mirrors/pico-hsm
1
0
Fork 0
mirror of https://github.com/polhenarejos/pico-hsm.git synced 2026-01-17 09:28:05 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1
pico-hsm/doc/public_key_authentication.md
Pol Henarejos 4dce0e5958
Update public_key_authentication.md 
Added screenshots.
2022-06-13 14:33:33 +02:00

4 KiB
Raw Blame History

Public Key Authentication

Public Key Authentication (PKA) is a mechanism to authenticate a legit user without introducing any PIN. The authentication is performed by signing a challenge and checking the signature result.

  1. A Pico HSM #A contains a private key, whose public key will be used for authentication.
  2. The public key of #A is registered into a second Pico HSM #B.
  3. When a user wants to login into #B, #B generates a challenge that is passed to #A for signature.
  4. #A signs the challenge and returns the signature.
  5. #B verifies the signature against the challenge with the public key of #A, previously registered.
  6. If the signature is valid, #B grants access to the user.

This mechanism has no retry counter or PIN throttling, as no PIN is set up on the device.

To enable PKA, the device must be initialized beforehand. In case the device has secret/private keys, all shall be exported and reimported when the set up is finished.

Requirements

To take advantage of PKA, the following is required:

  1. Two Pico HSM: one will be used only for authentication (it can be any device able to generate a private key and sign arbitrary data).
  2. SCS3 tool to authenticate the user. At this time, OpenSC does not support PKA.
  3. A secret key of ECC 256 bits. SCS3 does not support other curves.

Usage

Before using SCS3, it must be patched scs3.patch.txt. See SCS3 for further details.

Generate the authentication key

On a secondary device, generate a private key, on the ECC 256 bits (brainpoolP256r1 or secp192r1). Label it with an easy name, such as "Authentication".

Captura de Pantalla 2022-06-13 a les 12 11 00

Once finished, export the public key.

Captura de Pantalla 2022-06-13 a les 12 11 39

Initialization

On the primary device, initialize it. When prompting for an authentication mechanism, select "Public Key Authentication".

Captura de Pantalla 2022-06-13 a les 12 05 09Captura de Pantalla 2022-06-13 a les 12 14 48

Once finished, register the exported public key. A message of 0 authenticated public key(s) in 1 of 1 scheme will appear if it is properly registered.

Captura de Pantalla 2022-06-13 a les 12 15 44Captura de Pantalla 2022-06-13 a les 12 16 17

Authentication

Plug the secondary device that stores the private key (do not load the device in the SCS3 tool) and initiate the public key authentication.

Captura de Pantalla 2022-06-13 a les 12 19 47

Select the secondary card and the Authentication private key (or the name you labeled it).

Captura de Pantalla 2022-06-13 a les 14 25 25

Introduce the PIN of the secondary device.

If the private key matches with the registered public key, the primary device will grant access and it will display User PIN authenticated (9000) (despite no PIN is provided).

From now on, you have full access and can operate normally with the primary device.