ESP32 use encrypted private key for AWS IOT certificate

mitipi
Posts: 3
Joined: Mon Jul 17, 2017 9:43 am

ESP32 use encrypted private key for AWS IOT certificate

Postby mitipi » Mon Jul 17, 2017 10:16 am

Hello,

I'm trying to understand if it's possible to use ESP32 for a secured Just-in-time registration with AWS IOT without adding extra chip such as ATECC508A (see attached).

ATECC508A can generate random private key, and Microchip (the manufacturer) can use this key to generate provisional AWS device certs signed by own CA, then ship the chips to us. However, ESP32 already has secured boot & flash encryption, it said will generate random private signing key, however, this key is non-readable from the software. So questions are:
- is it possible to use this generated private signing key (in flash encryption) to generate an AWS certificate (signed by our own CA certs)?
- are there ways to generate provisional certificate with a hardware generated private key in ESP32?
- how would you then generate different private keys per device and securely store them?

Many thanks for the help.
Attachments
02_ATECC508A.pdf
(1.06 MiB) Downloaded 542 times

WiFive
Posts: 3529
Joined: Tue Dec 01, 2015 7:35 am

Re: ESP32 use encrypted private key for AWS IOT certificate

Postby WiFive » Mon Jul 17, 2017 9:43 pm

No you don't want to read or reuse the flash encryption keys. Once flash encryption and secure boot are on, flash storage will be secure. So in your secure manufacturing environment you want to use the aws CLI or your own CA cert to generate the keys and cert and flash them to the device in a flash partition with encryption flag as part of the programming process (before secure boot and encryption are activated).

mitipi
Posts: 3
Joined: Mon Jul 17, 2017 9:43 am

Re: ESP32 use encrypted private key for AWS IOT certificate

Postby mitipi » Tue Jul 18, 2017 10:05 am

Many thanks @WiFive, this helped much to clarify my confusion.

So will we send our CA signing certificate to the manufacturer and they can create provisional device certs in their secured environment? In this case, if the CA Signing Certificate is compromised, can anyone then create a new device?

In the Just-in-time Registration on AWS IOT, they said "If you are a manufacturer, you have purchased CA certificates from vendors like Symantec or Verisign or you have your own CA". It is very expensive to buy CA from vendors, are there drawbacks to use our own CA?

Who is online

Users browsing this forum: No registered users and 73 guests