Is there any secure memory for storing private keys for authentications?
I think it is stored in STM32 MCU flash memory. So theoretically it could be read by any user application.
But probably it would be sufficient if user won’t install any third party untrusted applications and there will be any device locking feature (disallowing to use device without password) and mcu readout protection is enabled so flash could not be dumped with programmer, only erased and reprogrammed.
Some MCUs have secured memory partitions for storing private keys or something else, so even APP have no access to them. These partition can only be accessed by security modules. I don’t know which exactly MCU will be used, but if it’s not determined at this moment - would be nice to select that one, which will have security modules. Or at least external IC with such ability.
AFAIK that’s STM32L4 series MCU, and according to this presentation it has some kind of memory protection unit, so maybe it’s possible to protect secret key with this feature. It also has TRNG & AES accelerator but it isn’t useful for secp256r1 public key encryption.
Example of such security module with secure key storage in MCU: https://www.nxp.com/design/training/benefit-from-csec-peripheral-module-in-s32k-mcus:TIP-S32K-CSEC
But as far as I know, same can be done by external IC.
I think if this Flipper function designed to provide more security for users, it should be done properly. And private keys should not be stored at flash or EEPROM.
Example of external IC with elliptic curves support: https://www.microchip.com/wwwproducts/en/ATECC508A
But it’s not recommended for new designs.
Is U2F uses ECDH?
Newer version of this IC:
At 1000pcs it costs about €0.50
Oh, another idea. It should be possible with such an IC to implement SmartCard functionality for the device, for example to sign git commits/store and use SSH RSA keys/protect your mail/etc.
Similar ICs from other vendors:
https://www.st.com/content/st_com/en/products/secure-mcus/authentication/st33tphf20i2c.html#overview - priceless
Oh, this one supports both RSA and ECC keys, cool
there is an open source code for U2F and FIDO2