4.4 Key Rotation of Code Signing Public Keys
Key rotation refers to the use of an updatable key store, where cryptographic keys used for secure operations – such as firmware authentication, secure boot or encrypted communications – can be securely updated as needed. Section 3.5.1 of NIST SP 800-193 specifies that compliant devices must provide “provisions to recover from a key compromise.” Not every application needs to support this level of security. This section discusses how the dsPIC33A hardware features can support key rotation in applications that need it.
For applications that only require public key storage, the dsPIC33A can be used to implement a key store and support key rotation. Unlike a fixed signature verification key, the keys in such a key store can be updated in the event of a key compromise.
For more details on key management guidance, refer to NIST SP 800-57 Part 1 – Recommendation for Key Management: Part 1 – General.
