Andrey Ovcharov

Professional Software Engineer and hobbyist Hardware enthusiast

Andrey Ovcharov

Using ATECC508A Cryptographic co-processor with ESP32

The next FIDO2 Authenticator project update is dedicated to the ATECC508A cryptographic chip. I have taken some time and started to write a component library for operating the IC from ESP32 microcontroller.

The ATECC508A communicates via standard I2C protocol and provides many interesting security features used by FIDO2 authentication protocol:

  • Secure storage up to 16 keys. The private key can not be extracted from the device
  • Generation and verification of ECC2 signatures
  • Calculation of SHA256 hash
  • High-quality random number generator
  • Independent counters

One of the chips I have is soldered to my prototype board but, unfortunately, I could not make it work. Probably there is some loose joint in the soldering or the IC itself is broken, I don’t know.

FIDO2 Authenticator prototype featuring ATECC508A chip
FIDO2 Authenticator prototype featuring ATECC508A chip

Luckily I have more of them and soldered next one to the development board and connected to ESP32 module. This one responded from the very first attempt and I could continue with the development of the library for it. Good thing - the ESP32 can use internal pull-up resistors for the I2C bus and I can save some space on the PCB.

Connecting ATEC508A to the ESP32 development board
Connecting ATEC508A to the ESP32 development board

Programming of the security chip is not an easy task as, for example, real-time clock. It involves a complex setup procedure and multiple operations including verification for every command. I tried to follow the datasheet for the IC and the protocol is quite hard to implement from scratch.

However, there is a great library for Arduino written by SparkFun. I have tried to use it in a small test project and was so delighted with the results that I have heavily based my library on their code. Thank you, guys!

One more interesting point. As I said, the security features require special configuration of the chip and this configuration was made by Sparkfun library while I was playing with it. Problem is that the configured chip is locked and the configuration can not be changed anymore (security!). So, if I want to write and debug correct configuration code I need a long long reel of the chips for trial and error as after every wrong attempt the chip will become just useless. That means the configuration part of the library will be left to the very end and I will continue working with other functions. In the meantime, I can continue wiring the ATECC508A code to my FIDO2 implementation.