Skip to content

Device key implementation #6642

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 18 commits into from
May 24, 2018
Merged

Device key implementation #6642

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
18 commits
Select commit Hold shift + click to select a range
a8febd5
Device key implementation
Feb 21, 2018
206ca6c
Changing methods names, adding NVSTORE_ENABLED check for compilation …
Apr 16, 2018
fd92c99
Fixing the use of trng_get_bytes to include recalls if not all entrop…
Apr 22, 2018
582ee1d
Improving code style
Apr 22, 2018
98e83c2
Implementing KDF in Counter Mode for key derivation function. Moving …
May 8, 2018
9df32d1
Fix README.md grammar mistakes
May 9, 2018
73d1c8d
Fix of error macros
May 14, 2018
789eb04
Changed trng loop condition
May 14, 2018
1cb43fa
Fixing trng_get_bytes return status
May 14, 2018
efc1904
Device key implementation
Feb 21, 2018
d88f4b3
Stricter parameter check
May 16, 2018
13589fd
Merge branch 'yossi-device-key-driver' of github.com:yossi2le/mbed-os…
May 16, 2018
bf9b2cb
Fix for generate_key_by_trng
May 16, 2018
d816937
Remove unnecessary remark
May 16, 2018
492dc9f
Remove uneeded variables
May 16, 2018
b95c5f7
Replace UINT16_MAX with (uint16_t)-1 because of build failure
May 21, 2018
7401aea
Remove reset tests. Small change to cmac claculation in get_derived_key
May 22, 2018
f33f4da
Increase tests timeout to 45 second
May 23, 2018
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
46 changes: 46 additions & 0 deletions features/device_key/README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,46 @@
## DeviceKey

DeviceKey is a mechanism that implements key derivation from a root of trust key. The DeviceKey mechanism generates symmetric keys that security features need. You can use these keys for encryption, authentication and more. The DeviceKey API allows key derivation without exposing the actual root of trust, to reduce the possibility of accidental exposure of the root of trust outside the device.

We have implemented DeviceKey according to NIST SP 800-108, section "KDF in Counter Mode", with AES-CMAC as the pseudorandom function.

### Root of Trust

The root of trust key, which DeviceKey uses to derive additional keys, is generated using the hardware random generator if it exists, or using a key injected to the device in the production process.

The characteristics required by this root of trust are:

- It must be unique per device.
- It must be difficult to guess.
- It must be at least 128 bits.
- It must be kept secret.

The DeviceKey feature keeps the root of trust key in internal storage, using the NVStore component. Internal storage provides protection from external physical attacks to the device.

The root of trust is generated at the first use of DeviceKey if the true random number generator is available in the device. If no true random number generator is available, you must pass the injected root of trust key to the DeviceKey before you call the key derivation API.

### Key derivation API

`generate_derived_key`: This API generates a new key based on a string (salt) the caller provides. The same key is generated for the same salt. Generated keys can be 128 or 256 bits in length.

#### Root of Trust Injection API

`device_inject_root_of_trust`: You must call this API once in the lifecycle of the device, before any call to key derivation, if the device does not support True Random Number Generator (`DEVICE_TRNG` is not defined).

#### Using DeviceKey

DeviceKey is a singleton class, meaning that the system can have only a single instance of it.

To instantiate DeviceKey, you need to call its `get_instance` member function as following:

```c++
DeviceKey &deviceKey = DeviceKey::get_instance();
```

#### Testing DeviceKey

Run the DeviceKey functionality test with the `mbed` command as follows:

```
```mbed test -n features-device_key-tests-device_key-functionality```
```
Loading