Matter : DAC private key protection

Hi Alex,

In general the Matter Attestation process is described both in the Matter Core specification and in our documentation: https://developer.nordicsemi.com/nRF_Connect_SDK/doc/latest/nrf/protocols/matter/end_product/attestation.html 

The cryptographic procedure is described in this section: https://developer.nordicsemi.com/nRF_Connect_SDK/doc/latest/nrf/protocols/matter/end_product/attestation.html#device-attestation-procedure

DAC Private Key is used to verify that we are a truth owner of DAC certificate - and it is done according to the Device Attestation Procedure mentioned above.  In factory data module, indeed that DAC Private Key is stored in raw format. You may change this behaviour by modifying/overwriting certain methods: https://developer.nordicsemi.com/nRF_Connect_SDK/doc/latest/matter/nrfconnect_factory_data_configuration.html#using-own-factory-data-implementation 
For example this one:CHIP_ERROR SignWithDeviceAttestationKey(const ByteSpan & messageToSign, MutableByteSpan & outSignBuffer) override;

Regards,
Amanda H.

Hi, thanks for replying.

So you basically need to supply your own factory data implementation if you want to do this (possibly using cryptocell). An alternative would be to have some form of readback protection, is this possible?

Kind regards and thanks

Hi, 

For the nRF Connect platform, the factory data is stored by default in a separate partition of the internal flash memory. This helps to keep the factory data secure by applying hardware write protection.

Note: Due to hardware limitations, in the nRF Connect platform, protection against writing can be applied only to the internal memory partition. The Fprotect is the hardware flash protection driver, and we used it to ensure write protection of the factory data partition in internal flash memory.

-Amanda H.