• State TI Thinks Resolved
  • Locked Locked
  • Replies 5 replies
  • Answers 3 answers
  • Subscribers 33 subscribers
  • Views 680 views
  • Users 0 members are here
Support feedback
Options
Options
Related

This thread has been locked.

If you have a related question, please click the "Ask a related question" button in the top right corner. The newly created question will be automatically linked to this question.

AM2432: what is role of MPK and MEK in FEK pre-processing in x509 cert generation for HS-SE mode conversion

Hong Zhang
Intellectual 782 points
Part Number: AM2432

Hello TI team, 

What is the role of MPK and MEK in FEK pre-processing in x509 cert generation for HS-SE mode conversion?

Thanks,

Hong 

  • 0
    TI__Guru 55285 points

    Hi Hong,

    Since the experts on this matter is on holiday (11/14 - 11/15), the response may be delayed. Thank you for your patience.

    Meanwhile, refer to 

    AM243x MCU+ SDK: Understanding the bootflow and bootloaders (ti.com) 

    for additional details

    Best regards,

    Ming

  • 0 in reply to Ming Wei
    TI__Mastermind 26145 points

    Hi Hong,

    Hong Zhang said:
    What is the role of MPK and MEK in FEK pre-processing in x509 cert generation for HS-SE mode conversion?

    MEK plays no role in OTP Key Writer x509 cert generation. However, the MPK (private part) is used to sign the certificate.

    Best Regards,
    Aakash

  • 0 in reply to Aakash Kedia
    TI__Expert 4935 points

    Just to add more details.

    Step 1 per user guide is to create a AES-key using RNG to be used to encrypt SMPK/SMEK and BMPK/BMEK.

    Step 2 is actual encryption happening in your KMS system to add confidentiality aspect for SMPK/SMEK and BMPK/BMEK.

    Step 3 is essentially binding the SMPK with AES-Key generated in step 1; and to RSA-encrypt  AES-key from step 1 using FEK.

  • 0 in reply to Amrit Mundra
    Prodigy 60 points

    Hi I am not clear or couple of points

    1. What is the purpose of the AES key? Is it to protect the confidentiality of customer SMEK and BMEK? If yes, I am not able to see how confidentiality is preserved as the AES key itself is encrypted by the FEK, which is managed by TI. This seems that the system which holds the FEK private could decrypt the SMEK and BMEK as it could decrypt the AES key.

    2. For SMPK and BMPK, the AES key seems redundant as the private is held at customer and only the public key hash is being encrypted. 

  • 0 in reply to Venkata Kishore Kajuluri
    TI__Mastermind 26145 points
    Venkata Kishore Kajuluri said:
    1. What is the purpose of the AES key? Is it to protect the confidentiality of customer SMEK and BMEK? If yes, I am not able to see how confidentiality is preserved as the AES key itself is encrypted by the FEK, which is managed by TI. This seems that the system which holds the FEK private could decrypt the SMEK and BMEK as it could decrypt the AES key.

    AES Key is encrypted via FEK (public key) which is delivered as part of OTP Key Writer package. The FEK (private key) is available from TI on the target only for decryption of the AES Key. Then the AES key is used to decrypt the other keys "on-the-target".

    AES Key is a 256-bit random number used for encryption. This reduces the attack surface and the risk of using single 256-bit symmetric key for this operation for every cycle.

    Best Regards,
    Aakash