SmartCard-HSM Blog
Remote Key Attestation is the mechanism by which a relying party can cryptographically verify that a public key is part of a key pair that was generated inside a trusted device. The relying party can be a certification authority, that wants to enforce a certain policy for storing key material.
Enrollment over Secure Transport (EST) is an automatic certificate enrollment protocol defined in RFC 7030. It allows both, the initial enrollment of a X.509 certificate and later certificate renewal. The beauty of EST is, that is uses simple PKCS#10 and PKCS#7 objects, transmitted using https with TLS client authentication.
Pretty Good Privacy (PGP) is a common standard for file and e-mail encryption and signing. The GNU Privacy Guard (GnuPG) is a free software commonly used on Linux systems and on Windows.
The PKI-as-a-Service Portal now offers the ability to operate your own TrustCenter. With this new function you can create your own PKI with the SmartCard-HSM as secure key store for the certification authority.
This screencast shows how to prepare a SmartCard-HSM for use with a TrustCenter in the PKI-as-a-Service Portal.
Caused by a bug in the GENERATE SYMMETRIC KEY command, the SmartCard-HSM (aka Nitrokey HSM2) in versions 3.1 and 3.2 generates weak AES keys with little to no entropy.
The release of the SmartCard-HSM 4K marks an important milestone, with support for larger keys, support for AES and the introduction of key domains. The next generation SmartCard-HSM will make key management even more flexible and secure.
SmartCard-HSMs are great devices to store cryptographic keys. However, managing a bunch of token, setting up and running a PKI can be a quite daunting task.
On October 16th, 2017 a group of security researchers published a report about a flaw detected in the RSA key generation function, which is part of the cryptographic library used in Infineon Smartcard microcontroller and TPM modules.
Devices for the Internet-of-Things (IoT) often operate in hostile environments. That makes securing cryptographics keys even more important, as you don’t want your keys to access the infrastructure (LAN and back-end) floating around in cyberspace.
The new 2.1 release of the SmartCard-HSM is a minor release, adding two important new features: Controlled secure messaging binding of the authentication state and key agreement with authenticated public keys.
Building a SmartCard-HSM cluster is a very cost-effective way to increase cryptographic processing power. The ability to securely migrate keys from one SmartCard-HSM to another allows adding devices as the demand increases.
Cryptographic keys do not only need to be well protected from copying, it is just as important to control key access and usage. Placing keys on a hardware security module helps little, if it is easier to steal the hardware than it is to break into the software.
SSH is the de-facto standard used by system administrators to access remote systems. Often SSH is used with password based authentication, however the recommended way is to use public key authentication.
In October 2014, I had the pleasure to present IAEA’s new Universal Instrument Token at the Symposium on International Safeguards.
Starting in November 2014, the SmartCard-HSM USB-Stick ships with a new hardware revision.
Have you ever accidently deleted an important cryptographic key? Or suffered a hardware defect which results in the loss of key material?
EJBCA is the most popular open-sourced and enterprise-ready certification authority. It’s build on J2EE technology and scales well from small corporate installations to national PKIs with millions of issued certificates. Since version 6 it has a great UI to manage keys in a HSM.
The SmartCard-HSM has always had support for Elliptic Curve Cryptography (ECC), however initial support in OpenSC was somewhat limited. With the latest 0.14 release of the popular open source crypto middleware, support for ECC is on-par with RSA support.
Welcome to the SmartCard-HSM Blog.