12.2.5 Encryption, Decryption and Authentication

All customer secret keys are stored securely (wrapped using the PUF feature) in a regular packet. The customer’s AES Initialization Vector read from the OTP User area and the first key are used by the AES-CBC algorithm, whereas the second is dedicated to the AES-CMAC computation.

Encryption and decryption are processed using the NIST-recommended AES-CBC mode defined in NIST Special Publication 800-38A [NIST_MODE_OP].

When selected, the Message Authentication Code is processed using the NIST-recommended CMAC. The CMAC used as a Message Authentication Code (MAC) is the CMAC based on the AES. The AES-CMAC outputs a 128-bit digest.

Otherwise, the authentication is secured by an RSA signature. The public key cryptographic implementation then relies on X.509 certificates. These certificates are chained and stored right after the boot file and its signature in the NVM.

The first certificate in the chain (at the lowest address in memory) is called the “root certificate”. The modulus and the exponent are extracted from the public key stored in the root certificate. A SHA-256 digest is computed on the concatenation of the modulus and the exponent. This 256-bit digest is compared to the “RSA hash” to validate the root certificate.

Then, except for the root certificate, every certificate is signed by the private key associated with the previous certificate in the chain. So, its previous certificate is used to validate a certificate in a recursive process.

Finally, the boot file is signed with the private key associated with the last certificate. So, the last certificate is used to validate the boot file signature.