• State Verified Answer
  • Replies 15 replies
  • Subscribers 75 subscribers
  • Views 2453 views
  • Users 0 members are here
Attachments (0)
Nordic Case Info
  • Case ID: 279344
Options

Calculate CMAC using KMU and nrfx library

GiulianoFranchetto

Hi,

Is it possible to calculate a CMAC using the nrfx security library?

Our keys are stored in the KMU of a nRF9160.

For now, we are using mbedtls function mbedtls_aes_setkey_enc_shadow_key( ) for encryption for example, but I've not found a way to calculate a 4-bytes CMAC.

Regards

Giuliano

Parents Reply Children
  • 0 in reply to GiulianoFranchetto

    Hi

    Just heard back from our developers. There is no way of doing CMAC calculation with a KMU key at the moment.

    Here is a copy from one of my previous answers (to a private case), which might help you choose how you will store your keys:
    "

    What you want is likely either OTP or Internal Trusted Stroage (ITP).
    ITP is showcased in the Crypto: Persistent key storage sample.

    OTP is best for keys that are written once, and will stay the same during the device lifetime.
    ITP is best if you intend to change the keys in runtime. (Delete old and add new)

    "

    Regards,
    Hellesvik

  • 0 in reply to Sigurd Hellesvik

    Hi,

    Great, thanks for the answer.

    With ITP available, when should we use Hardware Unique Key ?

    I'm a bit lost as there are many "keys" entry in the nRFx specification: KMU, HUK, OTP, ITP, nRF9160 has certificate manager...

    Could it be possible to have a small table to know when to use which module? Like taking usual use cases for any device on the field, and recommend which module to use?

    Regards

    Giuliano

  • 0 in reply to GiulianoFranchetto

    Hi

    GiulianoFranchetto said:
    With ITP available, when should we use Hardware Unique Key ?

    For the nRF91 series and nRF53 series, the HUK library use the KMU peripheral.
    The CryptoCell can access keys in the KMU directly, without using the application as a middleman.

    The ITS library stores its keys in secure flash. To learn how these are secured, see  Internal Trusted Storage (ITS) Service.

    Even though both keys should be secure, the ones stored by HUK are more secure, because of the fact that they are separated by hardware.

    Also, remark that TF-M is still under developement, and that for ITS:
    "Currently, the TF-M Secure Storage service implements PSA Protected Storage version 1.0-beta2. There is not yet an implementation of PSA Internal Trusted Storage in TF-M." [1]

    So there you have yet another abbreviation: PSA Protected Storage (PS)

    GiulianoFranchetto said:
    Could it be possible to have a small table to know when to use which module? Like taking usual use cases for any device on the field, and recommend which module to use?

    This is a great idea! I will see if I can make such a "guide". I can not make any guarantees for when this is done, but thanks for the suggestion.

    Regards,
    Sigurd Hellesvik

  • 0 in reply to Sigurd Hellesvik

    Hi,

    Sigurd Hellesvik said:
    This is a great idea! I will see if I can make such a "guide". I can not make any guarantees for when this is done, but thanks for the suggestion.

    Glad you love the idea Slight smile

    Can't wait for that guide, before I'll need to rework all of my security/crypto code!

    Regarding security, I'd prefer to be as secure and efficient as possible.

    If I can be of any help, feel free to ask.

    I'll keep the ticket open if you don't mind, so we can keep track of the progress on either the guide or suggestions/ideas coming from the community.

    Regards

    Giuliano

Related
Terms of service