mirrors/pico-hsm
1
0
Fork 0
mirror of https://github.com/polhenarejos/pico-hsm.git synced 2026-04-17 21:58:27 +00:00
Code Issues Projects Releases Packages Wiki Activity

Merge branch 'master' into development

Browse source
This commit is contained in:
Pol Henarejos 2022-11-15 17:40:29 +01:00
commit e70461e551
No known key found for this signature in database
GPG key ID: C0095B7870A4CCD3
1 changed files with 16 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

17
README.md
View file

@ -13,7 +13,7 @@ RSA key generation in place for 1024, 2048, 3072 and 4096 bits. Private keys nev
ECDSA key generation in place for different curves, from 192 to 521 bits. ECDSA key generation in place for different curves, from 192 to 521 bits.
### > ECC curves ### > ECC curves
It supports secp192r1, secp256r1, secp384r1, secp521r1, brainpoolP256r1, brainpoolP384r1, brainpoolP512r1, secp192k1 (insecure), secp256k1 curves. It supports secp192r1, secp256r1, secp384r1, secp521r1, brainpoolP256r1, brainpoolP384r1, brainpoolP512r1, secp192k1 (insecure), secp256k1 curves. Also Curve25519 and Curve448.
### > SHA1, SHA224, SHA256, SHA384, SHA512 digests ### > SHA1, SHA224, SHA256, SHA384, SHA512 digests
ECDSA and RSA signature can be combined with SHA digest in place. ECDSA and RSA signature can be combined with SHA digest in place.
@ -111,6 +111,21 @@ Public Key Authentication (PKA) allows to authenticate by using a secondary devi
In PKA, the PIN is used for protecting the DKEK, as classic method with only PIN, and PKA is used for adding an extra security layer. Therefore, this mechanism provides a higher degree of security, since it needs a secondary Pico HSM to authenticate the primary one. In PKA, the PIN is used for protecting the DKEK, as classic method with only PIN, and PKA is used for adding an extra security layer. Therefore, this mechanism provides a higher degree of security, since it needs a secondary Pico HSM to authenticate the primary one.
### > Secure Lock
An extra layer can be added to the device by adding a private key stored on the computer to lock that Pico HSM to the specific computer. The content will be completely encrypted with a private key only available from a specific computer.
### > ChaCha20-Poly1305
This is a novel fast and efficient symmetric encryption algorithm. Similarly to AES, it can be used to cipher your private data.
### > X25519 and X448
Both cruves Curve25519 and Curve448 are supported for doing DH X25519 and X448. Remember that cannot be used for signing.
### > Key Derivation Functions: HKDF, PBKDF2 and X963-KDF
It supports symmetric key derivations from different standards and RFC.
### > HMAC
It supports performing HMAC from a secret key on a arbitrary data with SHA digest algorithm.
[^1]: PKCS11 modules (`pkcs11-tool` and `sc-tool`) do not support CMAC and key derivation. It must be processed through raw APDU command (`opensc-tool -s`). [^1]: PKCS11 modules (`pkcs11-tool` and `sc-tool`) do not support CMAC and key derivation. It must be processed through raw APDU command (`opensc-tool -s`).
[^2]: Available via SCS3 tool. See [SCS3](/doc/scs3.md "SCS3") for more information. [^2]: Available via SCS3 tool. See [SCS3](/doc/scs3.md "SCS3") for more information.
[^3]: Imports are available only if the Pico HSM is previously initialized with a DKEK and the DKEK shares are available during the import process. [^3]: Imports are available only if the Pico HSM is previously initialized with a DKEK and the DKEK shares are available during the import process.