On TKey Key Generation

Digital keys is how information and communication on the Internet is protected. We all use them every day. Hence, generating those keys is crucial aspect of security. This is how it’s done on TKey.

Three factors for key generation

When TKey generates keys, three factors are needed:
UDS, Unique Device Secret. This is unique for each TKey produced and part of the hardware design.
USS, User Supplied Secret. This is a secret the user chose (know) for every application loaded.
– The TKey device app (that is loaded to the TKey via USB-C) is hashed at reception by the TKey. We write it like this:
hash(TKey device app).

All three factors are hashed again, i.e.;
hash(UDS, hash(TKey device app), USS).

The result of this hash is called CDI, Compound Device Id and is a unique identity. If you change any of the three factors, you will get a new CDI, i.e. new identity.

CDI is stored so it’s accessible for the TKey device app.

The hardware guarantees that the UDS is only read-once per power cycle. It lives for a very brief time and is then not available in the memory map anymore, not even for the firmware.

Read more about TKey memory here.




Cover image: Anja