Secure Elements ATECC
April 13, 2023 at 2:40 AMATECC
This chapter describes the implementation of the Microchip ATECC608A inside the SpringCore devices.
Before trying to use the features described here, please verify in the Secure Elements by product listing that your device actually has an ATECC608A chip.
For details regarding the ATECC608A itself, please visit www.microchip.com/wwwproducts/en/ATECC608A.
Use cases
The ATECC is typically used for Apple VAS and Google VAS transactions.
These transactions are run automatically by the device when configured for Smart Reader Operation. Please read the Apple VAS Template and Google VAS (aka ‘SmartTap’) template chapters for details.
Key mapping
The ATECC608A has 16 key slots. Slots 0 to 9 (00 to 09) are available to store Apple VAS or Google VAS P-256 ECC private keys.
Slots 10 to 13 (0A to 0D) are initialized in factory with 4 keys that are private to the device.
Slots 14 and 15 are reserved and not made available through the host interfaces.
| Slot | Description | Role | Remark |
|---|---|---|---|
00 |
P-256 private key 0 | Free for integrator/user | |
01 |
P-256 private key 1 | Free for integrator/user | |
02 |
P-256 private key 2 | Free for integrator/user | |
03 |
P-256 private key 3 | Free for integrator/user | |
04 |
P-256 private key 4 | Free for integrator/user | |
05 |
P-256 private key 5 | Free for integrator/user | |
06 |
P-256 private key 6 | Free for integrator/user | |
07 |
P-256 private key 7 | Free for integrator/user | |
08 |
P-256 private key 8 | Free for integrator/user | |
09 |
P-256 private key 9 | Free for integrator/user | |
0A |
P-256 private key 10 | Device key for the Direct protocol | Generated in factory Certified by SpringCore Direct CA, with certificate in slot 0ALocked by bit 4 of the Fuses register |
0B |
P-256 private key 11 | Device key for Secure Messaging | Generated in factory Certified by SpringCore Messaging CA, with certificate in slot 0BLocked by bit 4 of the Fuses register |
0C |
P-256 private key 12 | Device TLS key when running as server | Generated in factory Certified by SpringCore Server CA, with certificate in slot 0CLocked by bit 4 of the Fuses register |
0D |
P-256 private key 13 | Device TLS key when running as client | Generated in factory Certified by SpringCore Client CA, with certificate in slot 0DLocked by bit 4 of the Fuses register |
0E |
Reserved (SHA Master key) | ||
0F |
Reserved (RFU) |
Host interface
The ATECC608A is exposed to the host through a set of instructions.
-
For PC/SC devices: function calls using the ATCRYPTO class (first byte =
59) in SCardControl, -
For all devices: function calls starting using the ATCRYPTO class (
59) using SpringCore Direct interface. The reference implementation is given by SpringCoreSE.exe command-line utility in the SDK.
The instructions marked Factory only in the List of INStruction table below are reserved for manufacturing stage and permanently disabled (by setting bit 2 “Lock Secure Elements” in the Fuses) when the device leaves the factory.
Note: SpringCard recommends using the SpringCoreSE tool instead of accessing the ATECC608A directly.
List of INStructions
The INS opcodes are defined below:
| INS | Name | Description | Remark |
|---|---|---|---|
00 |
INIT | Initialize the ATECC or ATAES | Factory only |
01 |
BLANK | Erase all keys in the ATECC or ATAES | Factory only |
41 |
SET_PRIVATE_KEY | Write an ECC P-256 private key into the SE | May be restricted to HostCommAdminKey |
42 |
GENERATE PRIVATE KEY | Have the ATECC generate a new (random) private key | May be restricted to HostCommAdminKey |
43 |
GET_PUBLIC KEY | Read the public key associated to a private key | May be restricted to secure channels |
46 |
SIGN | Compute an ECC signature over the supplied 32-byte SHA256 hash | May be restricted to secure channels |
47 |
HASH AND SIGN | Compute an ECC signature over the supplied buffer (SHA256 hash runned internally) | May be restricted to secure channels |
48 |
ECDH | Run the Diffie-Hellman agreement | May be restricted to secure channels |
4E |
GET_CSR | Get a certificate signing request (CSR) for the specified key with its default subject | May be restricted to secure channels |
4F |
GET_CSR_EX | Get a certificate signing request (CSR) for the specified key with an arbitrary subject | May be restricted to secure channels |