Algorithms in a Nitrokey HSM


I do have bought a Nitrokey HSM, and looking on the encryption and
algorithms loaded on it, using the manual “AGD_SmartCard-HSM_V3.1rc1_User_Manual”.

By doing some tests, it seems like algorithms for derive keys, like the ‘98’, ‘99’, ’10’ or ‘11’ cannot be called.

  • Is it normal ?
  • Can they be activated or downloaded on it ?
  • Can I activate or download another algorithm, a standard one, but another that the one specified on the manual
  • Can we add some of my own algorithms ?

Thank you for your answer and have a nice day,

Tayfun Kalkanci.


Could you elaborate on how have you called the commands, and what these algorithms are? And what is the exact error?

I do not think the HSM smart card could be updated with own implementation. As far as I know there only one firmware path, so as long as it is in the manual I expect it to work.

cc: @sc-hsm


off course…

I have downloaded a C++ project that allows me to send APDU commands to my Nitrokey HSM 2 :

I have generated on it 2 asymmetric keys, a RSA and an EC :

pkcs11-tool.exe -l --pin 981567 --keypairgen --key-type rsa:2048 --id 01
pkcs11-tool.exe -l --pin 981567 --keypairgen --key-type EC:prime256v1 --id 02

Then I use the APDU commands :

First a VERIFY command, with my pin, to maintain authentification state

0020 01 81 06 393831353637 => return '90 00'

Then try to Derive the EC key, with the algorithm ‘98’

8076 02 03 03 985462 => return '6A 81' Function not supported, key derivation not allowed for key referenced in P1

I did not yet managed to create or import a symmetric key, so I tried its derivation on the RSA and EC keys, which is hazardous, I reckon

8078 01 99 05 0102030405 00 => return '6A 81' Function not supported, key does not support algorithm in P2

(same thing for key ‘02’, and algorithms ‘10’ and ‘11’)

But off course I did not set the allowed algorithms on each key, as it is possible to do on the APDU command GENERATE ASYMMETRIC KEY PAIR, or GENERATE SYMMETRIC KEY.
Can it be the cause ?
I will try to work on that.

I see. I am afraid I cannot help you on the APDU level further. Perhaps @sc-hsm can. The proper support for that is here:

For a final advice of managing this issue, could you try to achieve the same with the OpenSC tools first, and peek the communication with OPENSC_DEBUG=9 environment flag? Perhaps some preparation is required to execute the commands you listed.

Out of curiosity, could you tell what are the human readable names of the algorithms you would like to use?

Yes, I will try to do everything with OpenSC. To be honest, I did not found those functions explained other that with the APDU commands, so I do not know how to call them in OpenSC, but I will search.

I just want to call the algorithm ‘10’, for AES Encryption using CBC mode, but as the others seems to be availables, I tried them to see the result (failure or success)…

Hello szszszsz,

Indeed I used the “Smart Card Shell (SCSH3)” I could find somewhere on the links you gave me, to initialize the Nitrokey HSM, and to generate an AES symmetric Key, and to declare witch algorithms can be executed with this key. I select the algorithms 10, 11 and 99 for the key.

Then the APDU commands worked.

8078 01 99 05 0102030405 00 => 10B3A1EF0A6118B59AF2649B22AC6B1D902AF00A2622F6813A1D43BF49FBCE17(9000)
8078 01 10 10 0102030405060708090A0B0C0D0E0F10 00 => E62D9B589A04EC6F4FB5619EA04A026F(9000)
8078 01 11 10 E62D9B589A04EC6F4FB5619EA04A026F 00 => 0102030405060708090A0B0C0D0E0F10(9000)

So I needed to declare the algorithms allowed on the key creation. That were my problem…

1 Like