SmartCard-HSM and PKI-as-a-Service Documentation

We’ve started a new documentation project for the PKI-as-a-Service and the Key Manager for the SmartCard-HSM / Nitrokey-HSM.

This is to fill the gaps for the more complex use cases.

Comments and wishes welcome.


Hello,

I will be very happy to see some Nitrokey documentation about n-of-m authentication.

I think it is related to the PKI-as-a-service according to this: N-of-m Schemes - Nitrokey Documentation

Currently, if I understand correctly, the documentation is on the <cardcontact [dot] de> website, but it’s really not clear:

  • Do we have to buy their SmartCard-HSM to use this feature?
  • What is the relation between Nitrokey and <cardcontact [dot] de>?
  • Is it not possible to lock/unlock the Nitrokey using n-of-m without <cardcontact [dot] de> software/hardware?

It would be really good if Nitrokey provided some API or something to do this without using this third-party tool.

Documentation for n-of-m was just added.

The Nitrokey-HSM is actually using the SmartCard-HSM Applet. CardContact develops the software (Applet, Middleware, PKI-as-a-Service).

If you buy a Nitrokey-HSM you can use all the software available for the SmartCard-HSM, because internally it is the same thing.

I think I am missing some information; I am starting from zero.

I read the Nitrokey documentation (Nitrokey website) and some linked docs that are on openscdp.

But for example, if I take your new documentation:

[image]

I suppose that this step is one of the steps explained in N-of-m Schemes - Nitrokey Documentation?

Then for the next step:

[image]

I have downloaded scsh3gui from here: Smart Card Shell 3

When I start the software I get this:

How do we log into ‘the personal SmartCard-HSM’ ?

Is the Nitrokey HSM 2 supposed to appear automatically in the software?

Also:

  • Do I really need to access the Git of openscdp, or is scsh3 enough for what I need?

What I know:

  • I am running a fresh Ubuntu 24.04
  • The Nitrokey HSM 2 is plugged into the computer
  • It doesn’t seem to appear in scsh3gui.
  • It correctly appears with pkcs11-tool (so the dongle is working)
  • Same issues on a 22.04 computer
  • The dongle is also not recognised by nitrokey-app, but I don’t know if it is supposed to be recognised by this app or not (it’s not clear if the Nitrokey HSM 2 uses it or not). (I tried two versions of nitrokey-app, 1.x and 2.x.)

Maybe there are 2 options:

  1. I am missing some information somewhere; this is just “wrong usage” of the solution.
  2. There is a problem with my setups on Ubuntu 22.04 and 24.04

Any help will be appreciated, possibly on another post to avoid spoiling this one.

My objective is: be able to use a Nitrokey HSM 2 with PKCS#11 for signing firmware (using OpenSSL + PKCS#11), AND lock/unlock access to the dongle with an n-of-m scheme.

There are actually two n-of-m schemes:

  • You can use an n-of-m scheme to share the password of a DKEK share (this is what the Nitrokey Doc is about) and
  • you can use a n-of-m scheme for authenticating, rather than using a PIN.

In the Smart Card Shell (a general tool to work with SmartCards) you need to start the Key Manager (a tool for the SmartCard-HSM) with CTRL+M (or from the menu).

The problem you will face is that PKCS#11 does not support Public Key Authentication. PKCS#11 only knows User PINs.

You will need some user interface to use Public Key Authentication (prompt key custodians to insert their token etc), which neither PKCS#11 nor OpenSSL provides.

There is the idea to allow PKA over the PKI-as-a-Service, but that development has not yet seen any funding.
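The first of the two schemes above, sharing a DKEK share password among key custodians so that any n of m can rebuild it, is a threshold secret-sharing scheme. The following is an added example, not CardContact's or Nitrokey's code, that assumes Shamir's secret sharing over a prime field to show the n-of-m behaviour; the SmartCard-HSM's own share encoding is not reproduced, and the password is a constructed sample.

```python
"""Added example: n-of-m splitting of a DKEK share password with Shamir's
secret sharing over a prime field (assumed scheme, not the HSM's format)."""
import secrets

# 2^521 - 1 is prime, so passwords of up to 65 bytes fit in the field.
PRIME = (1 << 521) - 1

def _eval_poly(coeffs, x):
    """Horner evaluation; coeffs[0] is the secret, the rest are random."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc

def split_secret(secret, n, m):
    """Return m shares (x, y); any n of them reconstruct `secret`."""
    if not 1 <= n <= m:
        raise ValueError("need 1 <= n <= m")
    if not 0 <= secret < PRIME:
        raise ValueError("secret outside the field")
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(n - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, m + 1)]

def recover_secret(shares):
    """Lagrange interpolation at x = 0; wrong with fewer than n shares."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    return total

def password_to_int(pw):
    return int.from_bytes(pw.encode(), "big")

def int_to_password(v):
    return v.to_bytes((v.bit_length() + 7) // 8, "big").decode()

def demo(pw="dkek-share-pw-constructed", n=2, m=3):
    """Split a constructed sample password 2-of-3 and rebuild from n shares."""
    shares = split_secret(password_to_int(pw), n, m)
    return int_to_password(recover_secret(shares[:n]))
```

Any n shares rebuild the password exactly; fewer than n give an unrelated field element, which is the property that lets custodians hold shares without any one of them knowing the password.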

Hello,

For n-of-m authentication, can you confirm that we need:

  • one Nitrokey for each custodian (to store their public/private key pair)
  • one Nitrokey (like a ‘master key’) used to store the keys for signature, encryption, … protected by n-of-m authentication

Is it possible to test the feature with only one Nitrokey HSM 2 device? (for example with SoftHSM simulation)

This suggests that each custodian needs to have their own Nitrokey:

Every key custodian involved in enabling access to keys on a SmartCard-HSM must generate a personal authentication key.

Log into the personal SmartCard-HSM and select Generate ECC Key from the context menu of the SmartCard-HSM node of the outline.

Currently we have one key; the second key was more for “backup”, as we are in an evaluation phase.

I tried the tutorial with a single key and get this error at the step ‘preparing-for-public-key-authentication’ when adding a second public key:

GPError: Card (CARD_INVALID_SW/27272) - "Unexpected SW1/SW2=6A88 (Checking error: Reference data not found) received" in /pathto/scsh-3.18.59/scsh/sc-hsm/ManagePKA.js#281
    at /pathto/scsh-3.18.59/scsh/sc-hsm/ManagePKA.js#281
    at /pathto/scsh-3.18.59/keymanager/keymanager.js#1923
    at /pathto/scsh-3.18.59/keymanager/keymanager.js#3310

But maybe it’s because I am using only one Nitrokey.

Yes, you need a Nitrokey-HSM or SmartCard-HSM card for every key custodian.

Added documentation for the new Key Escrow Service.

To give it a try, use the Sandbox or deploy your own instance with the deployment setup from GitHub (use the ‘latest’ branch).