mirrors/pico-hsm
1
0
Fork 0
mirror of https://github.com/polhenarejos/pico-hsm.git synced 2026-01-17 09:28:05 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

Adding clarification on setting PKA and PIN with SCS3.

Browse source 
Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>
This commit is contained in:
Pol Henarejos 2022-08-09 00:26:35 +02:00
parent 157923decc
commit 30d3270e1d
No known key found for this signature in database
GPG key ID: C0095B7870A4CCD3
1 changed files with 21 additions and 7 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

28
doc/public_key_authentication.md
View file

@ -65,19 +65,33 @@ Pico HSM uses the PIN to protect the DKEK, which is lately used to protect priva
Authenticated privileges are granted when PKA succeeds, regardless of PIN, which is optional. Authenticated privileges are granted when PKA succeeds, regardless of PIN, which is optional.
Nevertheless, **it is extremely recommended to combine PKA with PIN**. Note that when combined, only PKA grants authenticated privileges. Therefore, if both schemes are setup, it is necessary to unlock the DKEK with PIN verification. Nevertheless, **it is extremely recommended to combine PKA with PIN**. Note that when combined, only PKA grants authenticated privileges. Therefore, if both schemes are setup, it is necessary to unlock the DKEK with PIN verification.
Otherwise, it will not be possible to operate with private/secret keys despite the user will be logged in. Otherwise, it will not be possible to operate with private/secret keys despite the user will be logged in.
Unfortunately, SCS3 does not supports the combination of both schemes during the initialization. Fortunately, OpenSC does. With this scheme, multiple custodians may authenticate the device individually and remotely and, when fully authenticated, the master user can unlock the DKEK with the PIN.
To initialize the device with PKA **and** PIN use the following command (or similar), which accepts the use of PIN parameter **and** PKA configuration: Moreover, with this approach the device is kept safe and neither the DKEK nor the private/secret keys are stored in plain text in the device.
Even though the flash memory is dumped by an attacker, it will not be possible to decipher any sensitive data or key.
Initialization of the device with PKA **and** PIN can be achieved with SCS3 or OpenSC:
**Note:** do not import any DKEK share or DKEK operation before PKA and PIN setup.
### With OpenSC
Use the following command (or similar), which accepts the use of PIN parameter **and** PKA configuration:
``` ```
sc-hsm-tool -X --so-pin 1234567890123456 --pin 648219 -K 1 -n 1 -s 1 sc-hsm-tool -X --so-pin 1234567890123456 --pin 648219 -K 1 -n 1 -s 1
``` ```
where PKA and PIN are enabled, jointly with DKEK protection. and PKA and PIN are enabled, jointly with DKEK protection.
Therefore, with this scheme, multiple custodians may authenticate the device individually and, when fully authenticated, the master user can unlock the DKEK with the PIN. ### With SCS3
With this approach the device is kept safe and neither the DKEK nor the private/secret keys are stored in plain text in the device. Unfortunately, SCS3 does not allow to initialize the device with PKA and PIN at the same time, though it can be achieved in separated steps:
Even though the flash memory is dumped by an attacker, it will not be possible to decipher any sensitive data or key.
1. Initialize the device with PKA. When done, the PIN will not be initialized but it will advice that 3 attemps can be performed.
2. There is NO default PIN. So, DO NOT attempt to log in yet. A reset PIN shall be requested.
3. Click on ``Reset User-PIN``, introduce the SO-PIN configured during the initialization and introduce the desired User-PIN.
When done, the device will be configured with PIN **and** PKA.