SmartCard-HSM Blog
User Story - SAP SmartCard Access
Andreas Schwier | 07 Oct 2024
The IT-Services of the Leibniz University in Hannover, Germany operate a shared SAP ERP (German Site) system for 18 universities in Lower Saxony. About 3000 users can access this service using a SmartCard-HSM equipped with an X.509 certificate. The certificate is issued by the DFN-PKI, a publicly trusted service for the science community. SAP is configured to use client certificates for authentication, with OpenSC as cryptographic middleware.
Signing jar Files
Andreas Schwier | 13 Jun 2024
We recently upgraded our Jenkins CI/CD server to sign jar files during the build process. Obviously we wanted to follow the “Use what you sell” principle and attached a SmartCard-HSM to store the code signing key and certificate. However, integrating jarsigner with a SmartCard-HSM turned out to be a little more complex.
DKEK Share as PaperKey
Andreas Schwier | 22 May 2024
The export and import of key material from or into a SmartCard-HSM requires the configuration of a key domain. While in XKEK Key Domains the Key Encryption Key (KEK) is derived using an authenticated Diffie-Hellman, in a DKEK Key Domain the KEK is the result of importing DKEK Shares.
Remote Key Attestation explained
Andreas Schwier | 24 Feb 2024
Remote Key Attestation is the mechanism by which a relying party can cryptographically verify that a public key is part of a key pair that was generated inside a trusted device. The relying party can be a certification authority that wants to enforce a certain policy for storing key material.
Using EST for IOT Certificates
Andreas Schwier | 28 Sep 2022
Enrollment over Secure Transport (EST) is an automatic certificate enrollment protocol defined in RFC 7030. It allows both the initial enrollment of an X.509 certificate and later certificate renewal. The beauty of EST is that it uses simple PKCS#10 and PKCS#7 objects, transmitted over HTTPS with TLS client authentication.
Using the SmartCard-HSM with PGP
Andreas Schwier | 20 Jun 2022
Pretty Good Privacy (PGP) is a common standard for file and e-mail encryption and signing. The GNU Privacy Guard (GnuPG) is free software commonly used on Linux systems and on Windows.
Run your own TrustCenter
Andreas Schwier | 11 May 2022
The PKI-as-a-Service Portal now offers the ability to operate your own TrustCenter. With this new function you can create your own PKI with the SmartCard-HSM as secure key store for the certification authority.
Preparing a TrustCenter HSM
Andreas Schwier | 09 May 2022
This screencast shows how to prepare a SmartCard-HSM for use with a TrustCenter in the PKI-as-a-Service Portal.
Security Advice - SmartCard-HSM generates weak AES Keys
Andreas Schwier | 17 Sep 2019
Caused by a bug in the GENERATE SYMMETRIC KEY command, the SmartCard-HSM (aka Nitrokey HSM2) in versions 3.1 and 3.2 generates weak AES keys with little to no entropy.
Finally - The new SmartCard-HSM 4K Version
Andreas Schwier | 15 Mar 2019
The release of the SmartCard-HSM 4K marks an important milestone, with support for larger keys, support for AES and the introduction of key domains. The next generation SmartCard-HSM will make key management even more flexible and secure.
Introducing the new PKI-as-a-Service Portal
Andreas Schwier | 13 Feb 2018
SmartCard-HSMs are great devices to store cryptographic keys. However, managing a bunch of tokens and setting up and running a PKI can be quite a daunting task.
SmartCard-HSM not affected by CVE-2017-15361
Andreas Schwier | 17 Oct 2017
On October 16th, 2017 a group of security researchers published a report about a flaw detected in the RSA key generation function, which is part of the cryptographic library used in Infineon smartcard microcontrollers and TPM modules.
IoT and the SmartCard-HSM
Andreas Schwier | 14 Feb 2017
Devices for the Internet-of-Things (IoT) often operate in hostile environments. That makes securing cryptographic keys even more important, as you don't want the keys that grant access to your infrastructure (LAN and back-end) floating around in cyberspace.
What's new in the 2.1 release
Andreas Schwier | 25 Feb 2016
The new 2.1 release of the SmartCard-HSM is a minor release, adding two important new features: Controlled secure messaging binding of the authentication state and key agreement with authenticated public keys.
Building a SmartCard-HSM Cluster
Andreas Schwier | 20 Nov 2015
Building a SmartCard-HSM cluster is a very cost-effective way to increase cryptographic processing power. The ability to securely migrate keys from one SmartCard-HSM to another allows adding devices as the demand increases.
Shared Control over Key Usage
Andreas Schwier | 10 Oct 2015
Cryptographic keys not only need to be well protected from copying; it is just as important to control key access and usage. Placing keys on a hardware security module helps little if it is easier to steal the hardware than it is to break into the software.
Protecting your SSH keys
Andreas Schwier | 11 Mar 2015
SSH is the de-facto standard used by system administrators to access remote systems. Often SSH is used with password-based authentication; however, the recommended way is to use public key authentication.
The IAEA's new Universal Instrument Token
Andreas Schwier | 07 Jan 2015
In October 2014, I had the pleasure to present IAEA’s new Universal Instrument Token at the Symposium on International Safeguards.
SmartCard-HSM USB-Stick with new USB Product ID
Andreas Schwier | 10 Nov 2014
Starting in November 2014, the SmartCard-HSM USB-Stick ships with a new hardware revision.
Disaster Recovery for your SmartCard-HSM
Frank Thater | 25 Sep 2014
Have you ever accidentally deleted an important cryptographic key? Or suffered a hardware defect which results in the loss of key material?
Accessing your SmartCard-HSM from EJBCA
Andreas Schwier | 05 Sep 2014
EJBCA is the most popular open-source and enterprise-ready certification authority. It's built on J2EE technology and scales well from small corporate installations to national PKIs with millions of issued certificates. Since version 6 it has a great UI to manage keys in an HSM.
Using the SmartCard-HSM with ECC and OpenSC
Andreas Schwier | 22 Aug 2014
The SmartCard-HSM has always had support for Elliptic Curve Cryptography (ECC); however, initial support in OpenSC was somewhat limited. With the latest 0.14 release of the popular open source crypto middleware, support for ECC is on par with RSA support.
Welcome to the SmartCard-HSM Blog
Andreas Schwier | 07 Aug 2014
Welcome to the SmartCard-HSM Blog.