User ECC Keys (KUP and KUPE)

There are two key modes, which are based on user ECC key. These key modes are defined using the device EC capabilities, which allow secure bitstream programming without requiring the user to have first programmed any secret keys into the device.

The ECC key modes use ECDH to derive a shared secret between device and Microchip HSM, which can then be used as root key either for encrypting/authenticating a bitstream (such as for injecting User symmetric keys and security settings in a new device), or for authenticating the device using the key confirmation challenge-response protocol. After the user ECC key is used to load the User's symmetric keys, it is automatically disabled for loading any further bitstreams without any action required for the User. However, it can still be used for device authentication purposes using the key confirmation protocol.

The devices support JTAG and SPI instruction that can create and/or retrieve the user ECC public key associated with the user EC private key (KUP). When the public key is exported, it is signed by the private key (KFP) of the device's factory-certified ECC key pair. This provides a verifiable method of creating a NIST ECC P-384 key pair and securely exporting the public key in a way that can avoid man-in-the-middle attacks on it. Thus, the device can be enrolled in a user public key infrastructure (PKI) by having a certificate authority (CA) sign (certify) the exported public key. After it has been verified, the device provides proof-of-possession (PoP) of the private key of the key pair, and any other steps deemed necessary by the CA or local registration authority (LRA).