-
Notifications
You must be signed in to change notification settings - Fork 58
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Experiencing an extended handshake duration on a SAMR21-xpro device. #224
Comments
From the datasheets of the SAMR21 I found, that it's a Cortex M0+ with 48MHz. Several seconds on a Cortex-M33 (without using the ECC HW accelerator, for now not supported) is also my experience. Depending on quite a lot of other topics, using special HW as a ATECC608 would help, but it's also for now not support.
Do you have some benchmark numbers? |
What types of benchmark numbers are you interested in? |
Pretty simple numbers.
Just some number as that. My point is, if it is really faster, e.g. 3s vs. 6s it may be worth. |
Example using ecc from tinydtls/ecc:
Similar example using micro-ecc:
I do agree that it would be better to focus on secure element integration. I am working on SAMR21-xpro for a POC, but my final board has an ATECC608A. |
That's quite fast. |
Did you already have a look at that alternative ECC implementation? |
Yes, definitely. micro-ecc has been evaluated for use with tinydtls a long time ago and also has been used with very good results in other projects as replacement. |
@obgm I'm interested in seeing the results. Is there a fork of projects that use micro-ecc? @boaks, do you plan to work on integrating support for a secure element like ATECC608? I'm working with RIOT OS on my project, and it would be great to integrate both: tinydtls with micro-ecc and tinydtls with ATECC608. With some help, I could do it? |
That will be welcome. Please read CONTRIBUTING. One point ahead, because I know, that quite a lot are "frustrated" by the "speed" the things get integrated into "main", it will be mainly in "develop" for the near future. If you have a look at the open PRs, it takes quite long until we are up to date with them.
I will do my best. I'm in vacation from 13.2. to 24.2., beside of that, feel free to open issues, or, if you prefer, send e-mails. I prefer issues, that will also help others with similar topics.
Unfortunately, I have too many plans ;-). |
Could you please check if PR #228 works for you? |
Thanks, I have made some reviews. Currently, I have started implementing a version that could support micro-ecc (and it seems to work), as well as a version that supports cryptoauthlib (to utilise a secure element such as ATECC608A). However, there are certain aspects that I still don't understand fully. One of them is the ECDH key exchange. I noticed that the pre_master_secret is calculated using the crypto API (micro_ecc or cryptoauthlib). But how is the extended master secret calculated? Why not call the crypto API to calculate a secret using the received one and our secret? |
Hello! I haven't added any documentation yet, but I can explain my point of view briefly: To avoid breaking anything, I have added environment variables like DTLS_MICRO_ECC or DTLS_ATECC608A to allow users to choose which crypto API they would like to use. Then, I have maintained the interface of the crypto API and simply added '#ifdef' to call either ecc, micro-ecc, or cryptoauthlib. Thanks in advance |
I will have a look at it next week when I'm back from vacation. |
I've started with PR #228 to work on this ECC performance improvement. Using zephyr-coaps-client - Cortex-M33/software with the proposed micro-ecc speeds up from 15s with the old ECC implementation to 1. 2s with micro-ecc. That verifies the results from above and is very impressive. I will compare the work in https://github.com/LizzieDE110/tinydtls/tree/micro-ecc with the one in PR #228, hopefully later this day. |
According https://github.com/LizzieDE110/tinydtls/tree/micro-ecc. The idea of micro-ecc: Using a "unsecure random function" opens an side channel attack, because the generated ephemeral key-pair may get reconstructed. Therefore it's recommended to set "uECC_set_rng" with an implementation using "dtls_prng". For example, see PR 288. cryptoauthlib:
I'm not common with the HSM for now. I will need to read the details in the docu. So, not sure, if this really applies: |
Thank you for the review. I will revise the micro-ecc version according to the feedback you provided in the review of PR 288. Regarding cryptoauthlib, to perform certain operations such as new key generation, ECDH operation, signature, and verification, the HSM must be configured correctly. In my configuration, cryptographic operations were functional using the 2nd slot (hence the #define). I refrained from making significant changes to the dtls.c file. Consequently, I didn't alter the function interface to accept slot key ID instead of a private key buffer. I'm uncertain about the best approach between setting the slot key ID at the beginning (using accessors and static variables) or modifying the library to use slot key ID. What would you suggest? |
I need to examine it. But to be frank: I don't have the time for now. I consumed all the time I'm able to spend in open source this month the last two days. So it will take a while ... |
Hello, I am currently working on a project to secure wireless UDP/IP communication between SAMR21-xpro devices using RIOT OS. After some research, I found that using DTLS (with ECDSA keys) was the best solution. Moreover, RIOT has examples that use tinyDTLS.
My problem is that, with SAMR21-xpro, the handshake is extremely long. From the logs and packet analysis, I feel like the problem lies in the key management (generation, signature, and verification). According to tinydtls/ecc/ecc.h, this implementation is supposed to be very efficient for 32-bit CPUs.
I made a quick example on RIOT that just generates a key pair and signs a hashed data. The generation takes ~6 seconds, and the signature also takes 6 seconds. I haven't tested verification, but I assume it also takes many seconds. I am quite confused because initially, when I was trying to run a sock-dtls example from RIOT, I found it would be better to generate a key pair to use, and to do so, I used the micro-ecc library. On SAMR21-xpro, key generation, signature, and verification take barely a second.
Is it normal that the key management is so long on a 32-bit CPU?
Also, I was wondering if it could be a good idea to replace the library used to manage ECC in tinyDTLS with micro-ecc? Or maybe add a patch that could let the user choose what they want to use?
Thanks in advance
The text was updated successfully, but these errors were encountered: