Storing ECC private keys in the SpringCore's Secure Element

Devices in the SpringCore family feature on or more Secure Elements (SE) to store the security keys that are involved in your system. This covers both the keys used by the Smart Reader template engine or a PC/SC application for authenticating and validating the user credentials (contactless card or NFC pass) and the keys used for securing the communication between the device and the back-end system (MQTT over TLS to interact with a cloud system, secure BLE, secure UDP or TCP protocols, etc.).

Both Puck and SpringPark feature a Microchip ATECC chip (formerly an Atmel reference) to store ECC private keys (NIST P-256 curve a.k.a. secp256r1 and prime256v1). Such private keys are typically involved in three use cases:

  • To authenticate and decipher (decrypt) an Apple VAS NFC pass (Passkit),
  • To activate, authenticate and decipher (decrypt) a Google VAS NFC pass (Smart Tap),
  • To open a SSL/TLS secure communication channel with a server over a TCP/IP network, providing client-side authentication of the device.

This article shows how-to insert existing ECC private keys into the SpringCore's ATECC.

Read More

Using master cards to configure the SpringCore devices

SpringCore is the umbrella name to the new generation of SpringCard devices (Puck, SpringPark, etc.) that share the same MCU platform and the same overall architecture. All the devices in this family could be configured easily and securely thanks to SpringCard 2nd generation of master cards.

A master card v2 is a Desfire EV1 (or later) contactless card, that contains the configuration parameters you want to apply to many devices. The data are protected by AES128 for authentication and secure communication, and their authenticity is validated by an ECC256 digital signature.

Thanks to this robust security scheme, only your devices can read and accept your master cards, while refusing (and being actually unable to read) master cards created by 3rd parties. Symmetrically, only the devices that you have commissioned with your own key-set are able to read your master cards, thus protecting your assets (secret keys and specific configuration parameters) against any unwanted disclosure, even if the master card is lost or stolen.

This article shows how-to create master cards v2 using springcoremastercard.exe tool and/or SpringCard Companion, and what are the best practices to use them efficiently and securely.

Read More