nrf9160 Private Key Storage

Hi, 

All we have is the note here, saying that reading private keys (and some other types) are not allowed. There is nothing you need to do in the application, and there is also nothing you can do.

You might also be interested in TLS/DTLS configuration. It has a bit more information on how the credentials are actually used. 

Regards,
Amanda

Hi Amanda,

Thank you for getting back to me. I was wondering if there is any further security assurances that the nrf9160 has on storing these keys. It is great that the private key cannot be read out normally. Does the nrf9160 have anything like encrypting the stored key such that only the device can make sense of the stored keys? Are they stored in a similar manner like an HSM?

Thank you!

Hi,

I think you might mean KMU — Key management unit which enforces access policies to a subset region of user information configuration register (UICR). This subset region is used for storing cryptographic key values inside the key slots, which the CPU has no access to.

We have an example here, made by a colleague of mine:

https://github.com/einarthorsrud/kmu_sample

You also could have a look at this sample Hardware unique key.

Is that what you are looking for?

Regards,
Amanda

Hi,

I think you might mean KMU — Key management unit which enforces access policies to a subset region of user information configuration register (UICR). This subset region is used for storing cryptographic key values inside the key slots, which the CPU has no access to.

We have an example here, made by a colleague of mine:

https://github.com/einarthorsrud/kmu_sample

You also could have a look at this sample Hardware unique key.

Is that what you are looking for?

Regards,
Amanda

Hi Amanda,

Apologies, I've replied to the wrong thing -- I've copied over the message below

Thank you for this information, it is quite helpful.

When certificates are uploaded to the modem either through the LTE Link Monitor or with CMNG, are the managed with something like KMU?

My question is more specific to once I've uploaded the Certificate and Keys as outlined in the AWS IoT Provisioning Certificates section, what happens to these keys? Are they stored directly on the modem, elsewhere in flash, or some other place? Are they stored in a plaintext format or something encrypted? Is there any certification for the level of protection the nrf9160 has for secure storage of certificates/keys like this? 

Thank you for your help!

Hi, 

Private keys and PSKs provisioned with an AT command are stored in modem, and encrypted with AES-128-CCM utilising KMU. The secure storage has not been certified. Non-confidential credentials are stored in modem in plaintext.

Regards,
Amanda

Hi Amanda,

Thank you for answering this information for me. To confirm my understanding, the private keys are encrypted with AES-128-CCM and stored on the modem (which means they are encrypted at rest), correct?

This is very helpful, I appreciate you taking the time to help me. Is there somewhere in the Nordic SDK that this covered? I'd love to read up on this more.

Please also help to confirm my understanding with the KMU: The private keys are stored inside the UICR, which the KMU manages the Key Storage area. The private keys are stored into slots that are marked as not readable, which will return 0xDEADDEAD when attempted to be read. The private key values can be used for cryptography by being transferred with secure APB. 

Is there anything I'm incorrect about in the above summary? I read through the KMU link and tried to condense down the information, so please forgive any inaccuracies.

Also, does the KMU and UICR fall under the modem's area?

Thank you!

Yes. 

Maybe this Write Ecc key or Rsa key to kmu  issue contains also some useful information.