3.2.3 Diversified Keys

For disposable applications, it may be desirable to use a diversified symmetric key. A diversified key can be generated by Microchip during provisioning or by the host system and directly stored into data slot 3 of the ECC204-TFLXAUTH device. The basic procedure for generating and storing the diversified key is as follows:
  1. The parent key must be stored in the host or provisioning system.
  2. The 9-byte serial number of the ECC204-TFLXAUTH must be read by the host system. The serial number is unique for each device.
  3. The host system must calculate the diversified key by computing a SHA-256 hash.
  4. The host system must write the calculated diversified key back into Slot 3 of the ECC204-TFLXAUTH.
  5. Perform the authentication process described below.

Authentication Process

The procedure to authenticate an ECC204-TFLXAUTH client device containing a diversified key is as follows:

  1. The parent key must be stored securely in the host device.
  2. The host must read the serial number of the client device.
  3. The host must calculate the diversified key based on the serial number of the client device.
  4. The host calculates the HMAC it expects, using the diversified key it derived.
  5. The host issues a SHA command in HMAC mode to the ECC204-TFLXAUTH to generate an HMAC, then reads the value.
  6. The host compares the value it calculated with the value returned by the ECC204-TFLXAUTH.
  7. If the values match, the device is authenticated and the application can proceed.

Important: The specific action taken by the host when the authentication fails is determined by the security needs of the system.
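The provisioning and authentication flows above, modelled end to end as an added example (this is not Microchip's code or CryptoAuthLib). The hash input layout for the diversified key (parent key followed by the 9-byte serial number), the use of a fresh random message for the HMAC command, and the simulated client standing in for the ECC204-TFLXAUTH are assumptions; the page specifies neither the exact hash input nor the HMAC message.

```python
import hashlib
import hmac
import os

SERIAL_LEN = 9   # ECC204-TFLXAUTH serial numbers are 9 bytes
KEY_LEN = 32     # SHA-256 output / symmetric key size


def diversify_key(parent_key: bytes, serial_number: bytes) -> bytes:
    """Host/provisioning side: derive the per-device key written to slot 3.
    ASSUMPTION: SHA-256 over parent_key || serial_number; the page only
    states that a SHA-256 hash is used."""
    if len(parent_key) != KEY_LEN:
        raise ValueError("parent key must be 32 bytes")
    if len(serial_number) != SERIAL_LEN:
        raise ValueError("serial number must be 9 bytes")
    return hashlib.sha256(parent_key + serial_number).digest()


class SimulatedClient:
    """Stand-in for the ECC204-TFLXAUTH (assumed model, not real hardware):
    holds the slot-3 key and answers the SHA command in HMAC mode.
    The real device never exposes the slot-3 key."""

    def __init__(self, serial_number: bytes, slot3_key: bytes):
        self.serial_number = serial_number      # readable by anyone
        self._slot3_key = slot3_key             # written once at provisioning

    def read_serial(self) -> bytes:
        return self.serial_number

    def sha_hmac(self, message: bytes) -> bytes:
        return hmac.new(self._slot3_key, message, hashlib.sha256).digest()


def authenticate(host_parent_key: bytes, client: SimulatedClient, message: bytes) -> bool:
    """Host side of the authentication procedure (steps 1-7 above)."""
    serial = client.read_serial()                               # step 2
    expected_key = diversify_key(host_parent_key, serial)       # step 3
    expected_mac = hmac.new(expected_key, message, hashlib.sha256).digest()  # step 4
    device_mac = client.sha_hmac(message)                       # step 5
    # Step 6/7: constant-time compare so timing does not leak how many bytes matched.
    return hmac.compare_digest(expected_mac, device_mac)


if __name__ == "__main__":
    parent = bytes(range(32))                          # constructed sample, not a real key
    serial = bytes.fromhex("012355aa55aa55aa01")       # constructed 9-byte serial
    genuine = SimulatedClient(serial, diversify_key(parent, serial))   # provisioning step 4
    counterfeit = SimulatedClient(serial, bytes(32))   # same serial, wrong slot-3 key
    message = os.urandom(32)                           # fresh per run, so old HMACs cannot be replayed
    print("genuine:", authenticate(parent, genuine, message))          # True
    print("counterfeit:", authenticate(parent, counterfeit, message))  # False
```

A single leaked diversified key only compromises the one serial number it was derived for; the parent key, which never leaves the host, is what must be protected.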