This is the documentation for the latest (main) development branch of the Infuse-IoT platform. If you are looking for the documentation of previous releases, use the drop-down menu on the left and select the desired version.

ECDH Shared Secret Generation

Demonstration of the shared secret generation through Elliptic-curve Diffie–Hellman. Both device and cloud end up with the same shared secret, with only the public keys being known. Device can regenerate local key-pair as often as it wishes, cloud can recalulate the shared secret after only querying the public key.

With a fixed key-pair for the cloud, the device can be sure of the authenticity of the data (has been encrypted by that cloud, and not someone else with the device public key). It does not provide authenticity of the data in the reverse direction (The cloud cannot guarantee that the key-pair was generated by a particular device and not an impersonator).

Note that as this sample regenerates the local key-pair on each run, it will only behave deterministically across multiple runs if using a test entropy source, such as FAKE_ENTROPY_NATIVE_POSIX.

Generate example cloud key pair

Run ecdh_cloud.py to display or generate the simulated cloud public key.

> python3 ecdh_cloud.py
Wrote private key to example.pem
Cloud public key array:
0xc2,0xfc,0x16,0x76,0xa5,0xda,0xf5,0x38,0x8e,0x64,0x26,0x99,0x83,0xbf,0xa6,0x28,0xfd,0x9b,0xf0,0x94,0xca,0x51,0x58,0x78,0xec,0x8f,0xdb,0xdb,0x94,0xb6,0x3b,0x44

Import cloud public key

Import the simulated cloud public key into the application in main.c:

static const uint8_t m_pub_key_cloud[ECDH_PUBLIC_KEY_SIZE] = {
   0xc2, 0xfc, 0x16, 0x76, 0xa5, 0xda, 0xf5, 0x38, 0x8e, 0x64, 0x26,
   0x99, 0x83, 0xbf, 0xa6, 0x28, 0xfd, 0x9b, 0xf0, 0x94, 0xca, 0x51,
   0x58, 0x78, 0xec, 0x8f, 0xdb, 0xdb, 0x94, 0xb6, 0x3b, 0x44};

If using the example key pair (example.pem), this value is already correct.

## Device shared secret

Get the device public key and expected shared secret value from the sample application:

> west build -b native_sim -t run infuse-sdk/samples/crypto/ecdh/
...
Device public key:
   da5c1c64a9ccf32f005a2fae15114e13691dcdab6550c22cec2c91b426fbe01c
Shared secret:
   1c0134cb51032fa3d8872dcd2757214f75ab6e3a030a1c116d43f00db2606925

Cloud shared secret

Calculate the shared secret from the device public key and validate that it matches the value from the previous step:

> python3 ecdh_remote.py --device da5c1c64a9ccf32f005a2fae15114e13691dcdab6550c22cec2c91b426fbe01c
...
Shared secret:
   1c0134cb51032fa3d8872dcd2757214f75ab6e3a030a1c116d43f00db2606925