


© 2018 Arm Limited

## Securing IoT Applications with mbed TLS

Part 3:

Hannes Tschofenig, Arm

July 2018, Munich

### Why should we talk about RNGs?

- The importance of random numbers for security protocols was already discussed in the first webinar.
- As a reminder, watch Paul Bakker's talk "Entropy Requirements in IoT" on the Arm Mbed YouTube channel.
- The example code so far did not use a real RNG because of the following "development only" settings in the mbed TLS `config.h` file:
  - `#define MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES`
  - `#define MBEDTLS_TEST_NULL_ENTROPY`
- The result is a compile-time warning: `THIS BUILD IS *NOT* SUITABLE FOR PRODUCTION USE`. The null entropy source provides no entropy at all, so every key, nonce and ephemeral secret derived from it is predictable.
- We will enhance our code to make use of the MCU's hardware-based random number generator.

## Our Hardware



### **Keil Evaluation Board**

- We are still using the Keil MCBSTM32F400 Evaluation Board, which carries the STM32F407IG MCU.
- This MCU is built around an Arm Cortex-M4 processor and includes a hardware-based random number generator.







### **RNG Availability?**

ST alone offers 410 MCUs with RNG support, and other vendors have comparable offerings.





(Screenshot of the STM32CubeMX MCU selector filtered for parts with an RNG. The visible columns are Flash, RAM, number of I/Os and maximum frequency; the listed parts range from 512 to 1024 kBytes of flash, 128 or 192 kBytes of RAM, 51 to 140 I/Os and 120 or 168 MHz.)


## Accessing the RNG



### **STM32F407IG RNG**

- The STM32F407IG product webpage contains pointers to the reference manuals, including **RM0090**.
- Section 24 of RM0090 describes the RNG functionality. In a nutshell:
  - The RNG delivers a 32-bit random number with every read of its data register.
  - The peripheral is attached to the AHB2 bus and is memory mapped.
  - The RNG can be operated in two modes: interrupt-driven mode and polling mode.
  - Three registers are dedicated to the RNG: (1) a control register (RNG_CR), (2) a status register (RNG_SR) and (3) a data register (RNG_DR).



### **RNG Register Map**

Register map of the RNG as given in RM0090 (bits not listed are reserved):

| Offset | Register | Reset value | Fields |
|--------|----------|-------------|--------|
| 0x00   | RNG_CR   | 0x0000 0000 | IE (bit 3), RNGEN (bit 2) |
| 0x04   | RNG_SR   | 0x0000 0000 | SEIS (bit 6), CEIS (bit 5), SECS (bit 2), CECS (bit 1), DRDY (bit 0) |
| 0x08   | RNG_DR   | 0x0000 0000 | RNDATA[31:0] |


### **Steps for accessing the RNG**

1. Enable the peripheral by setting the RNGEN bit in RNG_CR. The RNG clock on the AHB2 bus must be enabled beforehand, and the RNG clock itself must be running; it is derived from the 48 MHz PLL output (PLL48CLK).
2. Check for errors and random number availability. Perform three checks via the RNG_SR register:
   1. Is there a seed error? (SEIS bit)
   2. Is there a clock error? (CEIS bit)
   3. Is a random number ready? (DRDY bit)
3. Read the 32-bit random number from RNG_DR.

Note: The first random number generated after setting the RNGEN bit should not be used, according to FIPS PUB 140-2 (Federal Information Processing Standard Publication 140-2); it is only saved for comparison with the next number.

Note: Each generated random number has to be compared with the previously generated number. The test fails if any two compared numbers are equal (continuous random number generator test).





## Hands-On: **Testing the RNG Hardware**
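Putting the steps above together, here is an added example (my own code, not part of the webinar's slides or of mbed TLS) of a polling-mode driver for the STM32F407 RNG. It performs the three RNG_SR checks in the order given above and implements the two FIPS 140-2 notes: the first word after enabling is captured only for comparison, and every word is compared with its predecessor before it is handed out. The register layout, bit positions and the 0x50060800 base address are taken from RM0090; the `RNG_POLL_LIMIT` budget and the error-code names are my assumptions. The driver takes a pointer to the register block so that it can also be exercised on a PC against a stand-in struct.

```c
#include <stdint.h>
#include <string.h>

/* STM32F4 RNG register block (RM0090 section 24): CR, SR, DR at offsets 0x00, 0x04, 0x08. */
typedef struct {
    volatile uint32_t CR;   /* RNGEN (bit 2), IE (bit 3) */
    volatile uint32_t SR;   /* DRDY, CECS, SECS, CEIS, SEIS */
    volatile uint32_t DR;   /* RNDATA[31:0]; a read clears DRDY on real hardware */
} stm32_rng_regs;

#define RNG_CR_RNGEN (1u << 2)
#define RNG_SR_DRDY  (1u << 0)   /* data ready */
#define RNG_SR_CEIS  (1u << 5)   /* clock error, sticky, cleared by writing 0 */
#define RNG_SR_SEIS  (1u << 6)   /* seed error, sticky, cleared by writing 0 */

/* AHB2 base address of the RNG on the STM32F407 (RM0090 memory map). Only valid on
 * the target; the host test points the driver at a stand-in struct instead. */
#define STM32F4_RNG_BASE 0x50060800u
#define RNG_POLL_LIMIT 4096u   /* assumption: one word per 40 RNG clocks, so this is generous */

enum { RNG_OK = 0, RNG_ERR_SEED = -1, RNG_ERR_CLOCK = -2, RNG_ERR_TIMEOUT = -3, RNG_ERR_REPEAT = -4 };

typedef struct {
    stm32_rng_regs *regs;
    uint32_t last;       /* previous word, for the FIPS 140-2 continuous test */
    int have_last;       /* 0 until a comparison word has been captured */
} stm32_rng;

/* One raw word from RNG_DR. The three RNG_SR checks from the slides, in order:
 * seed error (SEIS), clock error (CEIS), data ready (DRDY). No continuous test here. */
static int rng_raw_word(stm32_rng *ctx, uint32_t *out)
{
    stm32_rng_regs *r = ctx->regs;
    for (unsigned i = 0; i < RNG_POLL_LIMIT; i++) {
        uint32_t sr = r->SR;
        if (sr & RNG_SR_SEIS) {
            /* RM0090 recovery: clear SEIS, then clear and set RNGEN to restart the
             * RNG. The first word after the restart must be discarded again. */
            r->SR = sr & ~RNG_SR_SEIS;
            r->CR &= ~RNG_CR_RNGEN;
            r->CR |= RNG_CR_RNGEN;
            ctx->have_last = 0;
            return RNG_ERR_SEED;
        }
        if (sr & RNG_SR_CEIS) {
            /* RNG clock missing or slower than HCLK/16: fix the RCC/PLL48CLK setup. */
            r->SR = sr & ~RNG_SR_CEIS;
            return RNG_ERR_CLOCK;
        }
        if (sr & RNG_SR_DRDY) {
            *out = r->DR;
            return RNG_OK;
        }
    }
    return RNG_ERR_TIMEOUT;
}

/* Enable the RNG and capture, but never hand out, the first word (FIPS 140-2 rule). */
int stm32_rng_init(stm32_rng *ctx, stm32_rng_regs *regs)
{
    uint32_t first;
    ctx->regs = regs;
    ctx->have_last = 0;
    regs->CR |= RNG_CR_RNGEN;
    int rc = rng_raw_word(ctx, &first);
    if (rc != RNG_OK) return rc;
    ctx->last = first; ctx->have_last = 1;
    return RNG_OK;
}

/* One 32-bit word that passed the continuous test, i.e. differs from its predecessor. */
int stm32_rng_word(stm32_rng *ctx, uint32_t *out)
{
    uint32_t w; int rc;
    if (!ctx->have_last) {                 /* after a restart: re-capture a comparison word */
        if ((rc = rng_raw_word(ctx, &w)) != RNG_OK) return rc;
        ctx->last = w;
        ctx->have_last = 1;
    }
    if ((rc = rng_raw_word(ctx, &w)) != RNG_OK) return rc;
    if (w == ctx->last) return RNG_ERR_REPEAT;   /* stuck output: refuse to use it */
    ctx->last = w;
    *out = w;
    return RNG_OK;
}

/* Fill a buffer of any length; this is what an entropy-source callback would call. */
int stm32_rng_fill(stm32_rng *ctx, unsigned char *buf, size_t len)
{
    while (len > 0) {
        uint32_t w;
        int rc = stm32_rng_word(ctx, &w);
        if (rc != RNG_OK) return rc;
        size_t n = len < sizeof w ? len : sizeof w;
        memcpy(buf, &w, n);
        buf += n; len -= n;
    }
    return RNG_OK;
}
```

On the target, enable the RNG clock in RCC_AHB2ENR and make sure PLL48CLK is running before calling `stm32_rng_init` with `(stm32_rng_regs *)STM32F4_RNG_BASE`; otherwise CEIS is raised and every read fails with `RNG_ERR_CLOCK`. A seed error restarts the peripheral and invalidates the comparison word, so the caller simply retries. `RNG_ERR_REPEAT` is different: a TRNG that returns the same word twice is stuck, and the right reaction is to stop issuing keys, not to retry silently.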





## NIST SP 800-90A Rev. 1

### Deterministic random bit generator (DRBG)

NIST SP 800-90A Rev. 1 specifies the generation of random bits using deterministic methods based on either hash functions or block cipher algorithms. The DRBG is seeded from an entropy source and can be reseeded; mbed TLS implements both a hash-based variant (HMAC_DRBG) and a block-cipher-based variant (CTR_DRBG, using AES in counter mode).







### Mbed TLS Entropy & DRBG API

### **Entropy accumulator implementation**

```c
// Entropy context structure
mbedtls_entropy_context entropy;

// Entropy context initialization
mbedtls_entropy_init(...)

// Adds an entropy source to poll: this is where our hardware-based RNG is added
mbedtls_entropy_add_source(...)

// Free entropy context
mbedtls_entropy_free(...)
```

### **DRBG Mechanism Based on Block Ciphers**

```c
// CTR_DRBG context structure
mbedtls_ctr_drbg_context ctr_drbg;

// Initializes the CTR_DRBG context
mbedtls_ctr_drbg_init(...)

// Seed the CTR_DRBG: linked with the entropy context
mbedtls_ctr_drbg_seed(...)

// Turns prediction resistance on or off
mbedtls_ctr_drbg_set_prediction_resistance(...)

// Clears the CTR_DRBG context
mbedtls_ctr_drbg_free(...)
```

### **Configure Mbed TLS with the RNG callback**

```c
// Linked with the CTR_DRBG context, which was seeded from the entropy context
mbedtls_ssl_conf_rng(...)
```



## Hands-On: Integrating the RNG functionality



### Summary

- Random numbers are important for security.
- Pick the appropriate hardware for your task. For our security application we need a hardware-based random number generator.
- Use your favorite MCU and follow the steps above to integrate its RNG into mbed TLS.

