AES encryption and key permission management support


#1

Hi,

I’m looking for USB token device supporting following features simultaneously:

  1. Holds x509 certificate for TLS communication.
  2. Holds 2048 bit RSA key for TLS communication.
  3. Holds 256 bit AES key for file encryption.

The device would be connected to a computer in a non-secure physical environment, meaning that it could get stolen. Hence, I need some sort of permission management to never allow decryption with AES key.

Reading almost all of your product briefs I believe I can’t achieve my tasks with NitroKey products. None of your products support on-module AES encryption/decryption and no permission management is available. (NitroKey Pro 2 is the closest to my needs, however it doesn’t have AES functionality except storing one AES key)

Can you confirm this?


#2

Hi,

as far as I can see the Nitrokey Pro 2 supports encryption and decryption with AES256 key. See specification page 57 to 60.

I don’t know any software which actually uses it yet, though. Thus, you might need to implement it yourself (e.g. in OpenSC).

Kind regards
Alex


#3

Hi @nitroalex,

as far as I can see the Nitrokey Pro 2 supports encryption and decryption with AES256 key . See specification page 57 to 60.

I don’t understand why you linked gpg specification. What does it have to do with Nitrokey Pro 2?

I don’t know any software which actually uses it yet, though. Thus, you might need to implement it yourself (e.g. in OpenSC).

I am able to do AES encryption/decryption, and public key crypto, with Python-PKCS#11 and SoftHSM2. Python-PKCS#11 compatibility table says AES operations are not available on OpenSC (Nitrokey).

I was asking whether I can do the same with Nitrokey Pro 2. The factsheet states it supports PKCS#11 and storing 1xAES256 key. Bu you haven’t mentioned any AES functionality, mode of operation, and etc.

So, is there any possibility of doing AES encryption on your module? I’m not particularly interested in fetching AES key from Nitrokey and doing encryption on CPU.

Thanks,
Batuhan


#4

Hi Bahutan,

I should have explained that indeed, I am sorry. Inside the Nitrokey Pro resides a OpenPGP Card v3.3. So technically you can do everything what a OpenPGP Card v3.3 can do. Therefore, I linked the specification.

As this is a rather new feature there is no software which makes use of this functionality. OpenSC is not able to handle this yet and I don’t know if it will (didn’t looked at it from a AES perspective in the past), but it is a good candidate.

In summary: there is no solution for that yet, but the Pro 2 supports enciphering and decryption with a imported AES key. The operations are done on the Nitrokey. So this would be what you are looking for. I would implement such feature in OpenSC (if desired by the project), but can not do it anytime soon.

Kind regards
Alex