How to check that a Nitrokey HSM is genuine?

How can I validate that a Nitrokey HSM and its firmware are genuine? For example, when I receive a Nitrokey HSM (or any other Nitrokey for that matter), how can I be sure that it hasn’t been replaced by a counterfeit during shipment?

Each Nitrokey-HSM/SmartCard-HSM has a unique device authentication key that is generated during production and certified by the Device Issuer CA. The Device Issuer CA in turn is certified by the SmartCard-HSM Root CA (SRCA), which we operate at CardContact.

You can validate the device using the Key Manager function in the Smart Card Shell. Whenever you start the Key Manager, it reads the Device and Device Issuer CA certificates and validates the chain up to the SRCA certificate. You can see that in the Shell window:

>load("keymanager/keymanager.js");

SmartCard-HSM Version 3.5 on JCOP 3          Free memory 78840 byte
Issuer Certificate : CVC id-SC-HSM DICA CAR=DESRCACC100001 CHR=DEDINK0200001 CED=29. Mai 2017 CXD=28. Mai 2025 
Device Certificate : CVC id-SC-HSM Device CAR=DEDINK0200001 CHR=DENK020060000000 CED=9. September 2021 CXD=28. Mai 2025 

If you get a message like

GPError: KeyManager (CRYPTO_FAILED/0) - "Device authentication failed" in /home/asc/opt/CardContact/scsh3/keymanager/keymanager.js#205
    at /home/asc/opt/CardContact/scsh3/keymanager/keymanager.js#205
    at /home/asc/opt/CardContact/scsh3/keymanager/keymanager.js#267

then the certificate chain was not successfully validated against the trust anchor in the key manager.

In the default configuration the Key Manager does not further authenticate the device, but that can be enabled by uncommenting the line

//	this.sc.openSecureChannel(this.crypto, this.certchain.publicKey);

in keymanager/keymanager.js. This will not only check the certificate validity, but additionally perform device authentication and establish a secure messaging channel between the device and the key manager. Subsequently all communication in the session will be protected for integrity, authenticity and confidentiality.

Alternatively you could log into the PKI-as-a-Service Portal, which is based on the same authentication mechanism. If that is successful, then you have a genuine device.

The SRCA certificate is also stored as trust anchor in the device during production and can be used to authenticate other HSMs and their keys. This is the basis for advanced key management mechanisms like Public Key Authentication or XKEK Key Domains.

For transport there is another important security mechanism: The device is sealed after production and you break the seal with the first device initialization. Whenever you receive a new device, you could check that sc-hsm-tool from OpenSC reports:

asc@caprese:~/Downloads$ sc-hsm-tool
Using reader with a card: Identive Identive CLOUD 4500 F Dual Interface Reader [uTrust 4700 F Contact Reader] (53201519204084) 01 00
Version              : 3.4
SmartCard-HSM has never been initialized. Please use --initialize to set SO-PIN and user PIN.

In that case the seal is still in place and the device is new from the factory or has been refreshed in a firmware update.

4 Likes
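The two certificate lines the Key Manager prints in the answer above can also be checked mechanically when logging device acceptance. The following is an added example, not part of the original post or of the Smart Card Shell: it parses those lines and checks name chaining (CAR against CHR) and the validity window only, and it does not verify signatures, which remains the Key Manager's job. The function names, the German month table (matching the locale of the output shown) and the use of `DESRCACC100001` from that output as the expected root reference are assumptions of this sketch.

```javascript
// Name-chaining and validity check over the Key Manager's certificate summary lines.
// This does NOT verify signatures; the Key Manager does that against the SRCA trust anchor.

// German month names as printed in the output above (locale-dependent; assumption).
const MONTHS = { Januar: 0, Februar: 1, "März": 2, April: 3, Mai: 4, Juni: 5,
  Juli: 6, August: 7, September: 8, Oktober: 9, November: 10, Dezember: 11 };

// "29. Mai 2017" -> Date at UTC midnight; throws on anything unexpected.
function parseDate(text) {
  const m = /^(\d{1,2})\. (\S+) (\d{4})$/.exec(text.trim());
  if (!m || !(m[2] in MONTHS)) throw new Error("unparseable date: " + text);
  return new Date(Date.UTC(Number(m[3]), MONTHS[m[2]], Number(m[1])));
}

// Parse one "<label> : CVC ... CAR=.. CHR=.. CED=.. CXD=.." line into its fields.
function parseCvcLine(line) {
  const m = /^(.+?)\s*:\s*CVC .*?CAR=(\S+) CHR=(\S+) CED=(.+?) CXD=(.+?)\s*$/.exec(line);
  if (!m) throw new Error("not a CVC summary line: " + line);
  return { label: m[1], car: m[2], chr: m[3], ced: parseDate(m[4]), cxd: parseDate(m[5]) };
}

// Returns a list of problems; an empty list means the printed chain is consistent.
function checkChain(issuerLine, deviceLine, expectedRootChr, now) {
  const issuer = parseCvcLine(issuerLine);
  const device = parseCvcLine(deviceLine);
  const problems = [];
  if (issuer.car !== expectedRootChr) problems.push("issuer CA not issued by " + expectedRootChr);
  if (device.car !== issuer.chr) problems.push("device certificate not issued by " + issuer.chr);
  for (const c of [issuer, device]) {
    if (now < c.ced) problems.push(c.label + " not yet valid");
    // The certificate is treated as valid through the end of the CXD day.
    if (now.getTime() >= c.cxd.getTime() + 86400000) problems.push(c.label + " expired");
  }
  return problems;
}

// Sample lines copied from the Key Manager output quoted above.
const ISSUER = "Issuer Certificate : CVC id-SC-HSM DICA CAR=DESRCACC100001 CHR=DEDINK0200001 CED=29. Mai 2017 CXD=28. Mai 2025 ";
const DEVICE = "Device Certificate : CVC id-SC-HSM Device CAR=DEDINK0200001 CHR=DENK020060000000 CED=9. September 2021 CXD=28. Mai 2025 ";
console.log(checkChain(ISSUER, DEVICE, "DESRCACC100001", new Date(Date.UTC(2022, 0, 1))));
```

A non-empty result is a reason to stop and look at the device more closely; an empty result only says the printed references line up, so it complements the "Device authentication failed" check rather than replacing it.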