AT%KEYGEN Security

Hi,

Using the nRF9151 flashed with ncs-serial-modem v1.0.0 we are using at%keygen to generate a CSR for MQTT. I want to know how the firmware generates the private keys and how they are stored in the hardware to make sure that our application is as secure as possible. E.g. is the KMU being used to store the keys or is it just in the secure-fw.

Thank you,
Vineet

Top Replies

Syed Maysum Abbas Zaidi 16 days ago +1

Hi, When AT%KEYGEN is issued, the nRF9151 modem generates a private key entirely internally, stores it in the modem's own credential storage (NVM) under the specified sec_tag, and returns only the CSR…

Parents

0 Syed Maysum Abbas Zaidi 16 days ago

Hi,

When AT%KEYGEN is issued, the nRF9151 modem generates a private key entirely internally, stores it in the modem's own credential storage (NVM) under the specified sec_tag, and returns only the CSR, the private key never leaves the modem. It cannot be read back by the application and the modem uses it internally for TLS operations.

The modem and application core operate as independent subsystems, so application-side access to modem credentials is not possible. Moreover its recommended to enable AP-Protect in production devices to prevent extraction of keys and sensitive data through debug interfaces.

One point we are still confirming with our engineering team whether the modem uses the KMU internally for its credential storage. We will follow up on this.

Best Regards,
Syed Maysum
Cancel
Vote Up +1 Vote Down

Sign in to reply

Verify Answer

Cancel

Reply

0 Syed Maysum Abbas Zaidi 16 days ago

Hi,

When AT%KEYGEN is issued, the nRF9151 modem generates a private key entirely internally, stores it in the modem's own credential storage (NVM) under the specified sec_tag, and returns only the CSR, the private key never leaves the modem. It cannot be read back by the application and the modem uses it internally for TLS operations.

The modem and application core operate as independent subsystems, so application-side access to modem credentials is not possible. Moreover its recommended to enable AP-Protect in production devices to prevent extraction of keys and sensitive data through debug interfaces.

One point we are still confirming with our engineering team whether the modem uses the KMU internally for its credential storage. We will follow up on this.

Best Regards,
Syed Maysum
Cancel
Vote Up +1 Vote Down

Sign in to reply

Verify Answer

Cancel

Children

0 Vineet.Aggarwal 16 days ago in reply to Syed Maysum Abbas Zaidi

Hi Syed,

Okay that makes sense, thank you!

Best,
Vineet
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Syed Maysum Abbas Zaidi 12 days ago in reply to Vineet.Aggarwal

Hi,

Your Welcome, and we will update you regarding the KMU as soon as we get any response from the relevant Team.

Best Regard,
Syed Maysum
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Syed Maysum Abbas Zaidi 2 hours ago in reply to Syed Maysum Abbas Zaidi

Hi,

Following up with the clarification from our internal team:

When AT%KEYGEN generates a private key, the process is hardware assisted within the modem's secure environment. The private key is then stored encrypted in the modem's internal secure storage and this is a modem domain mechanism, separate from the application side KMU. So to directly answer your question the KMU is not used for modem credential storage.

Best Regards,
Syed Maysum
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel