 D4 05 32 CD 40
E9 9E B4 F9 6E 2F 05 B7 C4 5B 65 D1 54 23 56 D2
34
App :INFO :W^c (Len=65)
04 71 5C 19 4D 97 0E E0 CF 8C BD E9 8C FD E5 B7
4C 3A A5 A0 48 A7 C1 67 C6 BA F4 6C BC DF 87 B1
40 50 3A F9 C8 50 7A 38 15 75 4F 13 34 9A AB 9B
71 CE 0A 3A 44 3D 25 00 3D 23 B2 6D A0 AD 20 FB
68
App :INFO :U_verify=S^s-W^c (Len=65)
04 9B 3E CB E6 9D 2C 74 9C 12 B8 AA 78 0E 1C F3
CD 19 C2 43 EF 31 43 8E 99 C6 C0 29 E8 95 2A 11
09 5E 9A A8 B6 C9 8B 49 70 24 B8 5E 35 D8 50 E0
BE E2 63 FC EC 77 22 95 19 CD D4 47 B4 22 54 28
FC
App :INFO :c_2_verify = H(U_verify|S|W|AppID|H(KRD)) (Len=32)
45 FF 09 54 38 74 89 51 A4 90 53 C3 0B 39 E7 7F
54 29 95 2C DC E2 9A BC FD 9A E4 6B 83 B6 C3 EA
App :INFO :c_verify = H(n|c_2_verify) (Len=32)
24 99 8F C2 81 7D 7C 16 C5 EF 3E AB 4D E2 55 81
03 1B 58 CD E6 03 F5 52 2E 7B 2E 99 0D AF 06 68
App :INFO :c (Len=32)
24 99 8F C2 81 7D 7C 16 C5 EF 3E AB 4D E2 55 81
03 1B 58 CD E6 03 F5 52 2E 7B 2E 99 0D AF 06 68
App :INFO :se05x_FIDO_ECDAA Example Success !!!...
App :INFO :ex_sss Finished