Nitrokey HSM2 Firmware update and customization for own solution

Hello,

is it possible to modify the firmware (HSM, not STM) of the HSM2?
As far as I understand, the hardware of the OpenPGP Card v2 is comparable to
a microcontroller with basic protection against reading the memory from outside,
but most likely, sensitive keys are not protected against advanced attacks
that are based on chemicals and lasers etc - in contrast to the JavaCard? module inside the
nitrokey HSM2 or debit/credit smartcards, ePassport etc.

In order to really increase security by using an external crypto device like the nitrokey, it is necessary
to specify contraints on the operations that are running inside the secure crypto module.
For example, think of an encrypted hard disk of either a laptop or a shared storage system.
At some point. it is required to release the key from either the human memory of the user or a
Nitrokey-like system to the laptop - the only alternative is to use a (very expensive) system that
is able to perform all the encryption/decryption of data completely inside a secure module at an acceptable speed.

As soon as the key is written to the memory of the laptop, the security of the encryption depends on the
laptop’s integrity, which requires approaches like TPM of the Nitropad, but even then, any vulnerability of the OS’s kernel may leak the key to malware on the system, revealing the complete data to an attacker.

If the secure hardware module inside the Nitrokey HSM2 would offer pubkey authentification for decryption, a single master key could be used to encrypt a large amount of subkeys, each used for only a small part of the disk. The master key itself would never leave the HSM and would only be used for decryption of those keys that are needed. Decrypting keys by the HSM requires a valid certificate of the
user that has to be renewed frequently an is only valid for a specified ammount of keys to decrypt.

In order to implement this, one had to add some functionality to the HSM, namely configuring a condition on a key that has to be satisfied by an other operation (cert verification) before the key is unlocked for the requested operation (decryption).

This could be applied to many other use cases that benefit from access control of keys.

Do you have access to the firmware of the secure hardware module at all?
Is it open source/possible to customize it?

Thanks in advance

Hi @jochen!

To clarify, for OpenPGP/PKCS communication we have only one product based solely on the MCU, and this is Nitrokey Start. Other products have either real hardware OpenPGP or HSM smart card to store the secrets, and are MCU assisted (being a smart card reader over USB, and providing extra features).

Specifically Nitrokey HSM2 is based on smart card (JavaCard), which firmware is securely update-able through encrypted connection using website. The smart card used is not OpenPGP, but HSM from CardContact, and it’s firmware is closed-source, not directly modifiyable, but seems to support custom applets as far as I understand from the vendor site.

So as far as I get this right this would be evolution of standard wrapped asymmetric/symmetric (like RSA/ECC) encryption to asymmetric/asymmetric per block. This is interesting idea.
However have you taken into consideration the performance of the device?

@sc-hsm: Could you tell is it possible to upload custom applets to the HSM? I did not see that in the documentation.

Technically, uploading additional applets is possible, but we only do that in customer specific projects.

We do also add functionality to the core applet as part of customer projects. Actually most of the functionality added lately (Public Key Authentication, XKEK Key Domains, AES support) are the result of doing customer projects.

Asymmetric operations should only be necessary if an internal counter that represents the quota for accessing encrypted data has reached zero (gets decremented after each decrypted subkey).
To reset the counter, the user has to provide a new certificate (issued by an external system, smartphone, smartcard with integrated pinpad etc…). The subkeys can be en/decrypted symmetrical with a key that never leaves the internal secure storage. After decryption by the nitrokey, the laptop can now use them for decrypting the requested block on the HDD.
To account for the lower processing power of the secure hardware module, the ratio between the ammount of data on the disk and the decryption speed of the associated subkey by the hsm has to be chosen appropriately.

It seems that the JavaCard that is used by the HSM is more secure than the openPGP card (BasicCard?)

It is possible for the community to contribute to such addons in order to get additional features?

I do not see it that way, rather as offering different functionality. Both cards have anti-tampering solutions in place, if you are asking about that. You should get more information regarding hardware and taken precautions asking the vendors directly, if you would like to compare them in detail (I do not have such information unfortunately).

Ah okay, I didn’t know that. I don’t want to make unproven/false claims about the manufacturer,
I just could not find detailed information on their website about anti tampering features, but I’ll ask
them directly.

1 Like

Regarding OpenPGP, some information is provided here:

1 Like

That sounds to me like the Public Key Authentication that is already implemented in the SmartCard-HSM. Instead of using a PIN to unlock the HSM you can configure an ECDSA key on a different HSM, have the public key authenticated based on the certificate chain (SRCA-DICA-DevAut-PubKey) and use a challenge response protocol.

There is also an authenticated ECDH operation where the other public key must be validated in the HSM before the shared secret is calculated.

1 Like