Blog Datasheets Home About me Clients My work Services Contact

G2Labs Grzegorz Grzęda

Developing secure applications with the nRF52: cryptography and secure boot

January 18, 2024

Developing Secure Applications with the nRF52: Cryptography and Secure Boot

The nRF52 series of microcontrollers are widely used in a variety of applications, ranging from wearables to IoT devices. In today’s increasingly connected world, security is a critical aspect of application development. In this blog post, we will explore how to develop secure applications with the nRF52, focusing on cryptography and secure boot techniques.

Cryptography in the nRF52

Cryptography is at the heart of many secure applications. The nRF52 provides hardware acceleration for various cryptographic operations, including symmetric and asymmetric encryption, hashing, and random number generation. Let’s dive into some examples.

Symmetric Encryption with AES

The Advanced Encryption Standard (AES) is a widely-used symmetric encryption algorithm. To use AES in the nRF52, we can leverage the nrf_crypto library. Here’s an example of encrypting and decrypting data using AES-128 in CBC mode:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10

// Encryption
nrf_crypto_aes_context_t ctx;
nrf_crypto_aes_init(&ctx, NRF_CRYPTO_KEY_SIZE_128);
nrf_crypto_aes_crypt(&ctx, NRF_CRYPTO_ENCRYPT, iv, key, plaintext, ciphertext);
nrf_crypto_aes_deinit(&ctx);

// Decryption
nrf_crypto_aes_init(&ctx, NRF_CRYPTO_KEY_SIZE_128);
nrf_crypto_aes_crypt(&ctx, NRF_CRYPTO_DECRYPT, iv, key, ciphertext, decrypted);
nrf_crypto_aes_deinit(&ctx);

Asymmetric Encryption with ECC

Elliptic Curve Cryptography (ECC) is commonly used for asymmetric encryption and key exchange. The nRF52 supports ECC-based operations using the nrf_crypto library. Here’s an example of generating an ECC key pair, encryption, and decryption:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33

// Key pair generation
nrf_crypto_ecc_key_pair_generate_context_t ecc_ctx;
nrf_crypto_ecc_private_key_t private_key;
nrf_crypto_ecc_public_key_t public_key;
nrf_crypto_ecc_key_pair_generate(
    &ecc_ctx,
    NRF_CRYPTO_ECC_SECP256R1,
    &private_key,
    &public_key
);

// Encryption
nrf_crypto_ecc_public_key_t recipient_public_key;
nrf_crypto_ecc_public_key_from_raw(
    NRF_CRYPTO_ECC_SECP256R1,
    recipient_public_key_data,
    sizeof(recipient_public_key_data),
    &recipient_public_key
);
nrf_crypto_ecc_shared_secret_compute(
    NRF_CRYPTO_ECC_SECP256R1,
    &private_key,
    &recipient_public_key,
    shared_secret
);

// Decryption
nrf_crypto_ecc_shared_secret_compute(
    NRF_CRYPTO_ECC_SECP256R1,
    &recipient_private_key,
    &sender_public_key,
    shared_secret
);

These examples demonstrate how to leverage the nrf_crypto library to perform various cryptographic operations in a secure manner.

Secure Boot in the nRF52

Secure boot is an essential technique for ensuring the integrity and authenticity of firmware during the boot process. The nRF52 provides support for secure boot using the bootloader and the Nordic Secure DFU (Device Firmware Update) mechanism.

To enable secure boot, the firmware image needs to be signed using a trusted private key. The nRF52 bootloader verifies the signature before executing the firmware. If the signature is valid, the bootloader allows the firmware to run; otherwise, the boot process is halted.

The process of configuring and enabling secure boot involves several steps:

  1. Generate a private-public key pair using a trusted cryptographic tool.
  2. Sign the application firmware using the private key.
  3. Configure the bootloader to require signed firmware images.
  4. Flash the signed firmware image and the associated public key into the nRF52.

Detailed instructions for configuring secure boot can be found in the nRF5 SDK documentation.

Conclusion

Developing secure applications with the nRF52 microcontrollers requires careful consideration of cryptography and secure boot techniques. The nRF52 provides hardware acceleration for cryptographic operations, making it efficient and secure. Leveraging the nrf_crypto library, developers can perform symmetric and asymmetric encryption with ease.

Incorporating secure boot techniques ensures the integrity and authenticity of the firmware during the boot process. The nRF52’s bootloader and Nordic Secure DFU mechanism enable secure boot for applications, protecting against malicious firmware modifications.

By understanding and implementing these security measures, developers can confidently build secure applications on the nRF52 platform, safeguarding sensitive data and ensuring the long-term reliability of their devices.

➡️ Ownership and borrowing in Rust

⬅️ Rust basic syntax

Go back to Posts.