diff --git a/doc/public_key_authentication.md b/doc/public_key_authentication.md index 25b389f..a24c4cf 100644 --- a/doc/public_key_authentication.md +++ b/doc/public_key_authentication.md @@ -25,24 +25,37 @@ To take advantage of PKA, the following is required: Before using SCS3, it must be patched [scs3.patch.txt](https://github.com/polhenarejos/pico-hsm/files/8890050/scs3.patch.txt). See [SCS3](/doc/scs3.md "SCS3") for further details. -### Generate the authentication key +### Generate the authentication key On a secondary device, generate a private key, on the ECC 256 bits (`brainpoolP256r1` or `secp192r1`). Label it with an easy name, such as "Authentication". +Captura de Pantalla 2022-06-13 a les 12 11 00 + Once finished, export the public key. +Captura de Pantalla 2022-06-13 a les 12 11 39 + ### Initialization On the primary device, initialize it. When prompting for an authentication mechanism, select "Public Key Authentication". +Captura de Pantalla 2022-06-13 a les 12 05 09Captura de Pantalla 2022-06-13 a les 12 14 48 + Once finished, register the exported public key. A message of `0 authenticated public key(s) in 1 of 1 scheme` will appear if it is properly registered. -### Authentication +Captura de Pantalla 2022-06-13 a les 12 15 44Captura de Pantalla 2022-06-13 a les 12 16 17 -Plug the secondary device that stores the private key (do not load the device in the SCS3 tool). + +### Authentication + +Plug the secondary device that stores the private key (do not load the device in the SCS3 tool) and initiate the public key authentication. + +Captura de Pantalla 2022-06-13 a les 12 19 47 Select the secondary card and the Authentication private key (or the name you labeled it). +Captura de Pantalla 2022-06-13 a les 14 25 25 + Introduce the PIN of the secondary device. If the private key matches with the registered public key, the primary device will grant access and it will display `User PIN authenticated (9000)` (despite no PIN is provided).