Nitrokey HSM2 as CA with ECDSA-521: Security Questions


we want to use the Nitrokey HSM2 as CA to sign several certificates of embedded devices.
Therefore we use the ECC-Curve secp521r1 and OpenSSL as commandline tool with opensc and libp11.

The command that signs a request:
openssl x509 -req -CA CACertificate.pem -engine pkcs11 -CAkeyform engine -CAkey slot_XXX-id_YYYYY -in SigningRequest.csr -out Certificate.crt

The key that lies behind this ID has the type secp521r1.
Up to now that works pretty well, but I’m not sure if this is secure.

My Questions:

  • The Algorithm that should be executed is ECDSA-521. Is this done by OpenSSL or fully done by the HSM?
  • ECDSA has a big weakness when the value “k” is not chosen correctly. (Elliptic Curve Digital Signature Algorithm - Wikipedia)
    With this weakness it’s possible to recover the private key of the CA with some certificates.
    Do we have to do something to ensure the correct creation of “k”? Or is this ensured when the Certificate is signed with the command mentioned before?
  • Is there a maximum of certificates that should be signed by a private key?

Thanks for your help!
Best regards

1 Like

The private key operation is of course performed in the SmartCard-HSM. The private key never leaves the secure element.

The random value k is generated using the build-in random number generator. The whole cryptography was evaluated and certified at EAL 5+ level, so you could place considerable trust into the device.

1 Like

And there is no limit on the number of times you can use the key.

That was what I wanted to hear. :slight_smile: