Why signer validity of ESP crypto auth utility is so short ?

joel69100
Posts: 8
Joined: Sun Jun 07, 2020 1:21 pm

Why signer validity of ESP crypto auth utility is so short ?

Postby joel69100 » Sun Oct 01, 2023 10:08 pm

Hello,

I'm trying to understand the full process to perform provisioning of an ATECC608B. I particularly checked at https://github.com/espressif/esp-crypto ... /README.md and this looks really simple.

I wonder about one thing there: why should the signer certificate validity be 365 days only? Is it a good practice only or is there a technical reason? What happens / what is the risk if the signer certificate has a longer validity, let's say 10 years for example?

Thanks
Joel

joel69100
Posts: 8
Joined: Sun Jun 07, 2020 1:21 pm

Re: Why signer validity of ESP crypto auth utility is so short ?

Postby joel69100 » Wed Oct 04, 2023 6:23 am

Hello again,

Just to develop a bit this question: the topic behind this is that my devices will expose their public key to a server to perform authentication. Server should be able to validate the authenticity of the device. I would like to achieve verification of the public key using the signer (I don't know how I can technically do that for the moment !)

If the signer validity period is 1 year, that means probably I will not be able to validate this after the expiry period ? And additionally, if adding some devices later, I will need a new signer, so the server should be able to validate devices with several signers.

Not sure if what I'm saying here is correct to be honest !

Joel

MicroController
Posts: 1750
Joined: Mon Oct 17, 2022 7:38 pm
Location: Europe, Germany

Re: Why signer validity of ESP crypto auth utility is so short ?

Postby MicroController » Wed Oct 04, 2023 11:13 am

joel69100 wrote:
Wed Oct 04, 2023 6:23 am
> If the signer validity period is 1 year, that means probably I will not be able to validate this after the expiry period ?

The signer certificate must be valid at the time the signature is created; validation of the signature should be possible forever irrespective of the expiration date of the signer's certificate.

> if adding some devices later, I will need a new signer, so the server should be able to validate devices with several signers.

Yes, that will be the case.

The reason for limiting certificates' validity is usually for security reasons, kind-of enforcing key renewal policies.
Depending on your expected threat level, it is probably perfectly fine to use a long-term certificate for key signing in your case.

joel69100
Posts: 8
Joined: Sun Jun 07, 2020 1:21 pm

Re: Why signer validity of ESP crypto auth utility is so short ?

Postby joel69100 » Wed Oct 04, 2023 8:11 pm

Thanks, this confirms my understanding that the signer is temporarily used. I start to have a better understanding of the global process.

On the other hand I have used the esp crypto auth utility successfully, very simple to use.

One detail maybe you know: I have not found the sources of the utility running on the esp32. Only binaries are provided. Does anyone know where to find this?

Joel

joel69100
Posts: 8
Joined: Sun Jun 07, 2020 1:21 pm

Re: Why signer validity of ESP crypto auth utility is so short ?

Postby joel69100 » Wed Oct 04, 2023 8:14 pm

Answering my question at the same time I'm writing, the source code of the esp32 firmware utility is on the same repo, on a separate branch :lol:

ESP_flying_raijin
Posts: 25
Joined: Tue Aug 13, 2019 2:03 pm

Re: Why signer validity of ESP crypto auth utility is so short ?

Postby ESP_flying_raijin » Mon Oct 09, 2023 3:04 am

Hi Joel,
I see a couple of questions answered already, I will add my thoughts on them as well.
> I wonder about one thing there: why should the signer certificate validity be 365 days only? Is it a good practice only or is there a technical reason? What happens / what is the risk if the signer certificate has a longer validity, let's say 10 years for example?

That is a sample signer certificate just for showcasing the usability. Typically the signer certificate should be valid for the lifetime of the product. It means that the device should not have to change its device certificate till its lifetime. This also follows that the device cert private key and Signer cert private key are not leaked in the meantime. In that case it is okay to have signer validity for 10 years. (Or even more than that)

If you change the signer certificate after 1 year to reduce vulnerability then you also need to update the device certificate for each device which might already be in the field. It's a tricky job to do that. So generally this is not done. If your product has very stringent security requirements then maybe this option should be considered.

> If the signer validity period is 1 year, that means probably I will not be able to validate this after the expiry period ? And additionally, if adding some devices later, I will need a new signer, so the server should be able to validate devices with several signers.

Extending the signer validity as explained above should fix this. Alternatively, registering multiple signer certificates is supported on most of the cloud servers so it should not be a problem.
> Just to develop a bit this question: the topic behind this is that my devices will expose their public key to a server to perform authentication. Server should be able to validate the authenticity of the device. I would like to achieve verification of the public key using the signer (I don't know how I can technically do that for the moment !)

So in this case what happens is that you form a chain of trust with the signer being at the top of the hierarchy.
First you register the signer certificate with cloud services such as AWS. Then you shall use that signer to sign the device certificate.

When the device shall connect with the server it shall send its device certificate and signer certificate to the server. The server shall verify that the device certificate is indeed signed using the signer certificate and ask device cert to prove ownership of the device private key. Once that is done the server will trust the device and perform further communication.

I hope I have added enough details.
Please let me know if you would like me to elaborate on any point.
Thanks,
Aditya
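
The server-side check described in the last reply above (device certificate signed by a registered signer, then proof of possession of the device private key), as an added example that is not part of the thread and is not code from the ESP crypto auth utility or any cloud service. It assumes ECDSA P-256 keys and the Python `cryptography` package; `make_cert`, `window` and `verify_device` are hypothetical names, the certificates are constructed test data, and the signer's expiry is only reported so the caller can apply its own policy.

```python
import datetime as dt
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

def make_cert(cn, key, issuer_cn, issuer_key, start, days):
    """Build a constructed test certificate (stand-in for provisioning output)."""
    name = lambda c: x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, c)])
    return (x509.CertificateBuilder().subject_name(name(cn)).issuer_name(name(issuer_cn))
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(start).not_valid_after(start + dt.timedelta(days=days))
            .sign(issuer_key, hashes.SHA256()))

def window(cert):
    """Validity window as naive UTC datetimes, on old and new cryptography releases."""
    if hasattr(cert, "not_valid_after_utc"):  # timezone-aware properties, newer releases
        return tuple(t.replace(tzinfo=None)
                     for t in (cert.not_valid_before_utc, cert.not_valid_after_utc))
    return cert.not_valid_before, cert.not_valid_after

def verify_device(device_cert, registered_signers, nonce, nonce_sig, now):
    """Server side: match a registered signer, then check validity and key possession."""
    result = {"trusted": False, "signer": None, "signer_expired": None}
    for signer in registered_signers:  # several signers may be registered
        if signer.subject != device_cert.issuer:
            continue
        try:  # was the device certificate signed with this signer's private key?
            signer.public_key().verify(device_cert.signature,
                                       device_cert.tbs_certificate_bytes,
                                       ec.ECDSA(device_cert.signature_hash_algorithm))
        except InvalidSignature:
            continue
        result["signer"] = signer.subject.rfc4514_string()
        result["signer_expired"] = now > window(signer)[1]  # reported; policy is the caller's
        break
    else:
        return result  # no registered signer vouches for this certificate
    not_before, not_after = window(device_cert)
    if not (not_before <= now <= not_after):
        return result
    try:  # proof of possession: the nonce must be signed by the device private key
        device_cert.public_key().verify(nonce_sig, nonce, ec.ECDSA(hashes.SHA256()))
    except InvalidSignature:
        return result
    result["trusted"] = True
    return result
```

To try it, generate keys with `ec.generate_private_key(ec.SECP256R1())`, build a self-signed signer and a device certificate with `make_cert`, and have the device key sign a random server nonce before calling `verify_device`.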
