ECC204 TFLXAUTH SECURE PROVISIONING PROCESS

Microchip offers Secure Provisioning Services for its security solutions before shipment. To leverage this service, secure exchange process is required between customers and Microchip Hardware Secure Modules (HSM). The process starts with requesting a unique custom Part Number, a manufacturing ID (MAN-ID), and the HSM encryption keys (unique per project) through the Microchip Technical Support Portal. Refer to the Secure Provisioning Guide for detailed steps of the secure sub-system configuration and secure exchange process.

Select Use Cases :

ECC204 TFLXAUTH XML Generator

Device Configuration
Device Address: (7 Bit Hex Value)
Device interface:
Enable IO Levels to fixed reference:
Enable RNG Health Test Auto Clear:
Enable Compliance Mode:

Serial Number
SN[0:1]
SN[8]

Monotonic Counter Configuration
Allowed counts:
Limited Key Use:
IMPORTANT NOTE: The above User settings cannot be changed once its written and locked by this configurator.
So, it is recommended to set higher counts for Monotonic Counter and correct Limited Key Use setting.

Data Slots

Click on individual slots for more info.

Slot Number Slot Use-case Description Slot Property
Slot 0 Primary private key Primary authentication key Permanent, Ext Sign, ECDSA Elliptic Curve Digital Signature
Slot Description:
It's permanent to support a "factory reset" option where the original credentials are always available. It also prevents Denial-Of-Service attacks where the key is changed, either intentionally or by accident.

Provisioning:
Private key is generated and locked, no further modifications can be made to the slot.

Slot 1 Device and Signer compressed certificate Certificate primary public key in the Crypto Authentication compressed format Clear read, Always write
Slot Description:
Device and Signer compressed certificates are stored in this slot. This slot is written with certificate signed by Microchip signers and root.

It's permanent to support a "factory reset" option where the original credentials are always available. It also prevents Denial-Of-Service attacks where the cert is changed, either intentionally or by accident.

Provisioning:
The slot is provisioned by Microchip based on Customer Root CA and Microchip signers. Customer will be allowed to define some of the certificate elements like name and data.



Custom certificates are currently supported only for prototype provisioning and not for generating provisioning package.

Notes on Custom Device and Signer Certificates
  1. Due to the way the certificates are stored/retrieved from the NextGen-ECC device, using Custom certificates will require some knowledge on compressed certificates and certificate templates.
  2. The issue date only has a resolution of hours. Minutes and seconds are assumed to be zero. Refer to Compressed Certificate Definition for further details on the compressed certificates.
  3. The custom definition files (.c, .h) being generated assumes the size of Organization and Common Names matches with MCHP standard certificates.
  4. The Distinguished Names, both for the Issuer and for the Subject in all certificates must be comprised of an Organization Name and a Common Name entry, in that order.
  5. The Organization Name entered here gets padded and spaces replaced with '_' to match with MCHP standard certificates sizes.
  6. It is recommended to use default CommonName i.e. device serial prefixed with sn. If this needs to be different, its size would be matched to MCHP standard certificates with spaces replaced by '_'
  7. For the Device certificate Basic Constraints come before the Key Usage, following is the order of extensions:
    1. Basic Constraints: critical, CA:FALSE
    2. Key Usage: critical Digital Signature, Key Agreement
    3. Subject Key Identifier
    4. Authority Key Identifier
  8. The Subject Common Name in the Signer certificate resp. the Issuer Common Name in the Device certificate gets padded and spaces replaced with '_' to match MCHP standard certificates sizes.
  9. The Signer certificates must contain exactly the following extensions in exactly the same order:
    1. Key Usage, critical: Digital Signature, Certificate Sign, CRL Sign
    2. Basic Constraints, critical: CA: TRUE, PATHLEN: 0
    3. Subject Key Identifier
    4. Authority Key Identifier
Populate below to customize device and signer certificate fields:

 







Disable slot write:

Slot 2 General data General public data storage (64 bytes) Clear read, Always write, Lockable
Slot Description:
This slot is used for public data storage, data can be written/read in clear text(Not encrypted). This slot should not be used for storing secrets.

Provisioning:
The data entered in the below step will be stored into the device slot during provisioning.

Provisioning data input method:



Disable slot write:

Slot 3 Secret key Storage for a secret key No read, Always write, Lockable, AES key
Slot Description:
This slot provides a storage location for a symmetric key to use with the NextGen-ECC's symmetric key commands. The primary use case is to support symmetric authentication for Accessory / Disposable authentication. If the Configuration Zone is set as locked at provisioning, Slot cannot be updated. If the slot in the Data Zone is set as unlocked, then Slot can be updated. If the slot in the DataZone is set as locked, you will need to encrypt the updated key and execute a NONCE command

Provisioning:
The data entered in the below step will be stored in the device slot during provisioning.

Provisioning data input method:



Key Diversification Function:
Disable slot write:

Custom root (or intermediate CA) Information





Custom root (or intermediate CA) public key is needed to verify the full certificate chain (device-signer-root) during production.
Choose provisioning data input method(Provide public key):




Part Number details
Provide the Part Number received from MCHP in the support system. For prototyping, one can leave these blank.



Prototyping

PROTOTYPE package is meant only for understanding and prototyping. It should NOT be shared as secrets are available in plain text. Alternatively, you may use dummy secrets.
Click here to provision the ECC204-TFLXAUTH-PROTO with the data/information provided in the above slots.

Production

Production package must be used to generate the Secure Provisioning Package to be sent to Microchip Provisioning Service (through Microchip Technical Support Portal). You will be prompted to add the HSM encryption keys when starting the generation process.
Both "Generate Provisioning Package" buttons compile all the data provided in the above slots into a zip package containing .ENC.xml/.xml, files.
  1. '.xml' file contains device configuration and user data to be loaded into the ECC204-TFLXAUTH slots. In the prototyping package, all user data are in unencrypted plain text whereas in the production package, user data are encrypted.

MICROCHIP

This text will be replaced