How to operate RSA in BCM20737S & BCM20737S document

Tip / Sign in to post questions, reply, level up, and achieve exciting badges. Know more

cross mob
Anonymous
Not applicable

Hi

May I know any sample code to operate BCM20737S RSA engine?

And there's no document available on the web site, may i know when will it be released?

0 Likes
1 Solution
MichaelF_56
Moderator
Moderator
Moderator
250 sign-ins 25 comments on blog 10 comments on blog

I checked with the software team and the RSA code is included with the ROM, so you are free to use it now on the BCM20737(S).

What little we have in the way of documentation for this feature is available within the  WICED-Smart\bleapp\utils\rsa.h file.

View solution in original post

0 Likes
5 Replies
MichaelF_56
Moderator
Moderator
Moderator
250 sign-ins 25 comments on blog 10 comments on blog

I'm in the process of correctly identifying exactly what we are providing today within the 20737S in terms of RSA support.

My current understanding is that the RSA library will implemented in firmware and is a direct port of the Polar SSL library (version 1.7).

I believe the same library can be obtained (in source) from http://www.polarssl.org(or licensed from them if needed).

As far as its impact on performance, my understanding is that we don’t have the benchmarks in terms of time to encrypt/decrypt yet, but unless connection intervals are relative long, encrypting/decrypting every packet will increase average power consumption significantly.

This SW addition also needs an extra 2.5K of thread stack and ~4K of dynamically allocated buffers, so the application will have ~6.5K less space than regular apps.

0 Likes

Additional note....

The extra RAM needed for RSA can be allocated only by apps that need to use the RSA library. If none of the RSA library functions are needed, then the available RAM on 20736S and 20737S are identical.

The idea has been to provide a path for authentication and other security mechanisms that rely on the capability to run standard security functions (SHA1, MD5 etc).  For instance, you may need to authenticate  a user before opening/unlocking a BLE based device. Or authenticate a secure medical device before granting it access to an iPhone. We provide the functionality to run those and other security mechanisms.  Some of the encrypt/decrypt may not be run continuously, but as an additional step for initial authentication, in which case there will be some additional power consumption at the start of the procedure and post authentication one can revert to standard BT security measures.

0 Likes
MichaelF_56
Moderator
Moderator
Moderator
250 sign-ins 25 comments on blog 10 comments on blog

I checked with the software team and the RSA code is included with the ROM, so you are free to use it now on the BCM20737(S).

What little we have in the way of documentation for this feature is available within the  WICED-Smart\bleapp\utils\rsa.h file.

0 Likes
Anonymous
Not applicable

Is it possible to call MPI library directly from the BCM920737 tag?

In the BCM920737 chipset seems to use the rsa library of polarssl.

I tried to check the rsa.c of polarssl, was using the mpi library.

Please confirm whether it is possible to directly call the mpi library.

(Ex: mpi_read_binary, mpi_write_binary, mpi_exp_mod)

The reason, api defined in rsa.h are unlikely to be used later for generating the key.

I would like to call directly mpi library and must be used in stores already key that is generated.

Or use the rsa_public function by setting the rsa_context direct?

0 Likes

This is an older post, but I provide some clues as it may be helpful for someone else. If you look at the sample code called ota_secure_firmware_upgrade you will see that the mpi_xx read functions are used. In this specific case they are required to load the public key in the RSA context. There are no functions in rsa.h that let you export/reload the public key.

int ws_upgrade_ota_init(void)

{

    ws_upgrade_state = WS_UPGRADE_STATE_IDLE;

    // register memory management function

    brcmcryptoglue_set_allocator(cfa_mm_Alloc);

    brcmcryptoglue_set_deallocator(cfa_mm_Free);

    // initialize padding scheme and hash algorithm

    rsa_init(&rsaCtx, RSA_PKCS_V21, POLARSSL_MD_SHA256);

    mpi_read_binary( &rsaCtx.E, &rsa_pub_key[0], 3);

    mpi_read_binary( &rsaCtx.N, &rsa_pub_key[3], WS_UPGRADE_RSA_SIGNATURE_LEN + 1);

    ws_upgrade_init();

    return TRUE;

}

In the sample above the public key is used to verify the new firmware and the context that created the public key is not available anymore (keys are generated on a distant computer with a binary provided by Broadcom). Thus there is a need to be able to reload the public key in the new created context.