Menu
▾
▴
Re: [Opensc-devel] Nitrokey HSM - Details of DKEK/key-wrapping algorithm, or key import
|
From: Andreas S. <and...@ca...> - 2015-12-14 12:37:59
|
Dear Evan, if you register at the CDN [1], then I can enable access to the SmartCard-HSM SDK which contains a script to decode the wrapped key container. Andreas [1] http://www.cardcontact.de/cdn/about.html On 12/14/2015 01:00 PM, Evan Anderson wrote: > I recently acquired a Nitrokey HSM for testing for one of my Customers. The > feature-set of the SmartCard-HSM software appears to be quite good and a > nearly perfect fit for my Customer's needs. > > My Customer will be signing firmware for a series of embedded control > devices w/ RSA keys. These devices have a planned 15-20 year lifetime in the > field/market (embedded devices attached to very large, very expensive pieces > of machinery with long service lifetimes). Losing access to the firmware > signing key during the device's supported lifetime would be quite bad > (physically recalling the devices and replacing secure SoC devices w/ public > keys stored in on-chip fuse-protected bootloader flash). > > While the built-in key backup/restore functionality in SmartCard-HSM looks > quite good, I'm concerned that without details of the > key-wrapping/unwrapping algorithm my Customer could find themselves, in the > future, in a situation where SmartCard-HSM is no longer available for > purchase. I am reticent to simply recommend assuming that the Customer > purchase extra devices to hold in storage and hope that they will remain > functional for 10+ years. My Customer is already accustomed to supporting > devices in the field w/ 15+ year lifetimes, so this concern is a very real > one to them. > > Are there details of the DKEK key-wrapping/unwrapping algorithm available > (under NDA and/or for a fee, if necessary) that would enable my Customer to > have confidence that, even if the SmartCard-HSM product were discontinued > and no longer available, they would be able to bring the DKEK shares and > key-backup together to reconstruct their key to load into some new device? > > As an alternative to understanding the DKEK key-wrapping/unwrapping > algorithm, is there functionality to import an externally-generated key into > the SmartCard-HSM product? I see a reference here > <http://www.smartcard-hsm.com/features.html#keyimport> but I've reviewed all > the materials I can find publicly, and on the CardContact Developer Network > website, and I am not finding any examples or documentation showing how to > perform this import. On this mailing list, as recently as October 2015 > (under the thread "Cannot delete imported private key from SmartCard-HSM") I > am seeing statements that make me think that this import functionality may > have difficulties. > > Thank you, > Evan Anderson > Wellbury LLC > Troy, OH, US > > > ------------------------------------------------------------------------------ > _______________________________________________ > Opensc-devel mailing list > Ope...@li... > https://lists.sourceforge.net/lists/listinfo/opensc-devel > -- --------- CardContact Software & System Consulting |.##> <##.| Andreas Schwier |# #| Schülerweg 38 |# #| 32429 Minden, Germany |'##> <##'| Phone +49 571 56149 --------- http://www.cardcontact.de http://www.tscons.de http://www.openscdp.org http://www.smartcard-hsm.com -- --------- CardContact Software & System Consulting |.##> <##.| Andreas Schwier |# #| Schülerweg 38 |# #| 32429 Minden, Germany |'##> <##'| Phone +49 571 56149 --------- http://www.cardcontact.de http://www.tscons.de http://www.openscdp.org http://www.smartcard-hsm.com |
