What is the best way to sign a message using RSA protocol ?

Do you really require RSA? RSA is slow and quirky, NIST recommends at least 3072 bit RSA for good security, which will be really slow on a microcontroller.

Can't you use ECC (elliptic curves) signatures? ST's crypto library provides the ED25519 algorithm which is currently one of the best available options. Alternatively, you can use ECDSA signatures (I'm not sure which curve exactly is ST using for ECDSA).

You can use a third party implementation too, for example micro-ecc for ECDSA (I recommend the secp256k1 curve) or one of many available ED25519 implementations.

Yes, unfortunately, i really need RSA because it is part of a handshake where the device send me a token to be encrypted with a private RSA key.

I'e found the mbed RSA source file and it is also generated using the STM32cubeMX.

When you say RSA is slow, have you already made some tests ? How much time it will take to encrypt 1KB ?

I am just creating/organizing the environment to make some tests.

Thank you !

> How much time it will take to encrypt 1KB ?

It depends on your microcontroller and its running frequency, Cortex-M0 will be much slower than Cortex-M7.

Also, RSA encryption is orders of magnitude faster than decryption. For Cortex-M3/4, very approximately, expect 100-200ms for RSA-2048 encryption or signing, and 1000-2000ms for RSA-2048 decryption or verification. So, multiply it by 4 to get 1KB (2048bits / 8 = 256bytes). But generally there's no need to encrypt/decrypt more than one block of RSA data at a time, and if you are doing it - likely there's something wrong with your crypto-scheme/protocol.