Add a secure element ATECC508

A project log for Gesture/Pattern Recognition Without Camera : TOF !

Grumpy Hedgehog is a connected device that allows you to read and interact with movements. Its LCD screen displays the Hedgehog's expression

jean.perardel, 11/07/2021 at 19:29

To protect its data, the Arduino MKR 1010 includes an ATECC508 secure element. With a good implementation, this small device brings almost infallible security to the communication.

After some research, I found 2 Arduino libraries (ArduinoECCX08 and Sparkfun) that integrate some functions of the ATECC508. WARNING: the configuration of the device is permanent. If you accept the default configuration of these libraries, you will never be able to change it again.

There are many ways to use this module, but these libraries focus on generating public/private key pairs and certificates to ensure the integrity of messages. There are already several tutorials on using these functions. I tested this one, which worked well to connect to Google Cloud IoT with my Arduino MKR 1010. There is also this example to connect to Azure IoT Hub (but I didn't test it on MKR).

In our case, we would like to use the ATECC508 to store private information (a pattern and a password). The SAMD21 would send patterns to it, and the ATECC508 would compare them with the one in memory. If the pattern matches, the ATECC508 will send the password. (This part isn't finished yet!)

To integrate this, you first need to understand how the device is configured. Fortunately, the ATECC508 datasheet is available on the internet (which is not the case for all secure elements; look for the complete datasheet with 109 pages). What we need is to set the correct configuration in "SlotConfig" (Section 2.2.1 SlotConfig (Bytes 20 to 51)) to enable the "CheckMac" command (see Section 3.2.7 Password Checking).

To use password checking, we need to set ReadKey (bits 3-0 of SlotConfig) to 0 in the target slot. This enables "CheckMac/Copy". If we check the default configuration of ArduinoECCX08, we have:

SLOT<0> : 0x83, 0x20, // External Signatures | Internal Signatures | IsSecret | Write Configure Never

This means we have 0011 (0x3) as ReadKey instead of 0. So we need to configure a slot with 0xX0, 0xXX.

The datasheet states: "If the password is to be mapped to a secondary value (using the third option above), then the target slot containing this value is located in the next higher slot number (i.e. the password’s slot number plus one);"

So we can use

I will not have time to test this part before the contest deadline. So I will finish this article after the contest.
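The SlotConfig check described above, as an added example that is not part of the original log or of either library: it decodes the two SlotConfig bytes and flags what would stop a slot from serving as the CheckMac password slot. The field layout is assumed from the datasheet's SlotConfig table, the function and constant names are hypothetical, and 0x80, 0x20 is a constructed candidate value.

```c
#include <stdint.h>
#include <stdio.h>

/* SlotConfig is a 16-bit word stored low byte first in the config zone.
 * In ECC private-key slots (like the default slot 0) the ReadKey bits carry
 * signing permissions instead, as the library comment shows. */
typedef struct {
    uint8_t read_key;     /* bits 3-0: 0 enables CheckMac/Copy on a data slot */
    uint8_t no_mac;       /* bit 4 */
    uint8_t limited_use;  /* bit 5 */
    uint8_t encrypt_read; /* bit 6 */
    uint8_t is_secret;    /* bit 7: 1 forbids clear-text reads */
    uint8_t write_key;    /* bits 11-8 */
    uint8_t write_config; /* bits 15-12 */
} slot_config_t;

slot_config_t decode_slot_config(uint8_t lo, uint8_t hi)
{
    uint16_t w = (uint16_t)(lo | ((uint16_t)hi << 8));
    slot_config_t c = {
        .read_key = w & 0x0F, .no_mac = (w >> 4) & 1,
        .limited_use = (w >> 5) & 1, .encrypt_read = (w >> 6) & 1,
        .is_secret = (w >> 7) & 1, .write_key = (w >> 8) & 0x0F,
        .write_config = (w >> 12) & 0x0F,
    };
    return c;
}

/* Findings for a slot intended to hold the password (hypothetical names). */
enum { COPY_DISABLED = 1, NOT_SECRET = 2, NO_TARGET_SLOT = 4 };

int audit_password_slot(int slot, uint8_t lo, uint8_t hi)
{
    slot_config_t c = decode_slot_config(lo, hi);
    int findings = 0;
    if (c.read_key != 0) findings |= COPY_DISABLED;  /* ReadKey must be 0 */
    if (!c.is_secret)    findings |= NOT_SECRET;     /* readable in clear */
    if (slot < 0 || slot > 14) findings |= NO_TARGET_SLOT; /* needs slot+1 */
    return findings;
}

int main(void)
{
    /* 0x83,0x20: slot 0 default quoted above. 0x80,0x20: constructed. */
    printf("slot 0 default   -> 0x%x\n", audit_password_slot(0, 0x83, 0x20));
    printf("slot 2 candidate -> 0x%x\n", audit_password_slot(2, 0x80, 0x20));
    return 0;
}
```

Running this kind of check on the full 32-byte SlotConfig array before locking the configuration zone catches a wrong nibble while it can still be changed.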

The SAMD21 and the ATECC508 communicate over SPI on PA8 (SDA) and PA9 (SCL), or over One Wire on PA8 (SDA). We will use SPI, as it is the default configuration.

But the idea would be to use a PCB version so that you can continue to use the main controller you want. Here is an interesting guide

From Arduino MKR 1010 Schematic