Child pages
  • ATECC608 Node Authentication Example Walk-through

Versions Compared


  • This line was added.
  • This line was removed.
  • Formatting was changed.


In Figure 1, the CA is the red signer module which securely stores a public/private key pair of its own. The private key is used to sign the 256-bit digest using the Elliptic Curve Digital Signature Algorithm (ECDSA) Sign function. The resulting signature is then appended to the end of the certificate data to complete the certificate. When the time comes to verify the certificate's authenticity, the complementary ECDSA Verify operation will be performed using the signature, the TBS digest, and the signer module's public key; as we will see later in the Device Authentication section.

It should now be clear why forging a signed certificate is no easy task. Creating a counterfeit certificate from scratch would require the CA's private key, which is locked inside the signer module and, thanks to the cryptographic strength of ECDSA, is unattainable given only an existing certificate [5]. Modifying the fields in an existing certificate is also out of the question because doing so would result in a completely different digest at verification time, causing the ECDSA Verify operation to fail.


Recall that, in addition to storing a key pair, the signer module also stores a certificate that was signed by its CA (i.e. the root module). Because in this example we are merely simulating a signer module, we will have to create this certificate before moving onto requesting a device certificate in Step 3. This will not only give our "signer module" permission to issue a certificate to the CryptoAuth device, but it will also allow us to properly validate the certificate chain in the Device Authentication section. The command output (Listing 2) shows the signer's certificate printed in X.509 DER (Distinguished Encoding Rules) format after it is constructed and signed using the private key of the "root module". This data is not what is eventually stored on the ATECC608A, but rather just a binary representation of the certificate. The Client Build section provides details on how to view this information in a human readable form.