HSM2: Distributed key access & sign counter

Hi there!

I have some questions regarding the Nitrokey HSM 2 featureset. The fact sheet says:

Key administrators can either authenticate themselves using their own Nitrokey HSM (required for M-of-N access protection) or by means of a password. Remote access is possible, so key administrators do not have to be physically present in the same location.

Unfortunately, I only found out how to use this feature for key encryption when initializing the key and this without remote access or authentication by other NitroKeys. Am I right that this is not yet supported by the advertised software? If yes, is there some kind of roadmap when it should be possible to use other NitroKeys for unlocking the keys stored inside the HSM or using other NitroKeys at least for initializing?

Another feature question: Other HSMs and smart cards can count how many times a single key was used for signing. Is it possible or will it be possible in the future to obtain this metric? This would be pretty nice for auditing purposes!

Thanks!

Both features are available starting with the 2.0 version from 2015. Public key authentication is explained in a blog post at [1] and a HowTo is available at [2] (CDN registration required). Adding support in OpenSC is an open issue [4] with some progress in [5].

A key use counter can be defined using the PKCS#11 module from sc-hsm-embedded and a proprietary attribute defined in [3]. The other way is to write a script and use the SmartCardHSM class in SCSH3 for configuration.

So both features are currently only available when doing some integration work. They are not available in the general purpose tools of OpenSC.

[1] https://www.smartcard-hsm.com/2015/10/10/Shared_Control_over_Key_Usage.html
[2] https://devnet.cardcontact.de/documents/7
[3] https://github.com/CardContact/sc-hsm-embedded/blob/master/src/sc-hsm/sc-hsm-pkcs11.h
[4] https://github.com/OpenSC/OpenSC/issues/594
[5] https://github.com/OpenSC/OpenSC/pull/1711

Hi! Thanks a lot for the information, this looks much better than I anticipated :slight_smile:
Maybe it would be worthwhile to document this a little bit better inside the NitroKey documentation?

Can public key authentication also be used in conjunction with DKEK shares and Key Backup?

Also, I have trouble setting up the scsh3 shell (it gives me CARD_CONNECT_FAILED), despite the other tools (OpenSC PKCS#11 in Firefox, pkcs11-tool, pkcs15-tool, ssh-agent + git etc.) working fine. Can you tell me where to get help with this?

Now, with n-m-authentication for unlocking keys available, I think I won’t even need the key usage counter anymore :wink:

Thanks again for your help!

Hi!

Try killing other services that might use the smart card, e.g.:

gpgconf --kill gpg-agent # GnuPG
sudo systemctl stop pcscd # pcscd, the PC/SC daemon used by OpenSC
sudo killall pcscd scdaemon # mentioned two once again, just in case

Edit: typo with systemctl service name

Thanks for your answer. I just managed to get it working :+1:

Manually adding the path to the pcsclite library by specifying the sun.security.smartcardio.library property in the command line did the trick!

-Dsun.security.smartcardio.library=/usr/lib64/libpcsclite.so.1.0.0


But while trying this, another question came to my mind: if OpenSC does not support this yet, will it be usable for 3rd party apps then (e.g. with OpenSSL) if I unlock the PIN inside scsh3 first?

edit: I’ve done some tests regarding my questions.

Can public key authentication also be used in conjunction with DKEK shares and Key Backup?

The answer to this seems to be YES! Key backup is still possible.

if OpenSC does not support this yet, will it be usable for 3rd party apps then (e.g. with OpenSSL) if I unlock the PIN inside scsh3 first?

For this, the answer seems to be NO, but I would love to stand corrected on that! Would it be possible to implement a “card already has status logged in” inside OpenSC until the ‘real’ implementation is ready?
