Diffie Hellman generation details

Hi!

We are in the process of certifying a product using an nRF52840 against EN18031-1 (RED Cybersecurity) where we need to answer details regarding generation of cryptographic keys. Could you please help us answer the following information:

How is the Diffie Hellman key used for LE Secure connections generated using the SoftDevice controller in nRF Connect SDK version 2.5? We would like details such as which random number generator is used, how it is seeded, and pretty much all details you can provide.

We need to answer the following identifiers from the standard:

[E.Info.CCK-2.Generation]: Description of each generation mechanism for confidential cryptographic
keys, including the following details

[E.Info.CCK-2.Generation.CCK]: Specification of the confidential cryptographic keys the
mechanism generates and whether their generation adheres to best practice cryptography;
and

(if the generation mechanism for CCK relies on a random number source and is used for the
generation of confidential cryptographic key that adhere to best practice cryptography)
[E.Info.CCK-2.Generation.RNSource]:
o specify the best practices followed by the random number source; and
o explain why the random number source provides sufficient security strength; and
o explain how the random number source is configured and initialised; and
o if it is claimed that the CCK is compliant with recognised security standards or
certification schemes, provide evidence to the recognised security standard or
certification schemes the CCK complies to; and

(if the generation mechanism for CCK relies on a random number generator and is used for
the generation of confidential cryptographic key that adhere to best practice cryptography)
[E.Info.CCK-2.Generation.RNG]:
o specify whether it is a deterministic or a non-deterministic random number
generator; and
o specify the best practices followed by the random number generator; and
o specify why the random number generator provides sufficient security strength; and
o explain how the random number generator is configured and initialised; and
o if it is claimed that the CCK is compliant with recognised security standards or
certification schemes, provide evidence to the recognised security standard or
certification schemes the CCK complies to; and

(if the generation mechanism for CCK relies on a derivation mechanism/ establishment
mechanism and is used for the generation of confidential cryptographic key that adhere to
best practice cryptography) [E.Info.CCK-2.Generation.Implementation]:
o specify the best practices followed by the derivation mechanism/ establishment
mechanism; and
o specify the key derivation/generation algorithm used for that; and


(if the generation mechanism generates confidential cryptographic keys used solely by a
specific security mechanism, where a deviation from best practice cryptography is identified
and justified under the terms of sections ACM or AUM or SCM or SUM or SSM)
[E.Info.CCK-2.Generation.Deviation]:
o reference the corresponding justification and to the required information the
justification is based on.

And just for future note, it would be great if Nordic could supply a document where they detail which parts of EN 18031 are satisfied and how. There are surely a lot of other products out there that will have to answer the same kind of questions.
