Addressing Certification Gaps in Asymmetric Key Generation

🔻Plugging a Certification Hole in Asymmetric Key Generation 🔻John Barry, Marek Zmuda As supply chains become ever more complex, confidence in the security of a system increasingly relies on being able to attest to the authenticity of all the components in that system. This includes low level firmware and even hardware. Standards for robust and cryptographically secure attestation protocols for hardware chips and associated firmware are evolving. However, there is a certification gap. A common element in many of these standards is a requirement for a unique public/private asymmetric key pair to be associated with each device. Many of these devices do not have secure on-board non-volatile storage in which to store the keys, requiring the same key pair to be derived each time the device is powered up. The US National Institute of Standards and Technology (NIST), who define standards used in designing and implementing cryptographic modules, does not define an approved mechanism for deterministic asymmetric key generation. A potential solution to address this certification gap which has been proposed is to allow methods for deterministically deriving asymmetric keys from cryptographic keys.