How to Securely Initialize a Nitrokey HSM 2 Remotely

How can I initialize a Nitrokey HSM 2 remotely if the host machine that the HSM is connected to is untrusted?

Use-case:
I am the admin at location A. The Nitrokey HSM 2 is plugged into an untrusted host machine at location B. I would like to remotely initialize the Nitrokey HSM 2 with the SO-PIN, user PIN, several key pairs, and some certificates. Users at location B would then receive the user PIN to use the HSM to sign device certificates, but I need to prevent them from exporting any of the objects to another HSM to ensure there is only one HSM with proper signing capabilities.

To do this, I will need a secure connection between myself and the Nitrokey HSM 2 to prevent any listener/MITM from seeing and modifying the initialization input.

How can this best be achieved?

The SmartCard-HSM supports remote administration and that is actually a key feature of the PKI-as-a-Service Portal.

A remote secure channel can be established using the Device Authentication Key and the associated Device Certificate. Both are generated during production and are present on a SmartCard-HSM even before the device is initialized by the user. The secure channel protocol is based on TR-03110 and is the same mechanism used to protect APDU exchange on electronic passports and eID cards.

The secure channel allows a remote system to access the HSM, ensuring confidentiality and integrity of the APDU exchange. On top of the APDU exchange we use the RAM-Over-Http Protocol, which allows a web service to access the remote device. RAM-Over-Http is supported in the OpenSCDP Scriptingserver, which is the foundation for the PKI-as-a-Service portal.

To get this implemented, you could run your own instance of the PKI-as-a-Service software or write your own scripts using the ScriptingServer. The ScriptingServer comes with some examples that show how RAM-Over-Http works.

When you run your own instance of the PKI-as-a-Service software, you also have the option to write your own plug-in to support service request code that caters to your specific needs.

Of course we provide professional services, but the software itself is available as Open Source in the CDN.

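The answer above relies on a secure channel so that the untrusted host at location B sees only protected APDUs and cannot alter or replay them. The following Python block is an added illustration of that property and is not code from the page, from Nitrokey or from the OpenSCDP project: it models an admin endpoint, a simulated HSM and an untrusted relay in between, using HMAC-SHA256 for both a counter-mode keystream and a message authentication tag with a send sequence counter. The real TR-03110 secure messaging uses a key agreement against the Device Authentication Key and an AES cipher suite; here the agreed session secret is simply assumed, and the "INIT" command and its "9000" status are constructed toy values that stand in for real initialization APDUs.

```python
# Illustrative secure-messaging layer over an untrusted relay.
# Added example, not the SmartCard-HSM / TR-03110 implementation. Stdlib only.
import hashlib
import hmac

MAC_LEN = 16   # truncated HMAC tag appended to each protected APDU
SSC_LEN = 8    # send sequence counter, bound into keystream and MAC

# Assumption: both ends already agreed on this secret (in TR-03110 it would
# come from the key agreement with the Device Authentication Key). Constructed.
SHARED_SECRET = bytes.fromhex("00112233445566778899aabbccddeeff")


def derive_session_keys(shared_secret: bytes):
    """Derive independent (enc, mac) key pairs for each direction, so the same
    counter value never reuses a keystream across command and response."""
    def kdf(label: bytes) -> bytes:
        return hmac.new(shared_secret, label, hashlib.sha256).digest()
    cmd_keys = (kdf(b"CMD-ENC"), kdf(b"CMD-MAC"))
    rsp_keys = (kdf(b"RSP-ENC"), kdf(b"RSP-MAC"))
    return cmd_keys, rsp_keys


def _keystream(key: bytes, ssc: int, length: int) -> bytes:
    """HMAC-SHA256 in counter mode; the SSC makes every message's stream unique."""
    out, block = b"", 0
    while len(out) < length:
        msg = ssc.to_bytes(SSC_LEN, "big") + block.to_bytes(4, "big")
        out += hmac.new(key, msg, hashlib.sha256).digest()
        block += 1
    return out[:length]


class SecureChannel:
    """One endpoint: wraps outgoing APDUs (encrypt-then-MAC) and unwraps
    incoming ones, rejecting altered, truncated or replayed messages."""

    def __init__(self, send_keys, recv_keys):
        self.send_enc, self.send_mac = send_keys
        self.recv_enc, self.recv_mac = recv_keys
        self.send_ssc = 0
        self.recv_ssc = 0

    def wrap(self, apdu: bytes) -> bytes:
        self.send_ssc += 1
        ssc = self.send_ssc.to_bytes(SSC_LEN, "big")
        ks = _keystream(self.send_enc, self.send_ssc, len(apdu))
        ct = bytes(a ^ b for a, b in zip(apdu, ks))
        tag = hmac.new(self.send_mac, ssc + ct, hashlib.sha256).digest()[:MAC_LEN]
        return ssc + ct + tag

    def unwrap(self, msg: bytes) -> bytes:
        if len(msg) < SSC_LEN + MAC_LEN:
            raise ValueError("truncated message")
        ssc_b, ct, tag = msg[:SSC_LEN], msg[SSC_LEN:-MAC_LEN], msg[-MAC_LEN:]
        ssc = int.from_bytes(ssc_b, "big")
        if ssc <= self.recv_ssc:
            raise ValueError("replayed or out-of-order message")
        expected = hmac.new(self.recv_mac, ssc_b + ct, hashlib.sha256).digest()[:MAC_LEN]
        if not hmac.compare_digest(tag, expected):
            raise ValueError("MAC failure: message altered in transit")
        self.recv_ssc = ssc
        ks = _keystream(self.recv_enc, ssc, len(ct))
        return bytes(a ^ b for a, b in zip(ct, ks))


def build_endpoints(shared_secret: bytes):
    """Admin sends on the command keys and receives on the response keys;
    the HSM does the opposite."""
    cmd_keys, rsp_keys = derive_session_keys(shared_secret)
    return SecureChannel(cmd_keys, rsp_keys), SecureChannel(rsp_keys, cmd_keys)


def exchange(admin, hsm, apdu: bytes, relay=lambda m: m):
    """Admin wraps, the untrusted host relays (and may interfere), the simulated
    HSM unwraps, answers, and the admin unwraps the protected response."""
    wire = relay(admin.wrap(apdu))
    plain = hsm.unwrap(wire)
    status = b"9000" if plain.startswith(b"INIT") else b"6A82"  # toy semantics
    return admin.unwrap(hsm.wrap(status)), wire


def scenario(kind: str) -> str:
    """Run one relay behaviour: 'honest', 'tamper' (flip a ciphertext byte)
    or 'replay' (re-deliver a captured command)."""
    admin, hsm = build_endpoints(SHARED_SECRET)
    apdu = b"INIT SO-PIN=3537363231383830 PIN=648219"  # constructed sample values
    try:
        if kind == "honest":
            resp, wire = exchange(admin, hsm, apdu)
            hidden = b"648219" not in wire and b"3537363231383830" not in wire
            return "ok" if resp == b"9000" and hidden else "unexpected"
        if kind == "tamper":
            def flip(m):
                i = SSC_LEN + 5
                return m[:i] + bytes([m[i] ^ 0x01]) + m[i + 1:]
            exchange(admin, hsm, apdu, relay=flip)
        if kind == "replay":
            captured = []
            exchange(admin, hsm, apdu, relay=lambda m: captured.append(m) or m)
            hsm.unwrap(captured[0])
        return "accepted"
    except ValueError as err:
        return f"rejected: {err}"


if __name__ == "__main__":
    for k in ("honest", "tamper", "replay"):
        print(k, "->", scenario(k))
```

The relay sees neither the PINs nor the command, and any byte it changes or re-sends is refused before the HSM acts on it; the separate per-direction keys are what keep the counter scheme from ever reusing a keystream. In the real deployment the same guarantees come from the TR-03110 channel established with the pre-personalised Device Authentication Key, which is why the untrusted host at location B can carry the session without being trusted with its contents.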