ATECC

This chapter describes the implementation of the Microchip ATECC608A inside the SpringCore devices.

Before trying to use the features described here, please verify in the Secure Elements by product listing that your device actually has an ATECC608A chip.

For details regarding the ATECC608A itself, please visit www.microchip.com/wwwproducts/en/ATECC608A.

Use cases

The ATECC is typically used for Apple VAS and Google VAS transactions.

These transactions are run automatically by the device when configured for Smart Reader Operation. Please read the Apple VAS Template and Google VAS (aka 'SmartTap') template chapters for details.

Key mapping

The ATECC608A has 16 key slots. Slots 0 to 9 (00 to 09) are available to store Apple VAS or Google VAS P-256 ECC private keys.

Slots 10 to 13 (0A to 0D) are initialized in factory with 4 keys that are private to the device.

Slots 14 and 15 are reserved and not made available through the host interfaces.

Slot Description Role Remark
00 P-256 private key 0 Free for integrator/user
01 P-256 private key 1 Free for integrator/user
02 P-256 private key 2 Free for integrator/user
03 P-256 private key 3 Free for integrator/user
04 P-256 private key 4 Free for integrator/user
05 P-256 private key 5 Free for integrator/user
06 P-256 private key 6 Free for integrator/user
07 P-256 private key 7 Free for integrator/user
08 P-256 private key 8 Free for integrator/user
09 P-256 private key 9 Free for integrator/user
0A P-256 private key 10 Device key for the Direct protocol Generated in factory
Certified by SpringCore Direct CA, with certificate in slot 0A
Locked by bit 4 of the Fuses register
0B P-256 private key 11 Device key for Secure Messaging Generated in factory
Certified by SpringCore Messaging CA, with certificate in slot 0B
Locked by bit 4 of the Fuses register
0C P-256 private key 12 Device TLS key when running as server Generated in factory
Certified by SpringCore Server CA, with certificate in slot 0C
Locked by bit 4 of the Fuses register
0D P-256 private key 13 Device TLS key when running as client Generated in factory
Certified by SpringCore Client CA, with certificate in slot 0D
Locked by bit 4 of the Fuses register
0E Reserved (SHA Master key)
0F Reserved (RFU)

Host interface

The ATECC608A is exposed to the host through a set of instructions.

  • For PC/SC devices: function calls using the ATCRYPTO class (first byte = 59) in SCardControl,
  • For all devices: function calls starting using the ATCRYPTO class (59) using SpringCore Direct interface. The reference implementation is given by SpringCoreSE.exe command-line utility in the SDK.

The instructions marked Factory only in the List of INStruction table below are reserved for manufacturing stage and permanently disabled (by setting bit 2 "Lock Secure Elements" in the Fuses) when the device leaves the factory.

Note: SpringCard recommends using the SpringCoreSE tool instead of accessing the ATECC608A directly.

List of INStructions

The INS opcodes are defined below:

INS Name Description Remark
00 INIT Initialize the ATECC or ATAES Factory only
01 BLANK Erase all keys in the ATECC or ATAES Factory only
41 SET_PRIVATE_KEY Write an ECC P-256 private key into the SE May be restricted to HostCommAdminKey
42 GENERATE PRIVATE KEY Have the ATECC generate a new (random) private key May be restricted to HostCommAdminKey
43 GET_PUBLIC KEY Read the public key associated to a private key May be restricted to secure channels
46 SIGN Compute an ECC signature over the supplied 32-byte SHA256 hash May be restricted to secure channels
47 HASH AND SIGN Compute an ECC signature over the supplied buffer (SHA256 hash runned internally) May be restricted to secure channels
48 ECDH Run the Diffie-Hellman agreement May be restricted to secure channels
4E GET_CSR Get a certificate signing request (CSR) for the specified key with its default subject May be restricted to secure channels
4F GET_CSR_EX Get a certificate signing request (CSR) for the specified key with an arbitrary subject May be restricted to secure channels