3.2.1.1 Private Keys

ECC P-256 private keys are the fundamental building blocks of ECC Security for the ECC608-TMNGTLS. These keys are private and unique to each device and cannot be read. ECC private keys are randomly generated by the secure element's TRNG and are securely held in slots configured as ECC private keys.

Primary Private Key

This is the primary authentication key and is stored in Slot 0. Each device has its own unique private key. The key can be modified unless Slot 0 is locked.

This key is enabled for two primary elliptic curve functions:

  • ECDSA Sign for authentication
  • ECDH for key agreement. If encryption of the ECDH output is required, the I/O protection key needs to be set up first. See I/O Protection Key for setup details.

This private key is the foundation for the generation of the corresponding public key and the X.509 Certificates.

Key Attestation

The private key in Slot 1 is configured as an internal sign-only key, which means it can only sign messages generated internally by the GenKey or GenDig commands and cannot be used to sign arbitrary external messages. This feature allows the internal sign key to be used to attest to what keys are in the device and their configuration/status to any system that knows (and trusts) the internal sign public key.