How to use optiga_util_close_application in case of multiple connections


lseg
Level 1

I have a case of multiple connections: 

2 TLS connections using the Optiga to do the asymmetric key calculations during TLS setup. The problem I have: when 1 of the connections is finished I call optiga_util_close_application (using your library), but that will shut down the whole Optiga chip (Vdd set low) whilst the other application is still open. How can I make sure that the 1st application is closed (so that another can be started), without shutting down the chip?

Kind regards,


Luc

Karishma_S
Moderator

Hi @lseg,

You can execute all the optiga functionalities after one open and then finally close the application i.e., call the optiga_util_open_application -> execute all optiga related functionalities -> call the optiga_util_close_application. 

lseg
Level 1

What do you mean, I can do all the optiga functionalities between an open and a close application? An application is linked to an optiga_util_t instance. I need one of those for each of my TLS connections, to do all crypto stuff for each connection separately (own ephemeral key etc.).

I want to have concurrent applications, as much as the Optiga can handle (understood it is 3). 

So in my code I would create, let's say, 3 different optiga_util_t instances, one for each independent TLS connection. These TLS connection setups could happen at exactly the same time. So I could have the situation where these 3 different optiga_util_t instances are used to open 3 applications. So calling optiga_util_open_application 3 times (so no optiga_util_close_application has been called yet), from what I understand this should be possible. This way I would have 3 concurrent applications. But with the current code, if I now call optiga_util_close_application for one of these instances, the Optiga chip will be shut down by setting Vdd low. This means that the other 2 applications will be shut down, although they were still busy.
2 options here:

1) I misunderstood, there is no way to use applications concurrently. Only one application can be open, and the next one can only be opened after the 1st one was closed.

2) there is a bug in the optiga_util_close_application, it should release the active application but it should wait to really shutdown the chip until all applications that are active were closed.

kind regards

Karishma_S
Moderator

You cannot open 2 applications in parallel; for one open_application a close_application (or a reset) shall follow.

An instance is a thing you create on the host side only, and an application is a term from the optiga. So, before working with the optiga chip you need to open an application.

Another option is you can use independent key/memory/session objects for each TLS session and perform all the optiga functionalities in between one open and close application.

lseg
Level 1

Thank you for your answer. But I'm not fully understanding how I can still achieve the parallel TLS sessions, let me see if I get it:

I start 3 TLS connections in parallel, nothing connected yet:

1) create 1 util instance and open application with this instance as input

2) create 3 crypt instances on host side and use them in parallel, by using them as input for all optiga_crypt_*** functionalities
3) when all 3 crypt instances are destroyed (because all cryptographic functions were finished), only then close the application.

your remark: "Another option is you can use independent key/memory/session objects for each TLS session and perform all the optiga functionalities in between one open and close application."

How do I make sure that when I e.g. generate an ephemeral key for each of the crypt instances this will be stored in an independent key object on the optiga? These keys are stored in volatile memory on the Optiga, right (optiga_key_id = OPTIGA_KEY_ID_SESSION_BASED;)? Is it enough to call optiga_crypt_ecc_generate_keypair with a different optiga_crypt instance?

kind regards,

Luc Segers

Karishma_S
Moderator

Thank you for your answer. But I'm not fully understanding how I can still achieve the parallel TLS sessions, let me see if I get it:

I start 3 TLS connections in parallel, nothing connected yet:

1) create 1 util instance and open application with this instance as input

2) create 3 crypt instances on host side and use them in parallel, by using them as input for all optiga_crypt_*** functionalities
3) when all 3 crypt instances are destroyed (because all cryptographic functions were finished), only then close the application.


This type of approach is possible in multithread execution, where you have several threads executing different tasks.
For example, the tasks running on the host can be key generation and hash generation, in this case you can open 2 instances of optiga (one in each thread) and optiga will take care to dispatch the responses from the chip to the respective caller.

your remark: "Another option is you can use independent key/memory/session objects for each TLS session and perform all the optiga functionalities in between one open and close application."

How do I make sure that when I e.g. generate an ephemeral key for each of the crypt instances this will be stored in an independent key object on the optiga? These keys are stored in volatile memory on the Optiga, right (optiga_key_id = OPTIGA_KEY_ID_SESSION_BASED;)? Is it enough to call optiga_crypt_ecc_generate_keypair with a different optiga_crypt instance?


You can use a single crypt_instance for multiple crypto functionalities such as key generation, signature generation/verification etc. So, one instance for optiga_util to open/close application, and one more instance for optiga_crypt. Note that this is not for parallel execution but using a single instance for 3 TLS connections. 

lseg
Level 1

So if I understand correctly:
1. There is only one slot in the optiga RAM to store an ephemeral keypair (OPTIGA_KEY_ID_SESSION_BASED).
2. Hence crypto operations using different ephemeral keypairs MUST be consecutive.
3. Crypto instances on separate threads is possible given that only one thread uses an ephemeral keypair.

Hence, establishing multiple TLS connections simultaneously is not supported by the Optiga.

Is this correct?

Karishma_S
Moderator

No, as mentioned in the solution reference manual, there are 4 session context IDs (0xE100 to 0xE103). You can use one for each TLS session. The value 'OPTIGA_KEY_ID_SESSION_BASED = 0x0000' defined in the optiga_lib_common.h means that the first available session context will be taken. You can redefine this to the specific session context ID that you want to use.

Multiple TLS connections cannot be implemented simultaneously because neither multiple applications can be created simultaneously on optiga, nor can a crypto operation (e.g. generate keypair) be performed in parallel on 2 different threads.


So if I want to keep different TLS session alive I need to make sure:

1) I open the application at the start of the first session and close it when all crypto operations (for all active sessions) are done

2) make sure all crypto operations are being done sequentially. Making sure you do not have 2 sign or 2 make keypair at the same time (or should I even make sure I do not have any operation at the same time?)

3) separate the different ephemeral keypairs by using the 4 different session context ids or by making sure that another TLS session will not overwrite or wrongly use the keypair generated for another session (using semaphores for example).

Karishma_S
Moderator

Please let us know if your query is resolved.

We will wait for 3 days and then lock this thread. In case your problem is not resolved, please create a new thread and we will be happy to help. 

Karishma_S
Moderator

So if I want to keep different TLS session alive I need to make sure:

1) I open the application at the start of the first session and close it when all crypto operations (for all active sessions) are done

-> Yes 

2) make sure all crypto operations are being done sequentially. Making sure you do not have 2 sign or 2 make keypair at the same time (or should I even make sure I do not have any operation at the same time?)

-> If you're using multithread execution then you can have different operations on different threads. Otherwise, a single operation at a time.

3) separate the different ephemeral keypairs by using the 4 different session context ids or by making sure that another TLS session will not overwrite or wrongly use the keypair generated for another session (using semaphores for example).

-> Yes, you can use different session context id for each TLS session so that you have each session key until the end.
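Putting the three points above into code, as an added example that is not part of the original posts and not Infineon's host library: one application is opened for the first TLS session and closed only when the last active session ends (a reference count), and each session gets its own session context OID out of the four the moderator named (0xE100 to 0xE103), so one session cannot overwrite another's ephemeral keypair. The names fake_optiga_t, fake_open_application, fake_close_application, optiga_app_manager_t, tls_session_begin and tls_session_end are constructed for this example; on real hardware the two fake_* calls would be the library's optiga_util_open_application / optiga_util_close_application mentioned in the thread.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Session context OIDs named in the thread: 0xE100 .. 0xE103 (four of them). */
#define SESSION_CTX_FIRST 0xE100u
#define SESSION_CTX_COUNT 4u

/* Constructed stand-in for the chip so this runs offline. On real hardware the
 * two fake_* calls would be optiga_util_open_application /
 * optiga_util_close_application from the host library; the counters exist
 * only so we can observe the close that drops Vdd. */
typedef struct { int open_calls, close_calls; bool app_open; } fake_optiga_t;

static int fake_open_application(fake_optiga_t *c)
{
    if (c->app_open) return -1;    /* one open must be followed by one close */
    c->open_calls++; c->app_open = true; return 0;
}

static int fake_close_application(fake_optiga_t *c)
{
    if (!c->app_open) return -1;
    c->close_calls++; c->app_open = false;   /* this is what powers the chip down */
    return 0;
}

/* Host-side bookkeeping (hypothetical type): one application shared by every
 * TLS session, reference counted, plus one slot per session context. Not
 * thread-safe by itself; the caller serializes access (a mutex or a single
 * crypto worker thread, matching the sequential-operation advice above). */
typedef struct {
    fake_optiga_t *chip;
    unsigned active_sessions;
    bool ctx_in_use[SESSION_CTX_COUNT];
} optiga_app_manager_t;

/* Start a TLS session: open the application only for the first one and hand
 * out a private session context OID. Returns 0 if none is free or open failed. */
uint16_t tls_session_begin(optiga_app_manager_t *m)
{
    unsigned i;
    if (m->active_sessions == 0 && fake_open_application(m->chip) != 0)
        return 0;
    for (i = 0; i < SESSION_CTX_COUNT; i++) {
        if (!m->ctx_in_use[i]) {
            m->ctx_in_use[i] = true;
            m->active_sessions++;
            return (uint16_t)(SESSION_CTX_FIRST + i);
        }
    }
    if (m->active_sessions == 0)   /* we opened it and nobody else needs it */
        fake_close_application(m->chip);
    return 0;
}

/* End a TLS session: release its context; close the application (and thus the
 * chip) only when the last active session is gone. 0 on success, -1 on misuse. */
int tls_session_end(optiga_app_manager_t *m, uint16_t session_ctx)
{
    unsigned i = session_ctx - SESSION_CTX_FIRST;
    if (session_ctx < SESSION_CTX_FIRST || i >= SESSION_CTX_COUNT ||
        !m->ctx_in_use[i] || m->active_sessions == 0)
        return -1;
    m->ctx_in_use[i] = false;
    if (--m->active_sessions == 0)
        return fake_close_application(m->chip);
    return 0;
}

/* The thread's scenario: three sessions overlap and one finishes early.
 * Returns how many times the chip was closed (expect 1), or -1 if it was found
 * powered down while other sessions were still alive (the reported problem). */
int demo_overlapping_sessions(void)
{
    fake_optiga_t chip = {0, 0, false};
    optiga_app_manager_t m = {&chip, 0, {false}};
    uint16_t a = tls_session_begin(&m), b = tls_session_begin(&m),
             c = tls_session_begin(&m);
    tls_session_end(&m, a);
    if (!chip.app_open) return -1;
    tls_session_end(&m, c);
    tls_session_end(&m, b);
    return chip.close_calls;
}

/* A fifth concurrent session is refused: only four session contexts exist. */
uint16_t demo_fifth_session(void)
{
    fake_optiga_t chip = {0, 0, false};
    optiga_app_manager_t m = {&chip, 0, {false}};
    for (unsigned i = 0; i < SESSION_CTX_COUNT; i++)
        (void)tls_session_begin(&m);
    return tls_session_begin(&m);  /* 0: no free session context */
}

int main(void)
{
    printf("closes with 3 overlapping sessions: %d\n", demo_overlapping_sessions());
    printf("fifth concurrent session gets OID 0x%04X\n", demo_fifth_session());
    return 0;
}
```

The OID handed back by tls_session_begin is what a session would pass as its key id (where the thread's OPTIGA_KEY_ID_SESSION_BASED would otherwise pick the first free context), and the refusal of a fifth session is the natural back-pressure point: queue the handshake or fail it, rather than let it reuse a context another connection still holds.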


Sorry but now I'm confused:

In your previous answer you mentioned:
"Multiple TLS connections cannot be implemented simultaneously because neither multiple applications can be created simultaneously on optiga, nor a crypto operation (eg. generate keypair) can be performed parallelly on 2 different threads."

Now you are mentioning:

"If your using multithread execution then you can have different operations on different threads."

Do I understand it correctly that operations can be done in parallel, as long as you make sure it is not the same operation? E.g. a sign can be done on 1 thread, in parallel with a verify on another thread. BUT not a sign on 1 thread and again a sign on another thread?

Karishma_S
Moderator

Do I understand it correctly that operations can be done in parallel, as long as you make sure it is not the same operation? E.g. a sign can be done on 1 thread, in parallel with a verify on another thread. BUT not a sign on 1 thread and again a sign on another thread?

Yes, you can execute different operations on different threads. Note that each thread should have a different optiga instance.
For example, the operations called by the host can be key generation and hash generation, in this case you can open 2 instances of optiga (one in each thread) and optiga will take care to dispatch the responses from the chip to the respective caller.

lseg
Level 1

Ok so I can do a hash in parallel with an ECC key generation if I use a different crypto instance for it. But both of these operations are using completely different blocks in the HW I suppose.
Can I also do ECC kind of stuff in parallel, e.g. an ECC_sign in parallel with an ECC_verify in parallel with an ECC_make_keypair (each using its own crypto instance)?

Karishma_S
Moderator

Yes, you can execute ECC_sign in parallel with an ECC_verify in parallel with an ECC_make_keypair on different threads (each using its own crypto instance).

Karishma_S
Moderator

Please let us know if we can close this thread.
