logo slogan

Segger emSecure RSA

 

emLib

emSecure-RSA is the default version of emSecure, based on RSA asymmetrical encryption.
The RSA cryptosystem has proven robust for decades against attacks on the algorithms. For the default of 2048-bit key sizes, it is considered well beyond the capability of governments to recover a properly generated RSA private key before 2030, and most probably well beyond that.
emSecure-RSA is a fast solution to verify data on a microcontroller. Data can be verified in less than 30 ms using a default key. With smaller keys verification can even be done in less than 10 ms without using additional hardware.

 

  • Proven over decades
    Fast signature verification
    Low ROM requirements

 


Using emSecure


All emSecure products are created to be simple but powerful, and easy to integrate. It can be used in new products and even extend existing ones as emSecure is a software solution and no additional hardware is required. The code is completely written in ANSI C and can be used platform- and controller-independent.
The required key pairs can be generated with the included tool. A pass-phrase can be used to be able to regenerate the keys. The generated keys can be exported into different formats to be stored on the application code or loaded from a key file. This allows portability and exchangeability between different platforms.
Signing data, for instance firmware images, can be done with the included tool. It is also possible to integrate the signing process directly into a production application running on any PC or even on a microcontroller.
Once a signature is generated, the signed data can be verified by its signature in an embedded application or on an external application communicating with the device. Verifying data takes less than 40 ms on a Cortex-M4, running at 200 MHz, which is not significantly more time for a bootloader to start a firmware.

 

Performance

 

emSecure-RSA aims for portability and is designed to fit speed and size requirements for different targets.
The process of verifying data is technically split up into two steps:

Compute the hash of the data.
Decrypt the signature and compare the hash values.

Step 1, the computation of the hash, depends on the size of the data, whereas step 2 is dependent on the key length and takes the same time to verify any data.

 

Step

Performance

SHA-1
Hash computation

9.30 MB/sec

RSA 512 bit
Signature decryption and verification

3.20 ms

RSA 1024 bit
Signature decryption and verification

8.50 ms

RSA 2048 bit
Signature decryption and verification

24.63 ms

RSA 512 bit
Signature generation and encryption

41.53 ms

RSA 1024 bit
Signature generation and encryption

192.95 ms

RSA 2048 bit
Signature generation and encryption

1026.00 ms

 

Verifying data

 

The following table shows some total values to verify different amounts of data.

 

Data size

Key length

Decryption and
verification

Hash
computation

Total time

1 kByte

512 bit

3.20 ms

0.11 ms

3.31 ms

100 kByte

512 bit

3.20 ms

11.30 ms

14.50 ms

1 kByte

1024 bit

8.50 ms

0.11 ms

8.61 ms

100 kByte

1024 bit

8.50 ms

11.30 ms

19.80 ms

1 kByte

2048 bit

24.63 ms

0.11 ms

24.74 ms

100 kByte

2048 bit

24.63 ms

11.30 ms

35.93 ms

 

Signing data

 

The following table shows some total values to sign different amounts of data.

 

Data size

Key length

Generation and
encryption

Hash
computation

Total time

1 kByte

512 bit

41.53 ms

0.11 ms

41.64 ms

100 kByte

512 bit

41.53 ms

11.30 ms

52.83 ms

1 kByte

1024 bit

192.95 ms

0.11 ms

192.06 ms

100 kByte

1024 bit

192.95 ms

11.3 ms

204.25 ms

1 kByte

2048 bit

1026.00 ms

0.11 ms

1026.11 ms

100 kByte

2048 bit

1026.00 ms

11.30 ms

1037.30 ms

 

Memory Footprint

 

 

ROM

Static RAM

Stack

1024 bit key

2048 bit key

Verification only:

4.6 KByte

0 KByte

1.9 KByte

2.6 KByte

Verification & Generation:

5.8 KByte

1.6 KByte

2.3 KByte

 

 

Included Applications


emSecure includes all basic applications needed for securing a product. Additional applications for benchmark and validations are part of emSecure, too. The applications' source-code is included and provides an easy to use starting point for modifications and integration into other applications.

 

Application name

Target platform

Description

emKeyGen

 Windows

Generates a key pair with a given key length, either random or from a given seed.

emSign

 Windows

Digitally signs a file with your private key.

emVerify

 Windows

Verifies the signature of a digital asset with its public key.

emPrintKey

 Windows

Exports keys and signatures into C source format, to be included into any application.

emBenchmark

 Windows

Tests the speed of operations with different key lengths.

emValidate

 Windows

Validates the modules of emSecure.

The sign and verify tools are available for evaluation.
For more information contact us at info@phaedsys.com.

 

 

Utilities


The utilities are PC applications, ready-to-use for the setup step to secure your product.


Key generation
emKeyGen generates a public and a private key. The generation parameters can be set with command line options. The keys are saved in a common key file format and can be published and exchanged.
Usage: emKeyGen.exe [<Options>]

 

Exporting keys
emPrintKey exports key and signature files into a compileable format. The output can be linked into your application, so there is no need to load them from a file at runtime. This is especially useful for embedded applications.


Signing data
emSign digitally signs the file content, usually the data to be secured, with a given (private) key file and creates a signature file.

 

 

Verifying data
emVerify decrypts a signature file and verifies if the corresponding data file matches the signature.

 

 

Speed tests

emBenchmark tests the speed performance of the most common used functions like signing and verifying and prints the results.


Validation tests
emValidate tests the implementation of the algorithms and modules in emSecure with defined test vectors and parameters.

 

 

Technical Background


The emSecure signing operation starts by using a secure hash algorithm (SHA1) to generate a hash from the original data. Using the 2kBit RSA private key along with the hash, a digital signature is generated using RSA encryption.
emSecure Signing Technical Details:

]

The emSecure verification process starts with the data one wishes to verify and the digital signature which was created from the original file. A hash file is generated for the unverified data. The public key and RSA decryption is used to generate the original hash and then compared to verify whether the data file is genuine.


emSecure Verification Technical Details: