3.2.3 Diversified Keys
For disposable applications, it may be desirable to use a diversified symmetric key. A
diversified key can be generated by Microchip during provisioning or by the host system
and directly stored into data slot 3 of the ECC204-TFLXAUTH device.
The basic procedure for generating and storing the diversified key is as follows:
- The parent key must be stored in the host or provisioning system.
- The 9-byte serial number of the ECC204-TFLXAUTH must be read by the host system. The serial number will be unique for each.
- The host system must calculate the diversified key by calculating a SHA256 Hash.
- The host system must write the calculated diversified key back into Slot 3 of the ECC204-TFLXAUTH.
- Authentication process
Authentication Process
The procedure to authenticate an ECC204-TFLXAUTH client device containing a diversified key is as follows:
- The parent key must be stored securely in the host device.
- The host must read the serial number of the client device.
- The host must calculate the diversified key based on the serial number of the client device.
- The host calculates the HMAC of the diversified key it would expect.
- The host issues a SHA command in HMAC mode to the ECC204-TFLXAUTH to generate an HMAC, then reads the value.
- The host compares the value it calculated with the value returned by the ECC204-TFLXAUTH and performs a compare.
- If the values match, the device is authenticated and the application can
proceed. Important: The specific action taken by the host when the authentication fails is determined by the security needs of the system.