KEK to wrap asymmetric keys


todd_nuzum
NXP Employee

There's some indication that a customer can use a KEK to wrap keys I "inject" into the SE05x keystore. Unfortunately, injecting keys into the part is non-compliant for this customer. Instead, can they use a KEK to wrap asymmetric keys that they generate on the SE05x using the sss_key_store_generate_key() API?

7 Replies

Kan_Li
NXP TechSupport

Hi @todd_nuzum ,

KEK is only available when you write a SymmKey, but to cover injection of all secure objects, you may use the external import method, as mentioned by @msjcard. We have a demo to demonstrate how to prepare a complete raw APDU for that purpose; please kindly refer to simw-top/doc/demos/se05x/se05x_ImportExternalObjectPrepare/Readme.html for details.

Have a great day,
Kan


-------------------------------------------------------------------------------
Note:
- If this post answers your question, please click the "Mark Correct" button. Thank you!
- We are following threads for 7 weeks after the last post, later replies are ignored
Please open a new thread and refer to the closed one, if you have a related question at a later point in time.
-------------------------------------------------------------------------------

TonyMo
Contributor I

Is it possible to use an AES128 KEK to wrap RSA keys generated within the SE? I'm not allowed to generate the RSA keys outside of the SE and then import them into the SE.

Kan_Li
NXP TechSupport

Hi @TonyMo ,

KEK is not a valid option for the WriteRSAKey APDU command; for such a use case, you have to use the external import mechanism. Please kindly refer to "3.2.9 Secure Object external import" in https://www.nxp.com/webapp/Download?colCode=AN12543 for details.

Have a great day,
Kan


TonyMo
Contributor I

Unfortunately "3.2.9 Secure Object External Import" does not satisfy design requirements for me. The secure object must be generated inside of the security entity. Thank you for answering my question.

Kan_Li
NXP TechSupport

Hi @TonyMo ,

SE050 has an APDU command to generate an RSA key pair inside, but there is no KEK option, which is indeed for symmetric keys; however, you may set up the policy for the RSA key pair so that only the specific user may access this secure object, and of course the private key cannot be fetched by any means. You may refer to "4.7.1.2 WriteRSAKey" and "3.7 Policies" in AN12543 for more details.

Hope that helps,

Have a great day,
Kan


TonyMo
Contributor I

This is excellent information. This should satisfy my design requirement. Thank you for your help Kan.

Cheers,
Tony

msjcard
Contributor III

I'd take a look at AN12413, Figure 5 and section 3.2.9. I'm not sure which middleware calls implement that diagram, but it looks like it is certainly possible to upload a key securely.
