NXP AN12661 Application note

AN12661

EdgeLockTM SE05x for Wi-Fi Credential Protection

Rev. 1.2 — 7 December 2020 Application note 582911

Document information

Information Content

Keywords EdgeLock SE05x, Wi-Fi credentials, WPA-EAP-TLS

Abstract This application note describes how to leverage EdgeLock SE05x for Wi-Fi

credential protection. It explains how to run a demo setup that showcases the use of EdgeLock SE05x ease of use configuration to authenticate devices to a Wi-Fi network based on WPA-EAP-TLS protocol.

NXP Semiconductors

EdgeLockTM SE05x for Wi-Fi Credential Protection

Revision history

Revision number

1.0 2020-05-14 First version.

1.1 2020-06-12 ssscli compilation instructions updated

1.2 2020-12-07 Updated to the latest template and fixed broken URLs

Date Description

AN12661

Application note Rev. 1.2 — 7 December 2020

582911 2 / 17

NXP Semiconductors

1 Abbreviations

Table 1. Abbreviations

Acronym Description

WSN Wireless Sensor Network

AP Access Point

CA Certificate Authority

RADIUS Remote Authentication Dial-In User Service

PCR Platform Configuration Registers

OEM Original Equipment Manufacturer

ECC Elliptic-Curve Cryptography

MCU Micro Controller Unit

PMK Pairwise Master Key

PTK Pairwise Transient Key

PBKDF Password-Based Key Derivation Function

PSK Pre-Shared Key

EAP Extensible Authentication Protocol

TLS Transport Layer Security

SSL Secure Sockets Layer

AN12661

EdgeLockTM SE05x for Wi-Fi Credential Protection

Application note Rev. 1.2 — 7 December 2020

582911 3 / 17

NXP Semiconductors

EdgeLockTM SE05x for Wi-Fi Credential Protection

2 EdgeLock SE05x for Wi-Fi credential protection

Today’s networks include a wide range of wireless devices, from computers and phones to IP cameras, smart TVs and connected appliances. As such, wireless networks must be secured to protect your devices and your sensitive data from being compromised.

Wi-Fi Protected Access (WPA), and its evolution WPA2, are security standards designed to create secure wireless networks. There are different WPA versions based on the target end-user, method of authentication key distribution and encryption protocol used.

Designed for home networks, WPA-PSK secures wireless networks using Pre-Shared Key (PSK) authentication. The device network traffic is encrypted deriving its key from this shared key, which may be entered as hexadecimal digits or as a passphrase. For instance, if a passphrase is used, the encryption key is calculated by applying the PBKDF2 key derivation function to the passphrase.

Designed for enterprise use, WPA-Enterprise typically secures wireless networks using a Remote Authentication Dial-In User Service (RADIUS) server dedicated to authentication purposes. The device authentication to the network is achieved using variants of the Extensible Authentication Protocol (EAP) protocol. For instance, EAP-TLS (Transport Layer Security) provides certificate-based and mutual authentication of the client and the network. It relies on client-side and server-side certificates to perform authentication and can be used to dynamically generate user-based and session-based keys to secure subsequent communications between the Wi-Fi client and the access point.

AN12661

The EdgeLock SE05x allows us to securely authenticate devices to a Wi-Fi network based on the WPA-EAP-TLS authentication protocol. In this respect, the EdgeLock SE05x offers a tamper resistant platform that allows you to safely store credentials such as the sensitive private key and certificate in the case of WPA-EAP-TLS authentication. If the security of an IoT device is breached, the whole network can be compromised as well. By incorporating the EdgeLock SE05x in your design, it provides a very strong level of security for the network credentials that a regular host could not offer.

Figure 1. EdgeLock SE05x Wi-Fi credential protection

Note: The RADIUS server can also be an integral part of the access point. This simplified setup is especially convenient for the home-gateway use case.

Application note Rev. 1.2 — 7 December 2020

582911 4 / 17

NXP Semiconductors

EdgeLockTM SE05x for Wi-Fi Credential Protection

AN12661

3 EdgeLock SE05x demo setup for WPA-EAP-TLS authentication

To demonstrate the use of EdgeLock SE05x to authenticate devices to a Wi-Fi network based on WPA-EAP-TLS protocol, this section describes how to run the demo setup depicted in Figure 2:

Figure 2. EdgeLock SE05x demo setup for Wi-Fi WPA-EAP-TLS connection

The demo architecture consists of three main elements: the IoT device, the access point and the RADIUS server. The IoT device is represented by a Raspberry Pi connected to the OM-SE050ARD board; the access point is represented by any commercial wireless router or access point with WPA/WPA2 Enterprise capabilities, and the RADIUS server is represented by a FreeRADIUS instance running on a Linux machine.

For authentication of the IoT device to the WiFi network the NXP-pre-provisioned keys and certificates inside EdgeLock SE05x will be used.

To set up the demo, you can follow these steps:

1. Check prerequisites

2. Configure the access point

3. Configure the FreeRADIUS server on a Linux machine

4. Configure the client (Raspberry Pi)

5. Run device network connection

Note: The network settings shown in this example are provided only for demonstration purposes. Therefore, the subsequent procedure must be adapted as required for a production deployment.

3.1 Prerequisites

Check the document AN12570-Quick Start Guide with Raspberry Pi for detailed instructions on how to bring up the hardware and software setup for the Raspberry Pi board.

3.2 Configure the access point

This section explains how to configure the access point to work in cooperation with the FreeRADIUS server. The following instructions are prepared using ASUS RT-AC58U access point as a reference. You might need to check the user manual of your access point vendor to replicate the same network configuration for your access point model.

To configure the access point, follow these instructions using any laptop:

Application note Rev. 1.2 — 7 December 2020

582911 5 / 17

NXP Semiconductors

1. Connect to the access point with an Ethernet cable.

2. Open a browser and log in to the access point (AP). The address of the AP is usually

3. Go to the wireless settings menu and make the following adjustments:

Note: For your convenience, you can set up a static IP address to the Linux machine and the Raspberry Pi. Check the user manual of your AP for instructions.

See Figure 3 as a reference on what the network configuration looks like on ASUS RTAC58U access point.

AN12661

EdgeLockTM SE05x for Wi-Fi Credential Protection

192.168.1.1 or 192.168.0.1, but this might be different for your access point. We will later refer to it as access_point_ip.

a. Give the wireless network name (SSID) an identifiable name. We will later refer to

it as ssid_name. b. Set the wireless security/authentication method to WPA/WPA2 Enterprise. c. Provide the IP address of the linux machine behaving as the RADIUS server. We

will later refer to it as radius_server_ip. d. Set the RADIUS server port to 1812, which is the default for the RADIUS protocol. e. Choose a password in RADIUS server password field. We will refer to this

password as radius_server_password later.

Figure 3. Access point configuration

3.3 Configure the FreeRADIUS server on a Linux machine

This section explains how to install and configure FreeRADIUS server on a Linux computer. The Linux distribution chosen for this demonstration is Ubuntu 16.04 LTS, but

Application note Rev. 1.2 — 7 December 2020

582911 6 / 17

+ 11 hidden pages

NXP AN12661 Application note

Specifications and Main Features

Frequently Asked Questions

User Manual

1 Abbreviations

2 EdgeLock SE05x for Wi-Fi credential protection

3 EdgeLock SE05x demo setup for WPA-EAP-TLS authentication

3.1 Prerequisites

3.2 Configure the access point

3.3 Configure the FreeRADIUS server on a Linux machine