SmartCard-HSM Blog

The IT-Services of the Leibniz University in Hannover, Germany are operating a shared SAP ERP (German Site) system for 18 universities in Lower Saxony. About 3000 users can access this service using a SmartCard-HSM equipped with an X.509 certificate. The certificate is issued by the DFN-PKI, a publicly trusted service for the science community. SAP is configured to use client certificates for authentication, with OpenSC as cryptographic middleware.

Read more...

We recently upgraded our Jenkins CI/CD server to sign jar files during the build process. Obviously we wanted to follow the “Use what you sell” principle and attached a SmartCard-HSM to store the code signing key and certificate. However, integrating jarsigner with a SmartCard-HSM turned out to be a little more complex.

Read more...

The export and import of key material from or into a SmartCard-HSM requires the configuration of a key domain. While in XKEK Key Domains the Key Encryption Key (KEK) is derived using an authenticated Diffie-Hellman, in a DKEK Key Domain the KEK is the result of importing DKEK Shares.

Read more...

Remote Key Attestation is the mechanism by which a relying party can cryptographically verify that a public key is part of a key pair that was generated inside a trusted device. The relying party can be a certification authority that wants to enforce a certain policy for storing key material.

Read more...

Enrollment over Secure Transport (EST) is an automatic certificate enrollment protocol defined in RFC 7030. It allows both the initial enrollment of an X.509 certificate and later certificate renewal. The beauty of EST is that it uses simple PKCS#10 and PKCS#7 objects, transmitted over HTTPS with TLS client authentication.

Read more...

Pretty Good Privacy (PGP) is a common standard for file and e-mail encryption and signing. The GNU Privacy Guard (GnuPG) is free software commonly used on Linux systems and on Windows.

Read more...

The PKI-as-a-Service Portal now offers the ability to operate your own TrustCenter. With this new function you can create your own PKI with the SmartCard-HSM as secure key store for the certification authority.

Read more...

This screencast shows how to prepare a SmartCard-HSM for use with a TrustCenter in the PKI-as-a-Service Portal.

Read more...

Caused by a bug in the GENERATE SYMMETRIC KEY command, the SmartCard-HSM (aka Nitrokey HSM2) in versions 3.1 and 3.2 generates weak AES keys with little to no entropy.

Read more...

The release of the SmartCard-HSM 4K marks an important milestone, with support for larger keys, support for AES and the introduction of key domains. The next generation SmartCard-HSM will make key management even more flexible and secure.

Read more...

SmartCard-HSMs are great devices to store cryptographic keys. However, managing a bunch of tokens and setting up and running a PKI can be quite a daunting task.

Read more...

On October 16th, 2017 a group of security researchers published a report about a flaw detected in the RSA key generation function, which is part of the cryptographic library used in Infineon smartcard microcontrollers and TPM modules.

Read more...

Devices for the Internet-of-Things (IoT) often operate in hostile environments. That makes securing cryptographic keys even more important, as you don’t want the keys that grant access to your infrastructure (LAN and back-end) floating around in cyberspace.

Read more...

The new 2.1 release of the SmartCard-HSM is a minor release, adding two important new features: Controlled secure messaging binding of the authentication state and key agreement with authenticated public keys.

Read more...

Building a SmartCard-HSM cluster is a very cost-effective way to increase cryptographic processing power. The ability to securely migrate keys from one SmartCard-HSM to another allows adding devices as the demand increases.

Read more...

Cryptographic keys do not only need to be well protected from copying; it is just as important to control key access and usage. Placing keys on a hardware security module helps little if it is easier to steal the hardware than it is to break into the software.

Read more...

SSH is the de-facto standard used by system administrators to access remote systems. Often SSH is used with password-based authentication; however, the recommended way is to use public key authentication.

Read more...

In October 2014, I had the pleasure to present IAEA’s new Universal Instrument Token at the Symposium on International Safeguards.

Read more...

Starting in November 2014, the SmartCard-HSM USB-Stick ships with a new hardware revision.

Read more...

Have you ever accidentally deleted an important cryptographic key? Or suffered a hardware defect which resulted in the loss of key material?

Read more...

EJBCA is the most popular open-source and enterprise-ready certification authority. It is built on J2EE technology and scales well from small corporate installations to national PKIs with millions of issued certificates. Since version 6 it has a great UI to manage keys in an HSM.

Read more...

The SmartCard-HSM has always had support for Elliptic Curve Cryptography (ECC), however initial support in OpenSC was somewhat limited. With the latest 0.14 release of the popular open source crypto middleware, support for ECC is on-par with RSA support.

Read more...

Welcome to the SmartCard-HSM Blog.

Read more...