How to Securely Store Secret Data on an MCU/MPU

Keys are the foundation of system security 

The foundation of a security system is the keys it owns, which are used to prove the identity of the system and to protect the confidentiality of system information. The most basic keys that a system must have include: 

  • Hardware Unique Key (HUK): a key owned exclusively by each physical device; it is both unique and secret. It is used to derive the keys needed by different applications and to produce encrypted data that is bound to that individual device. 
  • Root of Trust Public Key (ROTPK): the public key used to verify signatures; during secure boot it ensures that only software that has passed signature verification can execute on the device. 

To ensure the system's security, neither the HUK nor the ROTPK may be modified. 

In addition, depending on the application, keys with other functions may also exist in the system, such as AES keys used for encryption and decryption and RSA or ECC keys used to verify signatures. 

These keys, together with the cryptographic algorithms that use them, provide identity verification, data protection, transmission encryption, and other functions; they are the foundation of all security in the system. Therefore, the storage and protection of the keys themselves is the most crucial concern in the entire system. We call the place used to store the keys the Key Store. 

Features of Key Store 

To ensure the security of keys, a Key Store must provide the following features: 

  • All stored keys must be handled as an indivisible whole 

Every key in the Key Store must be created, changed, and deleted as a whole. Otherwise, if part of a key's contents can be replaced with known values, the key becomes easy to recover with a divide-and-conquer brute-force attack, because each fragment can be searched independently. 

  • Different storage types are provided based on the key type, including: 
    • Static storage 

Keys in static storage must be impossible to change; this is usually achieved by using the properties of ROM or fuses. However, even though a static key cannot be changed, it must still be possible to revoke it. A revoked key can no longer be accessed or used, which keeps key usage secure. 

    • Short-term storage 

Keys in short-term storage have shorter lifetimes: a key may exist only for the current connection, only for the current power cycle, or only for the current registration period of the device. These lifetimes are usually achieved by using Flash or SRAM as the storage medium. 

  • Set key attributes to limit the usage scope of keys 

The usage scope of a key can be limited according to its purpose and the corresponding cryptographic algorithm, for example restricting it to AES encryption and decryption only, or to ECC signing and verification only. The reasons for such restrictions are mainly the following: 

    • Restricting CPU access to keys prevents exposure of keys through software vulnerabilities.
    • Restricting the usage scope of a key reduces the scope of loss if the key is compromised.
    • Using one key with several different algorithms increases the attack risk.
    • Using one key for several purposes can create conflicting requirements on its lifetime, forcing it to remain valid longer than is appropriate for any one of those purposes. 

  • Prevent physical attacks 

The keys stored in the Key Store are the foundation of the entire system's security. Not only must the risk of exposure through software vulnerabilities be prevented, but the keys must also be protected against physical attacks, including side-channel attacks that exploit the physical characteristics of the chip and attacks that open the package and directly measure the contents stored in the chip. 

Key Store case study 

Take the Nuvoton M2354 as an example. It includes a Key Store hardware unit that provides storage for keys from 128 bits to 4096 bits in length. Keys are written, deleted, and revoked as complete units, and an integrity check is applied: if any bit of a key is wrong, that key becomes invalid and can no longer be used. 

Three types of storage medium are provided for the Key Store, OTP, Flash, and SRAM, to match the lifetime requirements of different keys. OTP can store keys that must never be modified, such as the HUK and ROTPK; Flash can store keys used to authenticate cloud connections; and SRAM can hold the randomly generated encryption keys used during a cloud connection. 

In addition, when the Key Store creates a key, attributes can be specified that restrict the key to use by the CPU only or by specific cryptographic engines only, further limiting how the key can be used and strengthening its protection. 

The Key Store supports a Silent Access function that reduces the information leaked through physical characteristics during storage operations, countering side-channel attacks. Against attacks that open the package and physically measure the stored contents, Data Scrambling is provided. Furthermore, the Key Store can be configured so that when Tamper Detection is triggered, a hardware linkage clears and revokes all keys in the Key Store, ensuring the keys cannot be leaked. 
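As an added example (not code from this page or from Nuvoton), the following C model enforces the Key Store rules described in the features above and in the M2354 case: keys of 128 to 4096 bits are written, replaced, and revoked only as a whole; static slots are write-once but still revocable; each key is bound to one algorithm and one accessor (CPU or crypto engine) at creation; an integrity check invalidates a key if any stored bit is wrong; and a tamper event clears and revokes every slot. The slot layout, the CRC-32 used as the integrity tag, and the attribute values are assumptions for illustration, not the device's actual implementation.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>
#define KS_SLOTS 4
#define KS_MAX_BYTES 512                        /* 4096-bit key, the page's maximum */
enum { KS_USE_AES = 1, KS_USE_ECC = 2 };        /* usage attribute: one algorithm per key */
enum { KS_OWNER_CPU = 1, KS_OWNER_ENGINE = 2 }; /* accessor attribute: CPU or crypto engine */
enum { KS_STATIC = 1, KS_SHORT_TERM = 2 };      /* OTP-like (write-once) vs Flash/SRAM-like */
typedef struct {
    bool valid, revoked;
    int medium, usage, owner;
    size_t len;
    uint32_t crc;                               /* integrity tag over data[0..len) */
    uint8_t data[KS_MAX_BYTES];
} ks_slot_t;
static ks_slot_t ks[KS_SLOTS];                  /* constructed in-RAM model of the slots */

/* CRC-32 integrity check; an assumed stand-in for the device's own (unspecified) check. */
static uint32_t ks_crc(const uint8_t *p, size_t n) {
    uint32_t c = 0xFFFFFFFFu;
    for (size_t i = 0; i < n; i++) { c ^= p[i]; for (int b = 0; b < 8; b++) c = (c >> 1) ^ (0xEDB88320u & (0u - (c & 1u))); }
    return ~c;
}

/* Whole-key write: there is no partial-update path, and a static slot is write-once. */
int ks_write(int s, int medium, int usage, int owner, const uint8_t *key, size_t len) {
    if (s < 0 || s >= KS_SLOTS || len < 16 || len > KS_MAX_BYTES) return -1; /* 128-bit minimum */
    if (ks[s].valid && ks[s].medium == KS_STATIC) return -1;
    ks_slot_t *k = &ks[s]; memcpy(k->data, key, len);
    k->len = len; k->medium = medium; k->usage = usage; k->owner = owner;
    k->crc = ks_crc(k->data, len); k->valid = true; k->revoked = false;
    return 0;
}

/* Revocation works for every medium, including static keys that cannot be rewritten. */
int ks_revoke(int s) { if (s < 0 || s >= KS_SLOTS) return -1; ks[s].revoked = true; return 0; }

/* Tamper response: clear and revoke every slot at once. */
void ks_tamper(void) { for (int s = 0; s < KS_SLOTS; s++) { memset(ks[s].data, 0, KS_MAX_BYTES); ks[s].revoked = true; } }

/* Release a key only to its bound accessor, for its bound algorithm, and only if intact;
   any flipped bit fails the check and the key is invalidated rather than handed out. */
int ks_use(int s, int usage, int owner, uint8_t *out) {
    if (s < 0 || s >= KS_SLOTS || !ks[s].valid || ks[s].revoked) return -1;
    if (ks[s].usage != usage || ks[s].owner != owner) return -1;
    if (ks_crc(ks[s].data, ks[s].len) != ks[s].crc) { ks[s].revoked = true; return -1; }
    memcpy(out, ks[s].data, ks[s].len);
    return (int)ks[s].len;
}
```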

Conclusion

Modern security systems rely on cryptographic protection, and no matter how strong the cryptographic algorithm is, it still depends on the secure storage of keys to be effective. Once a key is exposed, every secret built on that key is no longer secure; therefore, a Key Store secure enough to hold the keys is essential for the entire system.