Dear community,

My target is to establish a shared secret key between the PC application (master) and (various, different, but always limited to 1 at a time) peripheral devices.

*Each device has*:

- Device specific ECC 256-bit private key, in PEM format, well parsed with mbedtls_pk_parse_key function when required. - Device specific certificate that belongs to the private key. Certificate is signed by the *TrustCA*. Parsing works well with mbedtls_x509_crt_parse - TrustCA’s certificate, used to validate the master device during communication, also used to check firmware signature in a secure boot part of the application

*PC application has*:

- Master application certificate, signed by *TrustCA* - Private key of the PC application that belongs to master application certificate, in PEM format - *TrustCA*’s certificate, used to validate device certificate during communication

Aim is to establish AES shared secret, by doing:

- Master sends authentication requests, random challenge, device performs hash + signs with private key. Returns certificate + signature of the challenge. - Master uses *TrustCA*'s certificate to check device's certificate and then checks the signature of the hash(challenge) - Master sends its certificate to the slave, now both hold X509 certificates. At this point, device could also request authentication of the PC application - A computation with its respective private key is needed on both sides, and we have common secret.

What is the correct way in mbedTLS, to get a public key from *X509*, that can be used in the ECDH module?

The way the ECDH module inside mbedTLS seems to be designed, there is no straight-forward way to export X5090’s public key, get its parameters and use them in ECDH module.

Instead, ECDH expects that random keypair will be generated every-time we want key exchange. Doing this, we risk *man in the middle* attack, since the other party doesn’t know where the key is actually coming from.

For the moment, the solution I see (which is not THAT elegant, or is it?), and to avoid man in the middle attack::

- Devices still exchange certificates, but only for authentication reason + certificate verification - Every message that is sent between devices (for instance public keys exchange), must also be hashed & signed, so that another party can be sure message is coming from the device which shared the certificate just before (and certificate is signed by TrustCA) - We need one exchange more to get shared secret.

Is this the *proposed* solution in this case? Is there a more elegant solution with the mbedTLS library for this problem?

Thanks -- Tilen Majerle, mag.inž.el. Tušev Dol 11 8340 Črnomelj Slovenia www: http://majerle.eu e-mail: tilen@majerle.eu Mobile: +386 40 167 724

https://www.avast.com/sig-email?utm_medium=email&utm_source=link&utm_campaign=sig-email&utm_content=webmail Virus-free.www.avast.com https://www.avast.com/sig-email?utm_medium=email&utm_source=link&utm_campaign=sig-email&utm_content=webmail <#m_-5461752537485879190_DAB4FAD8-2DD7-40BB-A1B8-4E2AA1F9FDF2>