Exploring STM32U3 Security

What is a Keystore? What is Key Wrapping?

Keystore: Protects keys at rest and during execution.

Key Wrapping: The encapsulation of keys and templates with a unique device-dependent key.

Benefits of Key Wrapping:

• Confidentiality: Protects the wrapped key from unauthorized access.
• Integrity: Ensures the wrapped key has not been altered or tampered with.
• Efficiency: Allows for quick wrapping and unwrapping processes.

How Does Key Wrapping Work?

1. Device Hardware Unique Key (DHUK) Provisioning: A unique key is installed on the device during IC manufacturing.
2. User Key Encryption: User keys are encrypted by the DHUK.
3. Secure Storage: Keys can be stored safely.
4. Decryption: Keys can only be decrypted by the device-dependent DHUK.

Key Features of Key Wrapping

• Confidentiality: The primary goal is to protect the wrapped key from unauthorized access. Only entities with the correct DHUK can unwrap and access the original key.
• Integrity: Ensures that the wrapped key has not been altered or tampered with during storage or transmission.
• Efficiency: Key wrapping algorithms are designed to be efficient, allowing for quick wrapping and unwrapping processes.

How Key Wrapping Works: Detailed Process

1. Key in-ST Provisioning: A Device Hardware Unique Key (DHUK) is provisioned by ST on each device and used to wrap other keys.
2. Wrapping Process: The original key is encrypted using the DHUK, potentially with additional steps for integrity (e.g., authentication tags).
3. Storage/Transmission: The wrapped key is stored or transmitted securely, protected by the DHUK.
4. Unwrapping Process: When access to the original key is needed, it is decrypted using the DHUK, restoring the original key.

Key Wrapping Use Cases

Scenario:

1. ST generates a unique secret (Hardware Unique Key - HUK) in a secure environment, installs it on the device, and locks it from application CPU access.
2. OEM generates a secret (e.g., ECC or AES key) in its secure environment, injects it into the device, and wraps it with the HUK. The original key in clear is destroyed.
3. The wrapped secret is stored in application memory, protected from recovery in clear.
4. For encryption/decryption, the user provides the wrapped key to the Secure AES (SAES) and CCB. SAES unwraps the key, protecting its confidentiality, and uses it for encryption/decryption. The key in clear is flushed afterwards, with only SAES internal logic having access.

Key Definitions

• Clear-text Key: Stored or transmitted in an unencrypted, readable format. Vulnerable to interception and unauthorized access.
• Encrypted/Wrapped Key: Encrypted using another key (KEK). Protects the key from unauthorized access until decrypted.
• Device Hardware Unique Key (DHUK): Unique to a specific hardware device, embedded during manufacturing. Used for cryptographic operations tied to the hardware and in secure boot processes.
• Unwrapped/Decrypted Key: A key decrypted from its wrapped form, now in a usable state. Requires careful handling to prevent unauthorized access.
• Boot Hardware Key (BHK): Used during boot to ensure integrity and authenticity of the bootloader and OS. Stored securely and verifies loaded software.
• Root Hardware Unique Key (RHUK): Unique to a specific device, serving as the root of trust. Crucial for ensuring integrity and authenticity of device software and data.

STM32 Key Wrapping Mechanism for SAES

The side-channel protected SAES peripheral uses hardware secret keys (DHUK, BHK) to prevent critical application keys from being visible in clear text to the runtime application or debugger.

• DHUK: Nonvolatile, secret to the application. Derived using a key derivation function (KDF) based on key usage (mode, security).
• Boot hardware key (BHK): Volatile, tamper-protected. Written and locked by the boot application.

SAES can protect 128-bit and 256-bit keys used in SAES or AES peripherals. Use cases include encrypting and decrypting keys using hardware secret keys (key wrapping/unwrapping) and decrypting keys for the AES peripheral (shared key unwrapping).

System Benefits of SAES Key Wrapping

• Enhanced key protection aligned with latest security standards (PSA, SESIP).
• STM32 allows storing cryptographic keys securely, preventing application compromise of data confidentiality.
• Usable for symmetric keys (AES 128/256).

Key Wrapping for AES: Provisioning Step

This process encrypts a key using wrap mode or shared mode.

Steps:

1. Select a hardware secret key (DHUK, BHK, XORK). The Key Derivation Function (KDF) depends on the KMOD & SAES protection (secure or nonsecure).
2. Write the clear text key.
3. Read the encrypted, wrapped key. If DHUK or XORK is selected, only this silicon can decrypt the key.
4. Save the key in any flash memory.

The resulting encrypted key can be stored in any flash memory. The process involves selecting a hardware secret key and wrap mode, writing the clear text key to the SAES DATA IN register, running AES encryption, and reading the encrypted key from the DATA OUT register. For AES peripheral usage, the shared mode must be selected instead of the wrap mode.

Key Unwrapping for Secure Advanced Encryption Standard

Decrypting a key using wrap mode requires using the same mode and correct key. The result is stored in write-only key registers.

Steps:

1. Select the correct hardware secret key (DHUK, BHK, XORK). KDF depends on KMOD & SAES protection.
2. Write the wrapped, encrypted key.
3. The decrypted, unwrapped key is written by SAES into key registers (write-only). DOUT returns zero. If key registers are written by software, the key is automatically erased.
4. The application uses the key as needed.

The unwrapped key is automatically erased when software writes the key registers.

Overview of Public Key Cryptography (PKA): Key Features and Standards

Definition: Cryptographic systems using pairs of related keys: one public key and one private key.

Key Lengths: Supports up to 4160 bits for RSA/DH and 640 bits for elliptic curves.

Standards:

• NIST FIPS186-4
• RSA PKCS#1
• ANSI X9.62
• IETF RFC5639 (Brainpool)
• Chinese SM2 and SEC2 curves

Security Features:

• Side channel protection for secret operations.
• RSA/DSA private modular exponentiation.
• ECC scalar multiplication and signature generation.

Supported Operations:

• RSA/DSA public modular exponentiation with CRT.
• ECDSA signature verification.
• ECC point on curve checks and arithmetic operations.

PKA supports standard algorithms like Modular Exponentiation, CRT exponentiation, RSA, ECC, DSA, and ECDSA through these operations.

Secure PKA Target Use Cases

The security of asymmetric cryptography relies heavily on the protection of the private key. Access to a private key allows decryption of confidential messages and forging of digital signatures.

Key Pair Generation: Involves generating public and private keys (e.g., ECC only).

Secure Key Import: Importing keys, often using RSA method.

Key Agreement: Combining keys to establish a shared secret.

Secure Attestation: Verifying identity or integrity using cryptographic methods (e.g., ECC method).

Wrapped private keys can be stored anywhere as they are only usable on the specific device. Software manipulating wrapped private keys cannot access their clear value, enhancing application robustness against attacks.

STM32 Key Wrapping Mechanism for Public Key Accelerator

The side-channel protected SAES peripheral, in conjunction with the Coupling and Chaining Bridge (CCB), provides a sophisticated security mechanism to protect private keys used in the PKA peripheral. This mechanism is similar to that used for SAES keys.

Use Cases:

• Encrypting keys for PKA peripheral using the CCB.
• Decrypting keys for PKA peripheral using the CCB.

The CCB protects private keys from CPU access, wraps them with unique device keys, and stores them securely.

Encrypting a Key with CCOP in CCB

This process encrypts a key using the CCOP in the CCB peripheral.

Steps:

1. Select a hardware secret key (DHUK, DHUK XOR BHK). KDF depends on the CCOP in the CCB peripheral.
2. Write the clear text key into PKA RAM.
3. Read the clear text key from PKA RAM, which transfers it to SAES DATA IN. This read operation returns zero.
4. Launch an AES encryption.
5. Read the encrypted, wrapped key and save it in flash memory for secure storage.

Key Unwrapping for Public Key Accelerator

This process decrypts a key using the CCOP in the CCB peripheral.

Steps:

1. Select the correct hardware secret key (DHUK, DHUK XOR BHK). KDF depends on the CCOP in the CCB peripheral.
2. Write the wrapped, encrypted shared key.
3. The decrypted, unwrapped shared key is written to write-only PKA by the CCB. DOUT returns zero.
4. Use the key in PKA.

Before unwrapping, select the CCOP code in the CCB corresponding to the desired PKA operation. The process involves selecting the hardware secret key, writing the wrapped key, and the CCB writing the decrypted key to the write-only PKA.

List of Public Key Accelerator Wrapped Key Operations

This section details low-level PKA operations corresponding to high-level asymmetric cryptography use cases.

Table 2: ECDSA Signature Key Blob Usage

• Attestation: X
• Key Import: X
• Key Agreement: -
• Key Generation: X
• Usage in PKA: ECDSA signature, Scalar multiplication

Table 3: ECC Key Blob Usage

• Attestation: X
• Key Import: X
• Key Agreement: X
• Key Generation: X
• Usage in PKA: Scalar multiplication

Table 4: RSA Key Blob Usage

• Attestation: X
• Key Import: X
• Key Agreement: -
• Key Generation: X
• Usage in PKA: Modular exponentiation

Before each blob usage, a blob creation is required.

AES-GCM Usage for Public Key Accelerator Key Wrapping

AES-GCM is a cryptographic method providing confidentiality and data integrity, combining AES encryption with Galois/Counter Mode for authenticated encryption. PKA key wrapping with CCB uses AES-GCM with a 256-bit key.

Under CCB supervision, PKA operation parameters and key material are authenticated and encrypted using AES-GCM. The reference tag, operation parameters, and wrapped key material must be stored. PKA uses the decrypted wrapped key with verified operation parameters only if the reference and computed AES-GCM tags match.

Primary STM32 Product Key Wrapping Property

This overview shows how key wrapping is managed across different STM32 devices using various Keystore IPs (DHUK, BHK, SAES, PKA).

STM32 Product Lineup and Keystore IP Usage:

• STM32U5: DHUK, BHK, SAES, PKA. Key use: TZ.
• STM32N6: DHUK, BHK, SAES, PKA. Key use: TZ.
• STM32WB6: DHUK, BHK, SAES, PKA. Key use: TZ.
• STM32C5 (1M): DHUK, BHK, SAES, PKA, PKA Key Wrapping (CCB). Key use: HDPL.
• STM32H5 (4M): DHUK, BHK, SAES, PKA, PKA Key Wrapping (CCB). Key use: TZ, HDPL, EPOCH.
• STM32U3 (512K, 1M, 2M): DHUK, BHK, SAES, PKA, PKA Key Wrapping (CCB). Key use: TZ.

Each product is optimized for its application, offering tailored security features and robust key management practices.

Documentation and Useful Links

• STM32Trust web page
• AN6205: Introduction to the use of PKA key wrapping with coupling and chaining bridge on STM32 MCUs.
• STM32 MCU Wiki - Security Functions

For further details and implementation guidance, refer to application note AN6205, which covers topics like the need for PKA key wrapping, cryptographic functions involved, and functions proposed by STM32CubeMX.