Benefits of external crypto IC (e.g. ATECC508A) vs flash encryption

p-rimes
Posts: 89
Joined: Thu Jun 08, 2017 6:20 pm

Benefits of external crypto IC (e.g. ATECC508A) vs flash encryption

Postby p-rimes » Sat Oct 14, 2017 12:43 am

This is perhaps a naive question or my information is incorrect, but I would like some opinions on the matter.

Suppose that flash encryption is eventually supported for the NVS partitions, is that a safe place to store our private keys?

What would be the advantages of using an external crypto IC (e.g. Microchip ATECC508A) in this case? Some I can think of:
  • Dedicated ECC processing offload, since ESP32 does not have ECC H/W accelerated?
  • Stronger security in the case of remote code execution? (since the private key cannot be read from the crypto chip into RAM, only crypto operations are allowed)
  • Maybe easier for manufacturing, to get the crypto ICs pre-programmed?
Or, does ESP32 flash encryption obsolete the need for a separate IC (and using one would be overkill)?

vateriim
Posts: 4
Joined: Thu Jan 25, 2018 6:11 pm

Re: Benefits of external crypto IC (e.g. ATECC508A) vs flash encryption

Postby vateriim » Tue May 01, 2018 6:07 pm

Did you find your answers @p-rimes?
I am curious about the ESP32 making cryptochips obsolete too.

ESP_Angus
Posts: 2344
Joined: Sun May 08, 2016 4:11 am

Re: Benefits of external crypto IC (e.g. ATECC508A) vs flash encryption

Postby ESP_Angus » Wed May 02, 2018 12:10 am

Hi p-rimes,
p-rimes wrote:
  • Dedicated ECC processing offload, since ESP32 does not have ECC H/W accelerated?
  • Stronger security in the case of remote code execution? (since the private key cannot be read from the crypto chip into RAM, only crypto operations are allowed)
  • Maybe easier for manufacturing, to get the crypto ICs pre-programmed?
Or, does ESP32 flash encryption obsolete the need for a separate IC (and using one would be overkill)?

The advantages you list are all valid ones. (One small note: ESP32 can accelerate most of the "big number" operations used in ECC, but it's likely not as fast as a dedicated HSM where the full operation is done in hardware).

It really depends on the threat/security model for your firmware:
  • If you're concerned about someone with physical access being able to easily dump your private key, both ESP32 flash encryption and an external ECC HSM chip offer protection against this.
  • If you're concerned about someone exploiting a remote code execution or information leak bug to read flash contents from the running firmware and obtain a private key, only the external HSM offers protection against this. (Of course, maybe an attacker will find a way to bypass the HSM's protection, but this is a higher bar especially without physical access.)
