Associate II

Solved

STSAFE-A110 Key establishment (NIST P-256)

Forum|Forum|1 month ago
March 20, 2026
1 reply
194 views

Hello,

I'm trying to implement the Key Establishment workflow on my hardware based on STM32U5 MCU and STSAFE-A110 secure chip. The ephemeral key pair generation (StSafeA_GenerateKeyPair) works fine and the establishing key (StSafeA_EstablishKey) with the ephemeral private key and the remote host public key gives me a 48-byte shared secret by using NIST P-256 as curve ID.

In the ST library provided, it is mentioned that the StSafeA_EstablishKey function provides a shared secret. In cryptography, a key agreement should return a shared secret on 32 bytes for NIST P-256 curve ID and then this shared secret may be used to compute a 48-byte shared key using HKDF with SHA-256 for example by providing salt and info.

So what does exactly return the StSafeA_EstablishKey function of library? A shared secret or a shared key?

Remote-side (Linux-OS computer), if I compute a key agreement using the remote private key and the STSAFE ephemeral public key, I get a 32-bytes shared secret (with OpenSSL tool) but nothing matches between the computed secret of remote and stsafe. Do I have to use a stsafe remote-side?

Best regards,

Alex

Best answer by Benjamin BARATTE

Thanks for the I2C dump.

The response of the StSafeA_EstablishKey() is encrypted. As the data is formatted with 2 bytes length + the shared secret, this ciphertext is then padded to 48 bytes.

You need to decrypt the response to get the shared secret.

You have the reference code in the STSAFE-A middleware.

Best Regards,

Benjamin

B

Benjamin BARATTE

ST Employee

Hi @adegrandcourt ,

The StSafeA_EstablishKey() function is using ECDH algorithm to generate a shared secret. The shared secret is the size of the ECC curve used.

Therefore with NIST P-256, the size of the shared secret is 32 bytes.

Generally this is used as a seed to KDF function to derive key material.

You mention you have a 48 bytes value with NIST P-256 curve ID, could you share your code example ?

STSAFE-A110 may return 48 bytes value only with NIST P-384 curve ID.

Best Regards,

Benjamin

A

adegrandcourtAuthor

Associate II

Hi @Benjamin BARATTE

I cannot share my code because I rewrote the library because of library size and integration in my company own OS but I can share i2c frames exchanged.

Note that I didn't share the getting of the host C-MAC sequence counter but it is well done before key establishment.

* Generation of ECDH key pair on ephemeral slot

Tag: STSAFEA_CMD_GENERATE_KEY (0x11)
(Len: 16)
Value: STSAFEA_TAG_PRIVATE_KEY_SLOT (0x13)
Slot number: 0xFF (ephemeral)
Time limit (more significant byte): 0x00
Time limit (least significant byte): 0x01 (will be still 1 for ephemeral key)
Operation mode (more significant byte)): 0x00
Operation mode (least significant byte): 0x01 -> Key Establishment enabled
Curve identifier length (more significant byte): 0x00
Curve identifier length (least significant byte): 0x08 for NIST P-256
Curve identifier -> "\x2A\x86\x48\xCE\x3D\x03\x01\x07" for NIST P-256 OID

CRC16

I2C write
11 13 FF 00 01 00 01 00 08 2A 86 48 CE 3D 03 01 |.........*.H.=..|
07 2C 29 |.,) |

I2C read
00 00 47 04 00 20 CB 54 7C 39 84 94 27 1D 48 C7 |..G.. .T|9..'.H.|
F1 D2 94 C3 87 BD A1 3A B9 18 A1 53 0C 6C 96 A7 |.......:...S.l..|
33 6E 3D 49 D5 A5 00 20 3D 43 3B EC 33 D1 00 33 |3n=I... =C;.3..3|
7C 68 A6 BE D8 8F EC EC E0 6C 34 F3 46 2D 8E 57 ||h.......l4.F-.W|
1B A2 E9 7E 30 D6 E1 36 EF 51 |...~0..6.Q |

The response well provides a public key with format 04[len_of_x][x][len_of_y][y].

x=CB547C398494271D48C7F1D294C387BDA13AB918A1530C6C96A7336E3D49D5A5
y=3D433BEC33D100337C68A6BED88FECECE06C34F3462D8E571BA2E97E30D6E136

* Establishment of a key agreement between the stsafe's private key and the remote host's public key

Tag: STSAFEA_CMD_ESTABLISH_KEY (0x18) | HOST_CMAC (0xA0)
(Length: 70)
Value: Slot number: 0xFF (ephemeral)
STSAFEA_POINT_REPRESENTATION_ID (0x04)

Remote public key X coordinate length: 0x0020 (32)
Remote public key X coordinate: 6e84544bb8724c0b4b9822603369f06cc214b15359fcea36758b2a6b5e9ec397
Remote public key Y coordinate length: 0x0020 (32)
Remote public key Y coordinate: e1954664f30fc2ce7d999456e48d0cd2842609be05a22d48c8f0e55d248e5f76
CMAC

CRC16

I2C write
B8 FF 04 00 20 6E 84 54 4B B8 72 4C 0B 4B 98 22 |.... n.TK.rL.K."|
60 33 69 F0 6C C2 14 B1 53 59 FC EA 36 75 8B 2A |`3i.l...SY..6u.*|
6B 5E 9E C3 97 00 20 E1 95 46 64 F3 0F C2 CE 7D |k^.... ..Fd....}|
99 94 56 E4 8D 0C D2 84 26 09 BE 05 A2 2D 48 C8 |..V.....&....-H.|
F0 E5 5D 24 8E 5F 76 28 16 5F FA 18 78 |..]$._v(._..x |

I2C read
00 00 32 4D B6 F6 54 68 EE 55 90 6B 9D 62 C6 DE |..2M..Th.U.k.b..|
B0 A1 01 47 27 9D 1A 32 21 05 85 85 6A 18 20 98 |...G'..2!...j. .|
3C A1 6C 66 B5 51 B9 FE 3B 64 8A 95 1D 5A FB C4 |<.lf.Q..;d...Z..|
E1 EA 11 C1 05 |..... |

The response gives a status code to 0 (OK) and provides a secret on 48 bytes (0x32 minus the crc length(2)) i.e. 4DB6F65468EE55906B9D62C6DEB0A10147279D1A32210585856A1820983CA16C66B551B9FE3B648A951D5AFBC4E1EA11

Best regards,

Alex

B

Benjamin BARATTEBest answer

ST Employee

Thanks for the I2C dump.

The response of the StSafeA_EstablishKey() is encrypted. As the data is formatted with 2 bytes length + the shared secret, this ciphertext is then padded to 48 bytes.

You need to decrypt the response to get the shared secret.

You have the reference code in the STSAFE-A middleware.

Best Regards,

Benjamin

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded