This post is older than 2 years and might not be relevant anymore
More Info: Consider searching for newer posts

nRF5340 - private key vault

Hi,

I've read that highly secured IoT devices have a hardware root of trust.
One very important feature of it is a private identity keys to prove identities for mutual authentication when communicating with cloud services.

The private key is used to sign a token of information (or certificate) as a proof of identity and authorization that can be validated by the remote peer against a public key.
Now, the private keys must be unique and can’t be stolen or forged. They must be stored in a hardware-protected vault.
The question is does NORDIC nRF5340 have any means to uniquely generate and securely store the private keys ?

What's in short the correct way to manage at this ?

Gabriele

Top Replies

0 Simon over 5 years ago

Regarding key storage, the KMU and UICR is the way to go for secure key management on the nRF5340. A colleague made a sample demonstrating how to use the KMU peripheral: https://github.com/einarthorsrud/kmu_sample. It was made for nRF9160, but I think it should work for the nRF5340 as well. If you want to learn more about the KMU, just browse DevZone, where you'll find several cases about it.

Regarding generating the key, I need to read up and do some more investigation before coming up with a qualified answer.

Best regards,

Simon
Cancel
Vote Up +1 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Simon over 5 years ago

Regarding key generation on chip, I think this case and this answer may be helpful.

Best regards,

Simon
Cancel
Vote Up +1 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Gabriele over 5 years ago in reply to Simon

Thank you Simon for the optimal answer.

I have another question.

I know that the QSPI peripheral allows to augment memory by interfacing an external SPI Flash memory.
In addition to the internal memory, does DFU by FOTA support the update of the external memory as well ?

Gabriele
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Simon over 5 years ago in reply to Gabriele

I'm happy to help!

Could you open a new case about this, since it's not related to the initial question? Then we can keep DevZone more organized, and easier for future developers to navigate.

Best regards,

Simon
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel