.. | |||
include/ device_key | 1 year ago | ||
source | 3 years ago | ||
tests/TESTS/device_key/ functionality | 3 years ago | ||
CMakeLists.txt | 1 year ago | ||
README.md | 3 years ago | ||
mbed_lib.json | 3 years ago |
DeviceKey is a mechanism that implements key derivation from a Root of Trust(RoT) key. The DeviceKey mechanism generates symmetric keys that security features need. You can use these keys for encryption, authentication and more. The DeviceKey API allows key derivation without exposing the actual RoT, to reduce the possibility of accidental exposure of the RoT outside the device.
We have implemented DeviceKey according to NIST SP 800-108, section "KDF in Counter Mode", with AES-CMAC as the pseudorandom function.
The RoT key, which DeviceKey uses to derive additional keys, is generated using the hardware random generator if it exists, or using a key injected to the device in the production process.
The characteristics required by this RoT are:
The DeviceKey feature keeps the RoT key in internal storage, using the KVStore component. Internal storage provides protection from external physical attacks to the device.
The root of trust must be created before its first use. Otherwise, the key derivation API fails.
generate_derived_key
: This API generates a new key based on a string (salt) the caller provides. The same key is generated for the same salt. Generated keys can be 128 or 256 bits in length.
device_inject_root_of_trust
: You must call this API once in the lifecycle of the device, before any call to key derivation, if the device does not support TRNG (DEVICE_TRNG
is not defined).
DeviceKey is a singleton class, meaning that the system can have only a single instance of it.
To instantiate DeviceKey, you need to call its get_instance
member function as following:
DeviceKey &deviceKey = DeviceKey::get_instance();
Run the DeviceKey functionality test with the mbed
command as follows:
```mbed test -n drivers-device_key-tests-tests-device_key-functionality
```