UM2262 Rev 6
4 Key management services
Key management services (KMS) middleware provides cryptographic services through the
standard PKCS #11 APIs (specified by OASIS). These APIs hide the key value from the
caller, which refers to a key by its object ID and never handles the key value directly.
KMS executes inside a protected/isolated environment to ensure that key values cannot be
accessed by unauthorized code running outside that environment.

KMS also makes it possible to use cryptographic services with keys that are managed
securely outside the STM32 microcontroller, for example by an STSAFE-A100 Secure Element
(routing based on token ID).

KMS supports only a subset of the PKCS #11 APIs:
• Object management functions: creation / update / deletion
• AES encryption functions
• AES decryption functions
• Digesting functions
• RSA and ECDSA Signing/Verifying functions
• Key management functions: key generation/derivation

KMS manages three types of keys:
• Static embedded keys:
  – Predefined keys embedded within the code. Such keys cannot be modified.
• Updatable keys with static ID:
  – Key IDs are predefined in the system
  – Key value can be updated in an NVM storage via a secure procedure using static embedded root keys (authenticity check, data integrity check and data decryption)
  – Key cannot be deleted
• Updatable keys with dynamic ID:
  – Key IDs are defined when creating the keys
  – Key value is created using internal functions. Typically, the DeriveKey() function creates dynamic objects.
  – Key can be deleted