Microchip’s (formerly Atmel’s) ATECC508A is a small IC with a cryptographic co-processor and secure, hardware-based key storage. It uses hardware acceleration to implement the ECDSA signature protocols, ECDH key agreement, and SHA-256 hashing. Each device has a unique 72-bit serial number, enough storage for up to 16 keys, 10Kb EEPROM, and a high-quality FIPS random number generator. Like all chips in the CryptoAuthentication family, system integration is easy due to the low pin count, low current consumption, and wide supply voltage range. The ATECC508A is well suited for many applications, including secure download and boot, message security, secure data storage, password checking, etc. However, the application of interest for this article is node authentication (and a bit of anti-counterfeiting) .
Node authentication occurs between two devices in a host-client configuration when the client’s identity must be verified before its connection to the host can be established. The term “node” in this context refers to the device being authenticated, i.e. the client. Common examples of nodes are end devices in IoT networks and device accessories such as batteries, printer cartridges, etc . The concept of node authentication goes hand in hand with anti-counterfeiting because counterfeit (and possibly malicious) clients will fail the node authentication procedure and not be allowed to connect to the host.
Microchip’s only example project for the ATECC508A is an excellent all-in-one node authentication demonstration utilizing one SAM D21 Xplained Pro Evaluation Kit and one CryptoAuth Xplained Pro Evaluation Kit. These kits are first used to simulate a typical provisioning process before being used as both the host and client in the node authentication procedure. The project firmware along with an accompanying application note  can be found on Microchip’s website here (login required). This application note provides a good overview of the example project as well as a summary of each authentication step. Unfortunately for those just starting out, Microchip assumes a certain level of proficiency in cryptography and public key infrastructure. Therefore, the purpose of this article is not to replace the application note, but rather to supplement it by reviewing any relevant cryptography basics and illustrating how they are used to implement this realistic example. Before reading on, however, be sure to review the application note as it provides detailed information on hardware and software perquisites as well as how to get the example up and running.
Before the crypto device can be used in its intended application, it must be provisioned. This is the process of modifying the appropriate configuration data and loading security keys, certificates, and other application specific data . Provisioning is a one-time step that is typically done before the end product is assembled, during the actual assembly, or during testing with the help of a Hardware Security Module (HSM) for large volumes or a provisioning toolkit for low volumes . Once the process is complete, the device’s configuration and data zones will be locked to prevent changes and to keep the secrets safe.
To fully understand the way provisioning is implemented in this example, we will first consider how a device would be provisioned using Microchip’s provisioning toolkit. The overall process used by the toolkit to achieve a provisioned device is the same as that used by the example project, but since the toolkit is not an “all-in-one” implementation, it is easier to visualize how the individual components work together. Before we dive in, though, it will be helpful to quickly review some cryptography basics that are not only relevant in this section, but the following sections as well.
Once provisioned, the keys and certificates loaded into the device act as its identification. Not only are they unique to the device, but they are also signed by a trusted authority (typically the manufacturer) which attests to the device’s legitimacy. Let’s take a closer look at these constructs in a bit more detail.
The ATECC508A utilizes Elliptic Curve Cryptography (ECC), which is a public key cryptosystem. This means that each crypto device must have at least one pair of keys associated with it, one private and one public. Any cryptographic operation done with the private key can only be undone with the corresponding public key and vice versa. As the names suggest, the private key is known only by the device whereas the public key can be freely distributed to other clients or hosts in the system. In fact, since the ATECC508A can implement all necessary ECC cryptographic operations with integrated hardware acceleration, there is no reason for the private key to ever leave the device. Therefore, once the key pairs are generated, the private key slots are permanently locked and cannot be read .
The reason public key cryptosystems work is because it is not computationally feasible to determine the private key knowing only the public key. ECC is the optimal cryptographic scheme to use on a small device like the ATECC508A because it allows smaller keys to be used without compromising security. On the ATECC508A, the keys are 256-bits long and provide far better security than a similar RSA cryptosystem using 2048-bit long keys .
When using a public key cryptosystem, we must address the problem of how to associate a given public key with the device it belongs to. After all, these keys are public. What’s to stop a counterfeit device from using a legitimate device’s public key to masquerade as said legitimate device? One solution is for a trusted source to issue the legitimate device a certificate that vouches for its ownership of the public key. Then, when the counterfeit device presents a public key without a certificate (or an invalid certificate), the host will know it is not legitimate. The issuers of these public key certificates are called certification authorities (CAs)  and they are known and trusted by every host in the network of devices.
A certificate is simply a data structure that contains at least a public key, some naming information, and a digital signature . The ATECC508A utilizes X.509 certificates that are stored on the device in a compressed format. Table 1 outlines the fields present in these certificates and what information they store.
Table 1: X.509 Certificate Fields 
X.509 version in use
A serial number for the certificate
Algorithm used to digitally sign the certificate
Name of the certificate issuer
The date the certificate becomes valid and the date it expires
Name of the owner of the certificate
Subject Public Key Info
The certificate owner’s public key (and corresponding algorithm, length, etc.)
Issuer Unique Identifier
Optional information about the issuer of the certificate
Subject Unique Identifier
Optional information about the owner of the certificate
More optional information
A digital signature that conforms to the ‘Algorithm ID’ field
Digital signatures must be included with certificates to prevent forgery. By understanding the signing process, we can see how they accomplish this. Figure 1 provides an overview of the entire procedure. It starts with the certificate data that needs to be signed, often called the To Be Signed (TBS) Data, being passed as input into the SHA-256 function. SHA-256 is a cryptographic hash function that takes an input of arbitrary length and outputs a fixed length number (in this case 256 bits) often referred to as a digest. Note that if so much as one bit of the input were to be changed, an entirely new digest would be created. What makes this function ‘cryptographic’ is the fact that it is very easy to compute the digest given the input, but practically impossible to compute the input given only the digest .
In Figure 1, the CA is the red signer module containing a public/private key pair. The private key is used to sign the 256-bit digest using the Elliptic Curve Digital Signature Algorithm (ECDSA) Sign function. The resulting signature is then appended to the end of the certificate data to create a complete certificate. When the time comes to verify the certificate’s authenticity, the complementary ECDSA Verify operation will be performed using the signature, TBS digest, and the signer module’s public key; as we will see later.
It should now be clear why forging a signed certificate is no easy task. Creating a counterfeit certificate from scratch would require the CA’s private key, which is locked inside the signer module and, thanks to the cryptographic strength of ECDSA, is unattainable given only an existing certificate . Modifying the fields in an existing certificate is also out of the question because doing so would result in a completely different digest at verification time, causing the ECDSA Verify operation to fail.
Figure 1: Device Certificate Signing Procedure
When provisioning devices to be used in some network or system, one CA is usually not enough. Typical systems will include nodes manufactured at different facilities or even produced by different manufacturers. Using a single CA would then require multiple copies of its private key do be distributed to every provisioning facility, which greatly increases the likelihood of a security breech. A better solution is to use multiple CAs and organize them into a Public Key Infrastructure (PKI). In the case of the X.509 standard, a hierarchical model is used to create a chain of certificates that extend trust from a globally trusted root CA to the end device . To accomplish this, the root CA will issue certificates to a set of intermediate CAs, allowing them to issue certificate to end devices (or possibly other CAs) on the root CA’s behalf. This avoids undesirable decentralization of the root CA and further improves security by allowing the root CA to revoke certificates of intermediate CAs should they become compromised.
This PKI structure is employed by the AT88CKECCPROVISION provisioning kit (Figure 2), which is simply a combination of one AT88CKECCROOT kit and one AT88CKECCSIGNER kit. It comes with 3 USB root modules (one primary and two backups) which act as the root CA and 3 USB signer modules (again, one primary and two backups) which act as the intermediate CA. Microchip provides all the necessary software and documentation to get started with these modules and use them to provision the end devices. The first step, of course, is to generate the root module’s private/public key pair and lock the private key into the module. The public key is generally distributed to all nodes requiring it in the form of a self-signed certificate, which is the only kind that the root module can have since there is no CA more trusted then it. Next, the root module provisions the signer module by telling it to generate its own private/public key pair and assigning it a special certificate granting it CA privileges. The signer is then free to provision regular devices, as shown in Figure 3.
Figure 2: AT88CKECCPROVISION Kit
Figure 3: Provisioning Process Overview 
The provisioning process is controlled by a provisioning client, which is a piece of software that interacts with the ATECC508A device. The client connects to a provisioning server, which is another piece of software that interacts with the signer module. The implementation of the client and server components may vary from application to application. They may both be running on the same machine or running on different machines communication over a network. The client may even be embedded on the end node’s MCU, allowing the device to be provisioned after the product is assembled . Regardless, the provisioning process outlined in Figure 3 will not change. Once the client is connected to the server and establishes communication with the ATECC508A, the process can begin.
- The first thing the client must do is modify the configuration zone as required by the application and then lock it. This may include changing the I2C address, customizing the slot configurations, setting up monotonic counters, etc. Once the configuration zone is locked, the client will be allowed to modify the data zone in the following steps .
- Now that the data zone can be personalized, the client instructs the ATECC508A to generate its private/public key pair(s). Recall that the device is capable of generating a random private key internally, storing it in a protected slot, and returning only the calculated public key to the client, keeping the private key completely secret .
- With the public key in hand, the client is free to request a certificate from the provisioning server. Using a template of the certificate, the device’s public key, and all other device information send by the client; the server constructs the device certificate’s TBS data .
- The TBS data is sent to the signer module to be signed. We can refer back to Figure 1 to recall how this works. The signer module first uses its internal SHA-256 algorithm to obtain the TBS digest. It then uses its internal ECDSA signature generation element and private key to create a signature based on the TBS digest. Finally, this signature is returned to the server.
- The server completes the device’s certificate by appending the signature to the TBS data. It then completes the client’s request by sending it not only the device’s certificate, but the signer’s certificate as well.
- The client will store both the device and signer certificates on the ATECC508A in a compressed format. The compressed certificates include the public keys, certificate elements, and signatures. This information can later be recombined with the certificate templates to construct the original certificates .
- If any other data required by the application needs to be written to the device, it will be done now before the data zone is locked. Once the appropriate slots in the data zone are locked (which may or may not include the certificate slots), the provisioning process is complete.
Now that we have a good idea of how provisioning works and what it accomplishes, we can return our focus to the example project. The main hardware components required to run this example are the SAM D21 MCU and the ATECC508A crypto device, but notice there is no signer or root module. This is because on top of providing cryptographic services for the node, the ATECC508A is also acting as the root module and the signer module by creating and storing two extra sets of keys. We can see this by executing the
client-provision command in the serial terminal. After completing the first step by writing and locking the configuration zone, three private/public key pairs are generated and each of the public keys is shown as output. As the labels indicate, one key belongs to the device, another belongs to the signer, and the last belongs to the signer’s CA (i.e. the root CA). Since the root, signer, and device modules are all implemented on the same crypto device, there is no need to have separate threads acting as the provisioning client and provisioning server on the MCU. Instead, the project code contains only a single function that combines these two processes into a single thread of execution.
The next step then, according to Figure 3, is to build and sign the device certificate. However, this cannot be done until a certificate has been issued to the “signer module” by the “root module” giving it the authority to issue device certificates. Therefore, the signer certificate is first built and singed by the root CA’s private key before the device certificate is built and signed by the signer CA’s private key. Once these certificates are constructed, they are printed to the serial terminal in X.509 DER (Distinguished Encoding Rules) format as shown below. This data is not what is stored on the ATECC508A in the next step, but rather just a binary representation of the certificate. The compressed certificate is created by extracting the variable data that changes from certificate to certificate and storing it on the crypto device. The static data is stored in the MCU memory as a template that can be used to reconstruct the original certificate. Since both the device and signer certificates are stored on the ATECC508A, the application must have templates for both the device and signer certificates in order to reconstruct them.
Once provisioning is complete, the configuration and data zones will be locked. So, what happens if we run the
client-provision command a second time? As the output below shows, the slot used to store the root CA’s private key is not accessible. As a workaround, the application will only generate the signer’s and device’s private/public key pairs and the root CA will use the signer’s keys for signing and verification. As a result, the signer’s certificate will be self-signed and its link in the certificate chain will be redundant. As far as the rest of the example is concerned, though, these are perfectly valid certificates and will pass the node authentication procedure without a problem.
With provisioning out of the way, the application can change gears and take on two new roles: client and host. Whereas in the previous step the MCU acted as a provisioner (provisioning server and provisioning client combination) and the ATECC508A was being provisioned, from this point forward these two components will work together to simulate both a client device and a host device. The client is the actual node being authenticated while the host is the device performing the authentication. Microchip’s favorite example is that of a printer and a printer cartridge. Both devices will have an MCU and an ATECC508A IC. The cartridge is the client requesting authentication by the host, which in this case is the printer. Since our example project plays both roles concurrently, the labels on the command output will begin with either “CLIENT:” or “HOST:” so we can tell which entity is responsible for the operation performed.
Authenticating the client is done in two stages. The first is verifying the validity of the certificate chain that was created during provisioning. If the root CA is not the “root of trust” for the client, then the client will fail authentication. The second stage is verifying the client’s public key. Since the certificates in this example were not locked into their slots, it is possible that they may be stolen, allowing a counterfeit device to pass the first authentication step. We combat this by asking the client to sign a random number, often called a challenge or nonce, with its private key. If the host is then able to verify the signature with the client’s public key, it can be confident that the certificates indeed belong to the device they came from.
Verify the Certificate Chain
This stage is divided into two steps. First the certificates are retrieved from the client and then they are verified.
Before it sends the certificates to the host, the client must rebuild them from the compressed certificates stored on the ATECC508A. It does this by combining the compressed certificate data with certificate templates stored locally on the MCU. We can see it is indeed successful because after executing the
client-build command, the certificate data printed to the serial output is the same certificate data shown during the provisioning step. Notice that this time the output has the “CLIENT:” label, indicating that this operation was performed on the client device.
In order to view this certificate data in a human readable format, it must first be written to a binary file. The easiest way to do this with a hex reader program like HxD (but it would also be easy to do with a scripting language like Python). Simply create a new file within the program, copy and paste the hexadecimal data from the serial terminal to the file, and save it with the .crt extension. You should then be able to open on the file from a file browser and view the certificate details. Another option is to use CertUtil on the Windows command line to dump the certificate data like so:
CertUtil <filename>.crt. Listing 1 and Listing 2 show the output of this command for the signer certificate and device certificate respectively.
Inspecting these certificates, we see that required fields mentioned in Table 1 are present and accounted for. We also see that the public keys match what was shown in the provisioning step (disregarding the leading 0x04) and that the signer certificate has two extra extensions distinguishing it as a CA. Note that everything after the signature (starting at “Non-root Certificate”) is additional output from the CertUtil command and not part of the certificate.
Once these certificates are passed along to the host, it will verify their signatures in a process that closely resembles the signature generation procedure (Figure 1). The main difference is the use of the ECDSA Verify function rather than the ECDSA Sign function. ECDSA Verify requires three inputs: the same 256-bit digest used during provisioning, the certificate’s signature, and the public key of the CA that signed the certificate. Just as in the provisioning step, the certificate’s TBS data is hashed using the SHA-256 algorithm to create the 256-bit digest. The signature is extracted from the certificate being verified and the public key is extracted from the CA’s certificate. The output is a simple pass or fail depending on the validity of the certificate.
Figure 4 outlines the authentication of the certificate chain starting with the signer’s certificate and ending with the device’s certificate. The root CA’s self-signed certificate is shown in this diagram even though in this example project, the host only knows the root CA’s public key. The example still works, but just know that it is more typical for the entire certificate to be stored locally on the host. Once the signer’s certificate is proven to be authentic, it can be used to verify the signature on the device’s certificate, thereby proving that the device’s certificate is not a forgery. For simplicities sake, this example does not consider the certificates’ expiration dates which normally would also be used during validation.
Figure 4: Verifying the Certificate Chain
host-chain-verify command is executed, this entire process runs behind the scenes on the host. The command’s output simply conveys the results of the ECDSA Verify function in the order performed. If both the signer and device certificates are verified, the host will know that the client’s public key is a trustworthy one. Whether or not the client actually owns said public key is another matter.
Verify Public Key
The second node authentication stage is to verify that the client possesses the private key that corresponds to the public key in its certificate. Since private keys can never leave the ATECC508A, this stage provides sufficient evidence that the client is the true owner of the public key that was deemed trustworthy in the previous stage. Public key verification is typically done in a three-step challenge-response-verify model .
Host Generate Challange
This first step is the most straightforward. The host simply generates a 256-bit random number using the high-quality random number generator in the ATECC508A and sends it to the client. It is important that this number be random so the client cannot send back a pre-calculated signature in the next step. The output of the
host-gen-chal command is the generated random number.
Client Generate Response
Using the ECDSA Sign function, the client will sign the random challenge with its private key. This is very similar to the certificate signing procedure in Figure 1, except the challenge takes the place of the TBS digest and the signature is sent back to the host as a response. The signature is also printed as output when this step is executed via the
Host Verify Response
Finally, the host uses the client’s response, the public key it extracted from the client’s certificate, and the random challenge as inputs to the ECDSA Verify algorithm. If the signature passes verification, the host can be confident that the client owns the certified public key and is, therefore, authentic. Performing this final step using the
host-verify-resp command shows the extracted public key in the output along with the result of the ECDSA Verify function.
Microchip’s node authentication example is an excellent resource for getting started with the CryptoAuthenentication family of devices. However, security topics in general tend to have rather large learning curves and this node authentication example is no exception. The overview provided by the example’s application note is very concise and does not address every question a security novice may have. To help fill in the blanks, device provisioning and two stage authentication were discussed in greater detail to supplement said application note. After reviewing the basic concepts of keys, certificates, and signatures; we were able to better illustrate a typical provisioning process utilizing a public key infrastructure. By doing so, it became easier to understand what it means to verify a certificate chain and verify public key ownership in stages one and two of the node authentication procedure respectively.
 Atmel Corporation, "Atmel CryptoAuthentication Device," ATECC508A Summary Datasheet, Feb. 2015 [Revised Oct. 2015].
 Atmel Corporation, "Node Authentication Example Using Asymmetric PKI," Appl. Note 8983, pp. 1-10.
 Atmel Corporation, "Compressed Certificate Definition," Appl. Note 8974, pp. 3-5.
 E. Asanghanwa, "More Secure, Less Costly IoT Edge Node Security Provisioning," Nov. 9, 2015. [Online]. Available: . [Accessed Nov. 4, 2017].
 R. Oppliger, Contemporary Cryptography. Norwood, MA: Artech House, 2011.
 Atmel Corporation, "Production Provisioning Guide," Appl. Note 8971, pp. 3-14.
 Atmel Corporation, "CryptoAuthentication Personalization Guide," Appl. Note 8845, pp. 1-3.