• State Not Answered
  • Replies 8 replies
  • Subscribers 75 subscribers
  • Views 2331 views
  • Users 0 members are here
Attachments (0)
Nordic Case Info
  • Case ID: 296238
Options

nrf9160 Private Key Storage

blasph

How are private keys stored on the nrf9160 modem? I've read in other forum posts and observed that the private key cannot be read out once set in the modem. Where could I find more information/documentation on how the key is securely stored and used? Is there any way I can ensure an attacker cannot read out the private key once the private key is written into the modem?

For a bit of context, I was following through the AWS IoT example (https://developer.nordicsemi.com/nRF_Connect_SDK/doc/latest/nrf/samples/nrf9160/aws_iot/README.html) and the AWS IoT Configuration (https://developer.nordicsemi.com/nRF_Connect_SDK/doc/latest/nrf/libraries/networking/aws_iot.html#lib-aws-iot

Parents Reply Children
  • 0 in reply to Amanda Hsieh

    Hi Amanda,

    Thank you for getting back to me. I was wondering if there is any further security assurances that the nrf9160 has on storing these keys. It is great that the private key cannot be read out normally. Does the nrf9160 have anything like encrypting the stored key such that only the device can make sense of the stored keys? Are they stored in a similar manner like an HSM?

    Thank you!

  • 0 in reply to blasph

    Hi,

    I think you might mean KMU — Key management unit which enforces access policies to a subset region of user information configuration register (UICR). This subset region is used for storing cryptographic key values inside the key slots, which the CPU has no access to.

    We have an example here, made by a colleague of mine:

    https://github.com/einarthorsrud/kmu_sample

    You also could have a look at this sample Hardware unique key.

    Is that what you are looking for?

    Regards,
    Amanda

  • 0 in reply to Amanda Hsieh

    Hi Amanda,

    Apologies, I've replied to the wrong thing -- I've copied over the message below

    Thank you for this information, it is quite helpful.

    When certificates are uploaded to the modem either through the LTE Link Monitor or with CMNG, are the managed with something like KMU?

    My question is more specific to once I've uploaded the Certificate and Keys as outlined in the AWS IoT Provisioning Certificates section, what happens to these keys? Are they stored directly on the modem, elsewhere in flash, or some other place? Are they stored in a plaintext format or something encrypted? Is there any certification for the level of protection the nrf9160 has for secure storage of certificates/keys like this? 

    Thank you for your help!

  • 0 in reply to blasph

    Hi, 

    Private keys and PSKs provisioned with an AT command are stored in modem, and encrypted with AES-128-CCM utilising KMU. The secure storage has not been certified. Non-confidential credentials are stored in modem in plaintext.

    Regards,
    Amanda

  • 0 in reply to Amanda Hsieh

    Hi Amanda,

    Thank you for answering this information for me. To confirm my understanding, the private keys are encrypted with AES-128-CCM and stored on the modem (which means they are encrypted at rest), correct?

    This is very helpful, I appreciate you taking the time to help me. Is there somewhere in the Nordic SDK that this covered? I'd love to read up on this more.

    Please also help to confirm my understanding with the KMU: The private keys are stored inside the UICR, which the KMU manages the Key Storage area. The private keys are stored into slots that are marked as not readable, which will return 0xDEADDEAD when attempted to be read. The private key values can be used for cryptography by being transferred with secure APB. 

    Is there anything I'm incorrect about in the above summary? I read through the KMU link and tried to condense down the information, so please forgive any inaccuracies.

    Also, does the KMU and UICR fall under the modem's area?


    Thank you!

Related
Terms of service