FAQs
English (US) 日本語 | Japanese 中文 | Chinese (Simplified)

Can I use an AES key stored in NVM as the source (IKM) for PBKDF2 without exposing it as plaintext?

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Can I use an AES key stored in NVM as the source (IKM) for PBKDF2 without exposing it as plaintext?

3 weeks ago
268 Views
sochoi
Contributor III

Hello,

In my S32K3 project, I need to use an AES key stored in NVM as the input key material (IKM) for the HSE PBKDF2 service. 
AES Key usage was possible in HKDF.

However, according to the HSE Service API Reference Manual:
PBKDF2 requires the srcKeyHandle to be of type HSE_KEY_TYPE_SHARED_SECRET.
HSE_KEY_TYPE_SHARED_SECRET keys are only supported in RAM catalogs, not in NVM.

That means my AES key in NVM cannot be directly used as the PBKDF2 input.
To avoid exposing the key in plaintext, I tried:
Exporting the AES key as an enc&auth container,
Importing it into a RAM key slot,
Attempting to convert or copy it to a Shared-Secret slot (so it can be used as PBKDF2 input).

But the documentation does not describe any service to convert or copy an AES key to a Shared-Secret key type.
Key Derive – Copy Key and Import Key both require the same key type.

My question:
Is there any supported method to make an AES key (stored in NVM) usable as a PBKDF2 source without revealing it as plaintext?

Tags (2)
0 Kudos
Reply
3 Replies

2 weeks ago
162 Views
sochoi
Contributor III

Thank you.
I appreciate your support, and I will wait for your update.

0 Kudos
Reply

2 weeks ago
126 Views
davidtosenovjan
NXP TechSupport
NXP TechSupport

It should be possible. I am forwarding an answer as I have obtained it:

"You can do this by specifying a key handle to the key derivation service of the HSE. That key handle can point to an AES key that has been provisioned to secure NVM.

Take a look at the HSE_PBKDF2Req_Example(void) function in the HSE demo app. for the source key, instead of specifying a RAM key handle, you can instead refer to the handle of an NVM key."

0 Kudos
Reply

3 weeks ago
213 Views
davidtosenovjan
NXP TechSupport
NXP TechSupport

In my opinion there is no service for such operation but let me discuss it with HSE experts. I will let you know. 

Reply
%3CLINGO-SUB%20id%3D%22lingo-sub-2204143%22%20slang%3D%22en-US%22%20mode%3D%22CREATE%22%3ECan%20I%20use%20an%20AES%20key%20stored%20in%20NVM%20as%20the%20source%20(IKM)%20for%20PBKDF2%20without%20exposing%20it%20as%20plaintext%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2204143%22%20slang%3D%22en-US%22%20mode%3D%22CREATE%22%3E%3CP%3EHello%2C%3C%2FP%3E%3CP%3EIn%20my%20S32K3%20project%2C%20I%20need%20to%20use%20an%20AES%20key%20stored%20in%20NVM%20as%20the%20input%20key%20material%20(IKM)%20for%20the%20HSE%20PBKDF2%20service.%26nbsp%3B%3CBR%20%2F%3EAES%20Key%20usage%20was%20possible%20in%20HKDF.%3C%2FP%3E%3CP%3EHowever%2C%20according%20to%20the%20HSE%20Service%20API%20Reference%20Manual%3A%3CBR%20%2F%3EPBKDF2%20requires%20the%20srcKeyHandle%20to%20be%20of%20type%20HSE_KEY_TYPE_SHARED_SECRET.%3CBR%20%2F%3EHSE_KEY_TYPE_SHARED_SECRET%20keys%20are%20only%20supported%20in%20RAM%20catalogs%2C%20not%20in%20NVM.%3C%2FP%3E%3CP%3EThat%20means%20my%20AES%20key%20in%20NVM%20cannot%20be%20directly%20used%20as%20the%20PBKDF2%20input.%3CBR%20%2F%3ETo%20avoid%20exposing%20the%20key%20in%20plaintext%2C%20I%20tried%3A%3CBR%20%2F%3EExporting%20the%20AES%20key%20as%20an%20enc%26amp%3Bauth%20container%2C%3CBR%20%2F%3EImporting%20it%20into%20a%20RAM%20key%20slot%2C%3CBR%20%2F%3EAttempting%20to%20convert%20or%20copy%20it%20to%20a%20Shared-Secret%20slot%20(so%20it%20can%20be%20used%20as%20PBKDF2%20input).%3C%2FP%3E%3CP%3EBut%20the%20documentation%20does%20not%20describe%20any%20service%20to%20convert%20or%20copy%20an%20AES%20key%20to%20a%20Shared-Secret%20key%20type.%3CBR%20%2F%3EKey%20Derive%20%E2%80%93%20Copy%20Key%20and%20Import%20Key%20both%20require%20the%20same%20key%20type.%3C%2FP%3E%3CP%3EMy%20question%3A%3CBR%20%2F%3EIs%20there%20any%20supported%20method%20to%20make%20an%20AES%20key%20(stored%20in%20NVM)%20usable%20as%20a%20PBKDF2%20source%20without%20revealing%20it%20as%20plaintext%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2206288%22%20slang%3D%22en-US%22%20mode%3D%22CREATE%22%20translate%3D%22no%22%3ERe%3A%20Can%20I%20use%20an%20AES%20key%20stored%20in%20NVM%20as%20the%20source%20(IKM)%20for%20PBKDF2%20without%20exposing%20it%20as%20plainte%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2206288%22%20slang%3D%22en-US%22%20mode%3D%22CREATE%22%3E%3CP%3EThank%20you.%3CBR%20%2F%3EI%20appreciate%20your%20support%2C%20and%20I%20will%20wait%20for%20your%20update.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2205279%22%20slang%3D%22en-US%22%20mode%3D%22CREATE%22%20translate%3D%22no%22%3ERe%3A%20Can%20I%20use%20an%20AES%20key%20stored%20in%20NVM%20as%20the%20source%20(IKM)%20for%20PBKDF2%20without%20exposing%20it%20as%20plainte%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2205279%22%20slang%3D%22en-US%22%20mode%3D%22CREATE%22%3E%3CP%3EIn%20my%20opinion%20there%20is%20no%20service%20for%20such%20operation%20but%20let%20me%20discuss%20it%20with%20HSE%20experts.%20I%20will%20let%20you%20know.%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E