Key pair generation for RFM


#1

Hello all,

I have concern for generating the key pair.

Q) Which algorithm should I use for key pair generation ECC or RSA?


#2

Hi Hiren,

For provisional testing tool of NPNT compliance, we are generating key pairs using RSA with SHA-256. The verification code is verifying using the same.


#3

Are you generating key pair in RFM ?


#4

I am working on Ardupilot firmware for key genaration. I have genarated RSA2048 key and transfer to our GCS software and also tested all npnt flow from log file genaration , signing and upload to NPNT testing tool. Problem we are facing here is RSA2048 key genaration takes up 5-10 min to complete key genaration on Pixhawk 2.4.8( stm32F4). we also tested keygenaration usign ECE (using MBEDTLS_ECP_DP_BP384R1 safe curve) it taske only 20 sec to genarate 384 bit key. We get App ID using this drones public key, but when we try to upload log file to NPNT testing tool it responce is with error json. Can any one help with this? do we have Option to use ECE key for actual DGCA API?


#5

As per RPAS Guidance Manual rev.1.1, you can generate key pair on another device and transfer it to drone.


#6

Hi @abhiroop.bhatnagar Thanks for reply. I have some doubts please help me with this.

1) According to following points, do we have to encrypt mavlink chanel with AES128 ?

If keypair is not generated at RFM, it should be generated within a zone that
has the same security requirements as RFM and has to be transported to the
RFM on a communication channel secured using or equivalent of 128bit
symmetric key (minimum).

2) How This process exactly take place? Here it is mention “may be” so is it depends on us to sign new genarated keys or dont? What specific API we have to use here for key rotation?

If key rotation is required, the generated key may be signed using previous key
pair and sent for updation to DigitalSky.


#7

Hi…It would be helpful to know at what point specifically it freezes and what is displayed on the screen. Reseating the prism cards in those games fixes a good majority of the reset issues.
I would be hesitant to recommend any parts without knowing more. But replacement ram for that old PC is relatively cheap. Pc100 I believe it is.

order pcb


#8

Hello guys…
I have a big confutions with key pairs RFM public and private keys.
My very first thinking was those key pairs are provided by digital sky.
But those keys need to genarated in RFM itself.
*So how I will genrate private and publick keys - from X509 certificate comes with PA or by using openssl functions.
*After genarting will I need to sign it with dsc token or somthing else?

Please help,
Thanks


#9
  1. comp 0 implementation needs key generation on drone Hardware(we are using it). Here you need to add SSL library like OpenSSL, wolfssl, mbedtls etc. whichever compatible with your flight controller CPU. Here you have to generate Public and Private keys on Drone hardware.
  2. Which algorithm for the key generation? DGCS guidelines suggest EC key with the safe curve(http://safecurves.cr.yp.to/index.html) or RSA2048(most secure).
  3. Transfer that key to GCS. Then GCS will use that keys and drone ID(Unique Hardware ID) to get PA
  4. Download PA
  5. Extract X509 certificate
  6. Extract DGCA public key from X509 certificate (for reference https://stackoverflow.com/questions/17143606/how-to-save-public-key-from-a-certificate-in-pem-format). most of software SDK comes with OpenSSL library inbuilt use that.
  7. Verify Valid PA (1(randomly) out of 5) (later for download report you need to DGCS API which is a valid one)
  8. Use that PA Allowed area from valid PA to plan a flight.
  9. After the flight, completion Ask drone for logs with a signature using drones generated private key.
  10. Upload that logs to DGCA.

For all the above you need your own GCS, Yor own Flight Controller, and Your Management Servers(other compliance requirements).


#10

Okey thanks for the reply. So I cleared with my doubts.
I have another question - for signing the log file I’m going use private key that generated in drone/RFM itself. So it’s mendetory to sign that key with manufacturers private key? If yes please tell me how.

Thanks.


#11

Yes I missed that point. Here as drone generates key pair. The public key of the drone needs to signed by your management server, so you have to send that key to the management server it will signed and send you a certificate that you need to store in the drone Keystore. (reference DGCA guideline 3.2.2 Functionality of Flight Module Management Server point 9, 11).