mmCAU key is read back protected?

francescosalvat · ‎10-05-2016

Hi,

i'm using mmCAU API on K64 mcu and i have some questions about the AES key storage.

1) If i set key using cau_aes_set_key can i assume that the key will be inaccessible to read-back?

2) The key is stored in a non-volatile memory area? Can i program the key in production-phase and use it without set it any time i reset, power-off and power-on and so on?

Thank you and regards.

cutworth · ‎10-08-2016

Hi Francesco,

You misunderstand what mmcau_aes_set_key can do. When you look at the mmCAU library code in KSDK, you will find the comment for this function as follows.

# AES: Performs an AES key expansion
# arguments
# *key pointer to input key (128, 192, 256 bits in length)
# key_size key_size in bits (128, 192, 256)
# *key_sch pointer to key schedule output (44, 52, 60 longwords)
#
# calling convention
# void mmcau_aes_set_key (const unsigned char *key,
# const int key_size,
# unsigned char *key_sch)

So what it does is part of the AES algorithm for key expansion, and the generated key schedule are used in the rounds for AES algorithm. What you want to store is just the input key, 128bit for AES-128.

And to your question on how you can prevent reading back the 128bit security key, I suppose you mean prevent reading back from JTAG instead of user code running in flash. If that's the case, then you can just secure the flash and put internal flash into NVM special mode. Under this mode, lots of flash commands are not allowed. Also you can stored the security key into the flash IFR area with program once command, the key can only be read back with read once command with user code.

For details on how to enable flash security, you can check the following application note.

http://www.nxp.com/files/microcontrollers/doc/app_note/AN4507.pdf?fasp=1&WT_TYPE=Application%20Notes...

Hao

francescosalvat · ‎10-10-2016

Thank you for your reply. Because i'm using FlashSwap and it's difficult for me to partition the memory for key storage, the only way that i have to save my key in a "secure zone" is to add a Secure Element to my board, alright?

cutworth · ‎10-10-2016

Hi Francesco,

When you use program once command to store security key into flash, it's stored in flash IFR region which is not in the memory map for flash, it's a separate area which is only accessible with flash command. And when you enable flash secure, it will prevent access from JTAG/SWD.

Hao

jeremyzhou · ‎10-08-2016

Hi,

In the set key using cau_aes_set_key function, it doesn't modify the address of data area which is used to store the key.

So it can still be accessible to read-back.

The key can be located in any area of the flash, and I think the non-volatile memory area is good choice.

About programming the key the key in production-phase, do you mean that the NXP play the kind of role to help you program the key ?

I'm looking forward to your reply.
Have a great day,
Ping

-----------------------------------------------------------------------------------------------------------------------
Note: If this post answers your question, please click the Correct Answer button. Thank you!
-----------------------------------------------------------------------------------------------------------------------

mmCAU key is read back protected?

mmCAU key is read back protected?

Kinetis K Series MCUs