# SIOT Hackathon Attestation Projects
We have put together a couple of projects. Please read through them and see which one works for you.
## Attested sensor readings
We want a device (D) to provide attested sensor readings to a relying party (RP).
A prerequisite is that D and RP share a Mixing function:
```
M(s, ch) = SHA-256(str(s) || ch)
```
See [below](#Mixing-function) for the implementation details.
At an abstract level the "attested sensor reading" protocol flow is as follows:
```sequence
RP -> RP : ch := RND()
RP -> D : ch
D -> D : s := read_sensor()
D -> D : n := M(s, ch)
D -> D : T := attest(n)
D -> RP : s, T
RP -> RP : verify(T)
RP -> RP : assert(T.nonce == M(s, ch))
```
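The flow above from both sides, as an added Python example that is not part of the original note. It shows why the RP checks `T.nonce == M(s, ch)`: an altered reading or a replayed `(s, T)` pair fails the binding check. Assumptions: an HMAC under a shared key stands in for the signed PSA attestation token, and `DEMO_KEY`, `device_respond`, `rp_check` and `demo` are hypothetical names.

```python
import hashlib
import hmac
import secrets

# Assumption: a shared HMAC key stands in for the device's attestation key.
# A real PSA token is a signed CWT, verified with the device's public key.
DEMO_KEY = b"constructed-demo-key"

def M(s, ch):
    """Mixing function from the note: SHA-256(str(s) || ch)."""
    return hashlib.sha256(str(s).encode("utf-8") + ch).digest()

def attest(nonce):
    """Device side (stand-in): token = nonce || HMAC(key, nonce)."""
    return nonce + hmac.new(DEMO_KEY, nonce, hashlib.sha256).digest()

def verify(token):
    """RP side (stand-in): check the tag, return the embedded nonce or None."""
    if len(token) != 64:
        return None
    nonce, tag = token[:32], token[32:]
    expected = hmac.new(DEMO_KEY, nonce, hashlib.sha256).digest()
    return nonce if hmac.compare_digest(tag, expected) else None

def device_respond(ch, s):
    """D: n := M(s, ch); T := attest(n); send (s, T)."""
    return s, attest(M(s, ch))

def rp_check(ch, s, token):
    """RP: verify(T), then require T.nonce == M(s, ch)."""
    nonce = verify(token)
    if nonce is None:
        return "bad-token"
    if not hmac.compare_digest(nonce, M(s, ch)):
        return "binding-mismatch"
    return "ok"

def demo():
    ch = secrets.token_bytes(32)             # ch := RND()
    s, token = device_respond(ch, 1234)      # constructed sensor value
    return {
        "honest": rp_check(ch, s, token),
        "altered_reading": rp_check(ch, s + 1, token),  # s changed after attest
        "replayed": rp_check(secrets.token_bytes(32), s, token),  # old T, new ch
        "forged_token": rp_check(ch, s, token[:-1] + bytes([token[-1] ^ 1])),
    }

if __name__ == "__main__":
    print(demo())
```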
In practice, LPC55S69 will expose a LwM2M object called "sensor" providing an "attested reading" resource.
This read-only resource yields the most recent sensor reading together with the bound attestation token in a CBOR map:
```
attested-reading = {
  s : uint,
  T : bstr
}
```
where `s` is the sensor reading, and `T` is the marshalled PSA attestation token.
### Mixing function
* A Python implementation of `M()`:
```python
import hashlib


def M(s, ch):
    # SHA-256 over the decimal string form of s followed by the challenge bytes
    m = hashlib.sha256()
    m.update(str(s).encode("utf-8"))
    m.update(ch)
    return m.digest()


# example:
s = 1234
ch = b"\xde\xad\xbe\xef"
print(M(s, ch))
```
* A C/C++ implementation, which uses mbedTLS for hashing:
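```cpp
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#include "mbedtls/sha256.h"

// M(s, ch) = SHA-256(str(s) || ch); returns false if formatting or hashing fails.
static bool M(unsigned int s, const uint8_t *ch, size_t ch_sz,
              uint8_t out[32]) {
  char sbuf[64] = {0};
  mbedtls_sha256_context c;
  bool status = true;

  // Decimal string form of the reading, matching Python's str(s).
  if (snprintf(sbuf, sizeof sbuf, "%u", s) <= 0) {
    return false;
  }

  mbedtls_sha256_init(&c);

  // The second argument 0 selects SHA-256 (1 would select SHA-224).
  if (mbedtls_sha256_starts_ret(&c, 0) ||
      mbedtls_sha256_update_ret(&c, (uint8_t *)sbuf, strlen(sbuf)) ||
      mbedtls_sha256_update_ret(&c, ch, ch_sz) ||
      mbedtls_sha256_finish_ret(&c, out)) {
    status = false;
    goto end;
  }

end:
  mbedtls_sha256_free(&c);
  return status;
}

// example:
static void example(void) {
  uint8_t out[32], ch[4] = {0xde, 0xad, 0xbe, 0xef};
  unsigned int s = 1234;

  (void) M(s, ch, sizeof ch, out);
}
```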
### Reference material
* [mbed-cloud-client-example](https://github.com/thomas-fossati/mbed-cloud-client-example/tree/LPC55S69) repo
* [LwM2M](https://md2html-tool.com/docs/OpenMobileAlliance/LwM2M/development/8685cd5/) (latest) spec
* [Pelion Device Management Client](https://www.pelion.com/docs/device-management/current/connecting/working-with-the-resources.html) API reference
### Prerequisites
* Install [mbed-cli](https://os.mbed.com/docs/mbed-os/v5.15/tools/manual-installation.html)
* Install the [GNU ARM toolchain](https://developer.arm.com/tools-and-software/open-source-software/developer-tools/gnu-toolchain/gnu-rm) -- the suggested version is `7-2018-q2-update` but if you feel bold enough you could try a more recent version.
* Create an [Mbed account](https://os.mbed.com/account/signup/). Once the account is active you also have access to the [Mbed cloud portal](https://portal.mbedcloud.com/login).
### Setting up a brand new NXP board for usage:
Generic setup (to be done only once, when you get a new NXP LPC55S69-EVK + Espressif ESP8266 Wi-Fi chip):
1. Setup, bring-up and demo examples guide: https://www.nxp.com/document/guide/get-started-with-the-lpc55s69-evk:GS-LPC55S69-EVK
2. Update the CMSIS-DAP firmware first before trying out any demo examples (using the link below).
3. mbed on LPC55S69 (first-time use ONLY): on first run, update the device bootloader and firmware to enable drag-and-drop binary programming on the device: https://os.mbed.com/teams/NXP/wiki/Updating-LPCXpresso-firmware
4. Device bring-up and mbed demo examples: https://os.mbed.com/platforms/LPCXpresso55S69/#getting-started-with-mbed
## From IAT to EAT
We want to extend the [IAT verifier](https://git.trustedfirmware.org/trusted-firmware-m.git/tree/tools/iat-verifier), i.e., the tooling around the [PSA attestation token](https://tools.ietf.org/html/draft-tschofenig-rats-psa-token-04), to understand the [EAT](https://ietf-rats-wg.github.io/eat/draft-ietf-rats-eat.html) format. For that to happen, we need to:
* Decouple the data model -- which is, at the moment, PSA specific -- to allow varying the verification policy on different claims' sets; and
* Make the IAT verifier modular on the data model as well, to also allow JWT encodings in parallel with CWT.
*TBD: create issues in GitHub to work on.*
### Reference material
* [EAT](https://ietf-rats-wg.github.io/eat/draft-ietf-rats-eat.html) spec
* [IAT verifier](https://github.com/thomas-fossati/eat-verifier) repo