Crypto: ECDH
The ECDH sample demonstrates how to use the PSA Crypto API to perform an Elliptic-curve Diffie-Hellman key exchange using the ECDH algorithm with two 256-bit ECC key pairs. The sample allows two parties (Alice and Bob) to obtain a shared secret through key exchange.
Requirements
The sample supports the following development kits:
Hardware platforms |
PCA |
Board name |
|
|---|---|---|---|
PCA10153 |
|
||
PCA10090 |
|
||
PCA10171 |
|
||
nRF7120 DK |
nrf7120dk |
|
|
nRF54LV10 DK |
PCA10188 |
|
|
nRF54LS05 DK |
PCA10214 |
nrf54ls05dk |
|
PCA10184 |
|
||
nRF54LC10 DK |
PCA10226 |
nrf54lc10dk |
|
PCA10156 |
|
||
PCA10156 |
|
||
PCA10156 |
|
||
PCA10175 |
|
||
PCA10095 |
|
||
PCA10056 |
|
For more security, it is recommended to use the */ns variant of the board target.
When built for this variant, the sample is configured to compile and run as a non-secure application using security by separation.
Therefore, it automatically includes Trusted Firmware-M that prepares the required peripherals and secure services to be available for the application.
Overview
The sample enables PSA Crypto API and configures the following Kconfig options for the cryptographic features:
CONFIG_PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE,CONFIG_PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT,CONFIG_PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_EXPORT- Used to enable support for ECC key pair types from among the supported cryptographic operations for Key types and key management.CONFIG_PSA_WANT_ALG_ECDH- Used to enable support for the ECDH key agreement algorithm from among the supported cryptographic operations for Key agreement algorithms.CONFIG_PSA_WANT_GENERATE_RANDOM- Used to enable random number generation for key generation from among the supported cryptographic operations for RNG algorithms.
The sample also configures the cryptographic drivers for each board target using Kconfig options in the overlay files in the boards directory.
These Kconfig options are then used by the build system to compile the required cryptographic PSA directives and make the configured cryptographic drivers available at runtime. See Driver selection for more information about this process.
Once built and run, the sample performs the following operations:
Initialization:
The PSA Crypto API is initialized using
psa_crypto_init().Two random 256-bit ECC key pairs are generated using
psa_generate_key()and stored in the PSA crypto keystore. The key pairs are configured with usage flags for key derivation.
ECDH key exchange using the generated key pairs:
Public keys are exported using
psa_export_public_key().ECDH key agreement is performed using
psa_raw_key_agreement()with thePSA_ALG_ECDHalgorithm. This function calculates the shared secret using one party’s private key and the other party’s public key.The calculated secrets are compared to verify that both parties obtained the same shared secret.
Cleanup:
The ECC key pairs are removed from the PSA crypto keystore using
psa_destroy_key().
Building and running
This sample can be found under samples/crypto/ecdh in the nRF Connect SDK folder structure.
For more security, it is recommended to use the */ns variant of the board target (see the Requirements section above.)
When built for this variant, the sample is configured to compile and run as a non-secure application using security by separation.
Therefore, it automatically includes Trusted Firmware-M that prepares the required peripherals and secure services to be available for the application.
To build the sample, follow the instructions in Building an application for your preferred building environment. See also Programming an application for programming steps and Testing and optimization for general information about testing and debugging in the nRF Connect SDK.
Note
When building repository applications in the SDK repositories, building with sysbuild is enabled by default.
If you work with out-of-tree freestanding applications, you need to manually pass the --sysbuild parameter to every build command or configure west to always use it.
Testing
After programming the sample to your development kit, complete the following steps to test it:
Connect to the kit with a terminal emulator (for example, the Serial Terminal app). See Testing and optimization for the required settings and steps.
Build and program the application.
Observe the logs from the application using the terminal emulator. For example, the log output should look like this:
*** Booting nRF Connect SDK v3.1.0-6c6e5b32496e ***
*** Using Zephyr OS v4.1.99-1612683d4010 ***
[00:00:00.251,159] <inf> ecdh: Starting ECDH example...
[00:00:00.251,190] <inf> ecdh: Creating ECDH key pair for Alice
[00:00:00.251,342] <inf> ecdh: ECDH key pair generated successfully!
[00:00:00.251,373] <inf> ecdh: Creating ECDH key pair for Bob
[00:00:00.251,708] <inf> ecdh: ECDH key pair generated successfully!
[00:00:00.251,739] <inf> ecdh: Export Alice's public key
[00:00:00.251,770] <inf> ecdh: ECDH public key exported successfully!
[00:00:00.251,800] <inf> ecdh: Export Bob's public key
[00:00:00.251,831] <inf> ecdh: ECDH public key exported successfully!
[00:00:00.251,861] <inf> ecdh: Calculating the secret value for Alice
[00:00:00.251,892] <inf> ecdh: ECDH secret calculated successfully!
[00:00:00.251,922] <inf> ecdh: Calculating the secret value for Bob
[00:00:00.251,953] <inf> ecdh: ECDH secret calculated successfully!
[00:00:00.251,984] <inf> ecdh: Comparing the secret values of Alice and Bob
[00:00:00.252,014] <inf> ecdh: The secret values of Alice and Bob match!
[00:00:00.252,045] <inf> ecdh: Example finished successfully!