Host Library Documentation

The diagram depicts the Host software stack.

OPTIGA Features Curves/Algorithms Trust M V1 Trust M V3
ECC ECC NIST P 256/384 Yes Yes
ECC NIST P 521 Yes
ECC Brain pool P256/384/512 r1 Yes
RSA RSA 1024/2048 Yes Yes
Key Derivation TLS v1.2 PRF SHA 256 Yes Yes
TLS v1.2 PRF SHA 384/512 Yes
HKDF SHA-256/384/512 Yes
AES AES-128/192/256(ECB, CBC, CBC-MAC, CMAC) Yes
Random Generation TRNG, DRNG, Pre-Master secret for RSA Yes Yes
HMAC HMAC with SHA256/384/512 Yes
Hash SHA 256 Yes Yes
Protected Data Update (Integrity) ECC NIST P256/384, RSA 1024/2048 Yes Yes
ECC NIST P521, ECC Brain pool P256/384/512 r1 Yes
Protected Data/Key/Metadata Update (Integrity and-or Confidentiality) ECC NIST P256/384/521, RSA 1024/2048 Yes
ECC Brain pool P256/384/512 r1 Yes
To enable the OPTIGA TRUST M V1 features only, define the macro OPTIGA_TRUST_M_V1. Refer config file optiga_lib_config.h for further details.

OPTIGA Host Libraries:
The OPTIGA host libraries constitutes of multiple layers which provides the following functionalities.

  1. Service Layer - APIs to interact with OPTIGA security chip for various use-case functionalities(optiga_util and optiga_crypt).
  2. Access Layer - Manages the access to the command interface of OPTIGA security chip. It also provides the communication interface to the OPTIGA(optiga_cmd and optiga_comms).
  3. Platform Abstraction Layer - Provides platform agnostic interfaces for the underlying HW and SW platform functionalities used by OPTIGA lib libraries.
  4. Platform Layer - Provides the platform specific components and libraries for the supported platforms.

Provides APIs to perform the following usecases using OPTIGA security chip:

  1. Random Number Generation
  2. Generation of Asymmetric Key pair (Public and Private Key)
  3. ECC ( NIST P256/P384/P521 and BrainPool P256r1/P384r1/P521r1 ) and RSA (1024/2048) Signature Generation and Verification
  4. Asymmetric Encryption and Decryption of data
  5. Pre-Master secret generation
  6. Generation of Symmetric Key
  7. Symmetric Encryption and Decryption of data in AES-128/192/156 in ECB,CBC,CBC-MAC and CMAC mode
  8. Shared Secret Generation
  9. Key derivation using PRF and HKDF
  10. Hashing (Using SHA256 algorithms)
  11. HMAC Generation

Provides APIs to perform the following usecases with OPTIGA security chip:

  1. OPTIGA application open/restore with close/hibernate option
  2. Read/Write general purpose data objects hosted by OPTIGA
  3. Read/Write metadata information of general purpose data objects in the OPTIGA
  4. Protected Update of data, key objects and metadata of data and key objects
  5. Increment counter object

Provides internal functions to form APDU commands based on user inputs, send it to OPTIGA security chip and returns the required response to the service layer(optiga_util and optiga_crypt).
The command library support APDU for the following:

  1. Utility functionalities
  2. Cryptographic Toolbox functionalities

This layer provides the interface to communicate with OPTIGA using Infineon I2C protocol.

PAL (Platform Abstraction layer):
Platform abstraction layer for platform low level drivers like I2C, Timer, GPIO, socket and other platform dependencies. This eases the migration/porting to a different platform.

Platform Layer:

  1. Crypto Library (Third Party Library):
    Third party crypto library from mbedTLS (v 2.16.0).
  2. Infineon DAVE 4.4.2:
    DAVE APPs, XMC Library(v 2.1.18) and Keil DFP Pack(v 2.11.0)for XMC4800 IoT Connectivity Kit HW peripherals.
  3. Keil IDE

Sample Application:
Demonstrates the following usecases with and without communication channel protection:

  1. Read & Write general purpose data
  2. Cryptographic Toolbox
  3. Protected Update of data, key objects and metadata is implemented using either data or key objects