Local Chip-to-chip Security

Overview

Chip-to-chip is a mechanism to establish a secure channel between the MCU and the module (available only on SARA-R5) to protect AT-Commands and data. It is a unique cryptographic pairing/binding solution, between the MCU of the hosting device and the module, providing confidentiality, integrity and authenticity for their communication channel.

AT-Commands, parameters and command outputs as well as all data are encrypted using an encryption key previously generated in production by RoT and sent to MCU.

The pairing is done once at device production and RoT-derived keys can be used on each session. The key provided must be stored safely by the MCU. Re-pairing can be authorized via REST API if required.

Please note:

Local C2C security is composed by 4 steps:

The relevant AT commands related to each step are summarized in the following table:

Feature activation

If the module has already completed the bootstrap, the feature shall be enabled before the usage accessing to the u-blox Thingstream platform. 

You are anyway suggested to activate Local C2C feature in your production line, before the bootstrap. Activation before the bootstrap is possible even if the feature has not been activated in the platform. In this case, when the module performs the bootstrap the feature is automatically disabled unless you have enabled it in u-blox Thingstream portal during Device Profile configuration.


C2C encapsulation and encryption protocol

C2C binary encapsulation format

The frame structure of C2C packet exchanged between the MCU and the module is:

C2C encryption protocol

The communication process with the C2C encapsulation and encryption through SEND / RECEIVE is presented below.

Send:

Repeat STEPS 2. 3. 4. 5. for every chunk in CHUNKS

Receive:

Key pairing

It is the process used by MCU to obtain the keys. In this section we will take a look at the process, command s and the functional requirements of local C2C key pairing.

Local C2C key paring process:

Each MCU (if more than one) has its own encryption key obtained as described below:

Local C2C Key paring commands:

Local C2C key paring functional requirements:

Although the guideline is that key pairing should happen in production phase and in a sanitize environment (so before bootstrap) please note that this process can happen in 3 different scenarios:

(Please note that ISEP is a component of the u-blox Thingstream platform.)

Host MCU --> AT+USECC2C=0, <te_secret>

                    <--  +USECC2C:0,0, <c2c_encryption_key>

MCU is responsible to store the te_secret and encryption_key.

 

Host MCU -->  AT+USECC2C=0, <te_secret>

                       <--  NOT_ALLOWED

MCU can try again after device has been claimed.

 

Host MCU --> AT+USECC2C=0, <te_secret>

                    <-- +USECC2C:0,0, <c2c_encryption_key>

MCU is responsible to store the te_secret and encryption_key.

Open secure session

Open C2C channel:

C2C Secure session open

The +USECC2C=1, <te_secret> command opens a secure channel.

There is no guideline or recommendation when to open a secure session.  This can happen in three different scenarios.

Host MCU --> AT+USECC2C=1, <te_secret>

                    <-- PLAIN_TEXT_AT_OK

                    --> ENCRYPTED_AT_COMMAND

                    <-- ENCRYPTED_AT_OK

Having the right c2c_encryption_key (obtained in c2c key pairing phase) now MCU can decrypt the ENCRYPTED_AT_OK message and get the AT_OK.

You only need to pay attention to the grace (or evaluation) period.

Grace period < registered to isep.

Grace period allows execution of localDPR 100 times.

Grace period allows execution of C2C open (-1)/close (-1) 100 times.

 

Host MCU --> AT+USECC2C=1, <te_secret>

                    <--  NOT_ALLOWED

MCU can try again after device has been claimed.

 

Host MCU --> AT+USECC2C=1, <te_secret>

                   <--  PLAIN_TEXT_AT_OK

                    --> ENCRYPTED_AT_COMMAND

                    <-- ENCRYPTED_AT_OK

Having the right c2c_encryption_key now MCU can decrypt the ENCRYPTED_AT_OK message and get the AT_OK.

Close secure session

The +USECC2C=2 command closes a secure channel.

You can close a session at any time (of course if you have already opened one).

(Please note that ISEP is a component of u-blox Thingstream platform.)

Host MCU --> AT+USECC2C=2

                    <-- ENCRYPTED_AT_OK

Having the right c2c_encryption_key (obtained in c2c key pairing phase) now MCU can decrypt the ENCRYPTED_AT_OK message and get the AT_OK.

 

Host MCU should first retrieve the c2c_encryption_key using the te_secrect. Then using the right key encrypt AT+USECC2C=2

Host MCU --> ENCRYPTED AT COMMAND (AT+USECC2C=2)

                    <-- ENCRYPTED_AT_OK

Having the right c2c_encryption_key (obtained in c2c key pairing phase) now MCU can decrypt the ENCRYPTED_AT_OK message and get the AT_OK.

Rekeying

The +USECC2C=3 command triggers a rekeying of the current secure session. This can only be called during a secure session.

The re-keying can only be executed within a C2C session. The session used for rekeying is closed.

Host MCU should first retrieve the c2c_encryption_key using the te_secrect. Then using the right key encrypt AT+USECC2C=3

Host MCU -->ENCRYPTED AT COMMAND (AT+USECC2C=3)

                    <-- ENCRYPTED_AT_OK

Having the right c2c_encryption_key (obtained in c2c key pairing phase) now MCU can decrypt the ENCRYPTED_AT_OK message and get the AT_OK.

Use case

The Chip-to-Chip process includes two stages:

R5<->MCU C2C key pairing example:

R5<->MCU C2C usage example:

Availability

The Local C2C Security feature is available from the following FW version an subsequent releases:

Other features

You might be interested also in