This post is older than 2 years and might not be relevant anymore
More Info: Consider searching for newer posts

Usage of RTL and Device root key in Cryptocell

Hello,

While an attempt to develop solid security mode bulded around Root of Trust starting from RTL and Device root key we found that unfortunately, it is mentioned in ssi_aes.h of latest 15.0.0 SDK:

SASI_AES_USER_KEY = 0, /*!< user key.* /
SASI_AES_PLATFORM_KEY = 1, /*!< Kplt hardware key.* / - is it K(RTL)?
SASI_AES_CUSTOMER_KEY = 2, /*!< Kcst hardware key.* / - is it K(DR)?

         /* Currently only SASI_AES_USER_KEY is supported - the key is plaintext and provided in the pKeyData parameter. */

Are there planned dates to implement hardware keys functionality? It provides the good way to build the whole security model with the connection to Root of Trust. Currently used User key is much more less securely stored as I see

Parents
  • Hi artemkkk,

    We do not discuss timelines of features in this forum. Please contact your regional sales manager to know the details of timelines.

  • Aryan thanks! I'll check this out

    Anyway, if any suggestions on this it would be useful:

    SASI_AES_PLATFORM_KEY = 1, /*!< Kplt hardware key.* / - is it K(RTL)?
    SASI_AES_CUSTOMER_KEY = 2, /*!< Kcst hardware key.* / - is it K(DR)?

Reply
  • Aryan thanks! I'll check this out

    Anyway, if any suggestions on this it would be useful:

    SASI_AES_PLATFORM_KEY = 1, /*!< Kplt hardware key.* / - is it K(RTL)?
    SASI_AES_CUSTOMER_KEY = 2, /*!< Kcst hardware key.* / - is it K(DR)?

Children
  • /* Currently only SASI_AES_USER_KEY is supported - the key is plaintext and provided in the pKeyData parameter. */

    This is in SaSi_AesSetKey function, I think the only option is to derive a key using SaSi_UtilKeyDerivation (ssi-util_key_derivation.h) and use that in a subsequent call as an AES user key

    The options  Kplt and Kcst for other types of hardware activities in previous designs (more complex CryptoCell units, catered for Cortex A-type devices)

     

     

  • Aryan, many thanks for reply!

    Just to clarify whether we are talking about the same features, please, advice.

    It is mentioned directly in all documentation for nrf52840 about the availability of the following key types can be selected for cryptographic operations:

    • RTL key KPRTL
    • Device root key KDR
    • Session key

    Check here: http://infocenter.nordicsemi.com/topic/com.nordic.infocenter.nrf52840.ps/cryptocell.html?cp=2_0_0_5_5_3#cc_kdr

    Unfortunatelly we didn't manage to find any mentions in SDK about those keys, other than posted in initial message. Anyway there is HOST_CRYPTOKEY_SEL hardware registers mentioned in datasheet, is there any examples of use and access to this register and keys mentioned in in datasheet?

  • Hi artemkkk,

    unfortunately our SDK examples are not using those key selection features in cryptocell yet. 

  • Hi Aryan! Thanks for feedback

    Anyway, should we consider your answer as a confirmation that those key selection features are available, but not described in SDK? We are now on our own to research how deal with those keys or there are any option how we can request support on that?

  • > should we consider your answer as a confirmation that those key selection features are available, but not described in SDK?

    These key features are available in the ARM Cryptocell 310 but we do not have experience using them yet, so I am not in a position to suggest or give you a direction. Sorry for this.