• State Not Answered
  • Replies 3 replies
  • Subscribers 87 subscribers
  • Views 1347 views
  • Users 0 members are here
Attachments (0)
Nordic Case Info
  • Case ID: 271398
Options
This post is older than 2 years and might not be relevant anymore
More Info: Consider searching for newer posts

nRF9160 Secure storage

mglettig

We are building a device where nRF9160 acts as a master that runs Zephyr OS (using NRF Connect SDK). Our device has a 2nd communication interface beside the nRF9160 modem. The 2nd channel is a WiFi modem. Now we would like to store the private key for TLS communication on the nRF9160 SoC. What is the right place to store the key so that it can be used not only by the cellular modem but also for the WiFi modem?

According to this page https://developer.nordicsemi.com/nRF_Connect_SDK/doc/latest/nrfxlib/nrf_modem/doc/tls_dtls_configuration.html the private key (and certificates) are normally stored in the modem. But it's not possible to read out the PK again as this would be a security issue. Is there a way to store them on the cryptocell instead? Is this feature somehow already supported by the NRF SDK?

Best regards,

Michael

Parents
  • 0

    Hi Michael, 

    Now we would like to store the private key for TLS communication on the nRF9160 SoC

     Please see the following limitations in the nRF9160 modem, copied from the latest modem firmware (v1.3.0) release notes:

    *** Limitations
***************
- TLS/DTLS
    - Up to three simultaneous TLS/DTLS connections are possible. It is recommended to free the
      modem resources by closing unused network sockets.
    - Maximum server certificate chain size has a limit of 4kB.
    - Server certificate expiry time is not verified.
    - pkcs#8 is not supported.
    - Absolute maximum number of supported credentials is 32. The actual amount depends on size of
      credentials as memory area reserved for credentials may be a limiting factor as well.
    - DTLS supports PSK authentication only.
    - 2kB secure socket buffer size.

    Kind regards,
    Øyvind

Reply
  • 0

    Hi Michael, 

    Now we would like to store the private key for TLS communication on the nRF9160 SoC

     Please see the following limitations in the nRF9160 modem, copied from the latest modem firmware (v1.3.0) release notes:

    *** Limitations
***************
- TLS/DTLS
    - Up to three simultaneous TLS/DTLS connections are possible. It is recommended to free the
      modem resources by closing unused network sockets.
    - Maximum server certificate chain size has a limit of 4kB.
    - Server certificate expiry time is not verified.
    - pkcs#8 is not supported.
    - Absolute maximum number of supported credentials is 32. The actual amount depends on size of
      credentials as memory area reserved for credentials may be a limiting factor as well.
    - DTLS supports PSK authentication only.
    - 2kB secure socket buffer size.

    Kind regards,
    Øyvind

Children
  • 0 in reply to Øyvind

    Hi Oyvind

    Thanks for pointing out the limitations of the modem. However this does not answer my question.

    How can I store the TLS/DTLS credentials in the cryptocell so that they can be used by Zephyr to do TLS communication using other interfaces than the cellular modem (e.g. a WiFi or Ethernet Interface that is connected as a shield to Zephyr)? My question points in the direction of how are multiple communication interfaces supported by NRF Connect SDK?

    Kind regards,

    Michael

  • 0 in reply to mglettig

    Hi Michael,

    Sorry for the short answer. I needed to contact our developers to find anything relatable. There is a new sample available in the Zephyr repo (on master branch).

    Note that this is on the master branch, which may be somewhat unstable. 
    But it's not possible to read out the PK again as this would be a security issue. Is there a way to store them on the cryptocell instead?

     Yes, this correct, storing credentials in the modem is not possible to read out.

    Let me know how this works for you.

    Kind regards,
    Øyvind

Related
Terms of service