ESP32 Forum

ESP32 Official Forum
http://forum.esp32.com/

Benefits of external crypto IC (e.g. ATECC508A) vs flash encryption

http://forum.esp32.com/viewtopic.php?f=12&t=3334

Page 1 of 1

Benefits of external crypto IC (e.g. ATECC508A) vs flash encryption

Posted: Sat Oct 14, 2017 12:43 am
by p-rimes
This is perhaps a naive question or my information is incorrect, but I would like some opinions on the matter.

Suppose that flash encryption is eventually supported for the NVS partitions, is that a safe place to store our private keys?

What would be the advantages of using an external crypto IC (e.g. Microchip ATECC508A) in this case? Some I can think of:
  • Dedicated ECC processing offload, since ESP32 does not have ECC H/W accelerated?
  • Stronger security in the case of remote code execution? (since the private key cannot be read from the crypto chip into RAM, only crypto operations are allowed)
  • Maybe easier for manufacturing, to get the crypto ICs pre-programmed?
Or, does ESP32 flash encryption obsolete the need for a separate IC (and using one would be overkill)?

Re: Benefits of external crypto IC (e.g. ATECC508A) vs flash encryption

Posted: Tue May 01, 2018 6:07 pm
by vateriim
Did you found your answers @p-rimes?
I am curious about the ESP32 making cryptochips obsolete too.

Re: Benefits of external crypto IC (e.g. ATECC508A) vs flash encryption

Posted: Wed May 02, 2018 12:10 am
by ESP_Angus
Hi p-primes,
p-rimes wrote:
  • Dedicated ECC processing offload, since ESP32 does not have ECC H/W accelerated?
  • Stronger security in the case of remote code execution? (since the private key cannot be read from the crypto chip into RAM, only crypto operations are allowed)
  • Maybe easier for manufacturing, to get the crypto ICs pre-programmed?
Or, does ESP32 flash encryption obsolete the need for a separate IC (and using one would be overkill)?
The advantages you list are all valid ones. (One small note: ESP32 can accelerate most of the "big number" operations used in ECC, but it's likely not as fast as a dedicated HSM where the full operation is done in hardware).

It really depends on the threat/security model for your firmware:
  • If you're concerned about someone with physical access being able to easily dump your private key, both ESP32 flash encryption and an external ECC HSM chip offer protection against this.
  • If you're concerned about someone exploiting a remote code execution or information leak bug to read flash contents from the running firmware and obtain a private key, only the external HSM offers protection against this. (Of course, maybe an attacker will find a way to bypass the HSM's protection, but this is a higher bar especially without physical access.)
All times are UTC
Page 1 of 1
Powered by phpBB® Forum Software © phpBB Limited
https://www.phpbb.com/