From d2782f6caccc2dae397e88f12dff9b59928a3b99 Mon Sep 17 00:00:00 2001 From: simon Date: Fri, 13 Dec 2024 21:15:03 +0100 Subject: [PATCH 1/5] SE050 doc page --- .../components/nitrokeys/nitrokey3/index.rst | 1 + .../nitrokeys/nitrokey3/secure-element.rst | 55 +++++++++++++++++++ 2 files changed, 56 insertions(+) create mode 100644 source/components/nitrokeys/nitrokey3/secure-element.rst diff --git a/source/components/nitrokeys/nitrokey3/index.rst b/source/components/nitrokeys/nitrokey3/index.rst index 5aefa4d5c0..11be1716d8 100644 --- a/source/components/nitrokeys/nitrokey3/index.rst +++ b/source/components/nitrokeys/nitrokey3/index.rst @@ -23,6 +23,7 @@ and the product guides: Set Pins nitropy Reset + The Secure Element Troubleshooting or check out the features: diff --git a/source/components/nitrokeys/nitrokey3/secure-element.rst b/source/components/nitrokeys/nitrokey3/secure-element.rst new file mode 100644 index 0000000000..d70412dc36 --- /dev/null +++ b/source/components/nitrokeys/nitrokey3/secure-element.rst 
@@ -0,0 +1,55 @@ +SE050 Secure Element +==================== + +.. contents:: :local: + +The Secure Element is a tamper-resistant secure element designed by NXP Semiconductors that provides advanced security features. +It offers hardware-based security functions including cryptographic operations, secure key storage, and protection against physical and logical attacks. +The SE050 Secure Element is certified to Common Criteria EAL 6+ security level and includes features like RSA, ECC, AES, and SHA algorithms, making it ideal for the Nitrokey 3. +It usage is optional and provides faster performance and some additional features. + +There are several apps on the Nitrokey 3 of which current only OpenPGPCard (opcard) and PIV (piv) are using it. PIV depends on the Secure Element and does not run without it being enabled. +Passwords (secrets) and FIDO2 (fido-authenticator) are not making use of it. + +Activation and Deactivation +--------------------------- +The Secure Element is enabled by default if no key is already saved on the device. This is automatically the case after reset of the opcard or the whole device. Activating the Secure Element for the opcard app will delete all current keys. 
+ +To check whether the Secure Element is activated run + +* nitropy nk3 get-config opcard.use_se050_backend + +To enable the Secure Element + +* nitropy nk3 set-config opcard.use_se050_backend true + +To disable the Secure Element + +* nitropy nk3 set-config opcard.use_se050_backend false + +Additional Features +------------------- + +The following features are exclusively usable with the Secure Element being enabled: + +Secure key storage: + +* RSA4096 +* RSA3072 + + +The following Elliptic Curve algorithms can only be used with the SE50 enabled: + +* NIST P-384 +* NIST P-521 (secp256r1/prime256v1, secp384r1/prime384v1, secp521r1/prime521v1) +* brainpoolp256r1 +* brainpoolp384r1 +* brainpoolp512r1 +* SECP256K1 (Test release) + +TODO: + maybe + a link to the product page or data-sheet + table for comparison + + + From 32201333b3da2139fae65d2114d71b9855b0c463 Mon Sep 17 00:00:00 2001 From: jans23 Date: Mon, 23 Dec 2024 09:53:40 +0100 Subject: [PATCH 2/5] Update secure-element.rst --- .../nitrokeys/nitrokey3/secure-element.rst | 38 +++++++------------ 1 file changed, 14 insertions(+), 24 deletions(-) diff --git a/source/components/nitrokeys/nitrokey3/secure-element.rst b/source/components/nitrokeys/nitrokey3/secure-element.rst index d70412dc36..dbe75908dc 100644 --- a/source/components/nitrokeys/nitrokey3/secure-element.rst +++ b/source/components/nitrokeys/nitrokey3/secure-element.rst 
@@ -1,55 +1,45 @@ -SE050 Secure Element -==================== +SE05 Secure Element +=================== .. contents:: :local: The Secure Element is a tamper-resistant secure element designed by NXP Semiconductors that provides advanced security features. It offers hardware-based security functions including cryptographic operations, secure key storage, and protection against physical and logical attacks. -The SE050 Secure Element is certified to Common Criteria EAL 6+ security level and includes features like RSA, ECC, AES, and SHA algorithms, making it ideal for the Nitrokey 3. +The SE05 Secure Element is certified to Common Criteria EAL 6+ security level and includes features like RSA, ECC, AES, and SHA algorithms, making it ideal for the Nitrokey 3. It usage is optional and provides faster performance and some additional features. -There are several apps on the Nitrokey 3 of which current only OpenPGPCard (opcard) and PIV (piv) are using it. PIV depends on the Secure Element and does not run without it being enabled. -Passwords (secrets) and FIDO2 (fido-authenticator) are not making use of it. +Currently only OpenPGP Card and PIV are using the Secure Element. PIV depends on the Secure Element and does not run without it being enabled and OpenPGP Card can be configured to use the Secure Element or not. Passwords and FIDO2 are not making use of it. Activation and Deactivation --------------------------- -The Secure Element is enabled by default if no key is already saved on the device. This is automatically the case after reset of the opcard or the whole device. Activating the Secure Element for the opcard app will delete all current keys. +The Secure Element is enabled by default if no key in OpenPGP Card and PIV is already saved on the device. This is automatically the case after reset of the OpenPGP Card or the whole device. Manually activating the Secure Element for the OpenPGP Card will delete all current keys. 
-To check whether the Secure Element is activated run +To check whether the Secure Element is activated run: * nitropy nk3 get-config opcard.use_se050_backend -To enable the Secure Element +To enable the Secure Element: * nitropy nk3 set-config opcard.use_se050_backend true -To disable the Secure Element +To disable the Secure Element: * nitropy nk3 set-config opcard.use_se050_backend false Additional Features ------------------- -The following features are exclusively usable with the Secure Element being enabled: +The following algorithms can only be used with the Secure Element being enabled: -Secure key storage: - -* RSA4096 -* RSA3072 - - -The following Elliptic Curve algorithms can only be used with the SE50 enabled: - -* NIST P-384 -* NIST P-521 (secp256r1/prime256v1, secp384r1/prime384v1, secp521r1/prime521v1) +* RSA-3072 +* RSA-4096 +* NIST P-384 (secp384r1/prime384v1) +* NIST P-521 (secp521r1/prime521v1) * brainpoolp256r1 * brainpoolp384r1 * brainpoolp512r1 -* SECP256K1 (Test release) +* secp256k1 (Test release) TODO: maybe + a link to the product page or data-sheet table for comparison - - - From 0c4ed92fea9207cd45277ceccfdb23ec1c2875ad Mon Sep 17 00:00:00 2001 From: simon Date: Wed, 25 Dec 2024 17:16:51 +0100 Subject: [PATCH 3/5] adding table and fixing algorithm naming --- .../components/nitrokeys/nitrokey3/index.rst | 2 +- .../nitrokeys/nitrokey3/secure-element.rst | 59 +++++++++++++------ 2 files changed, 43 insertions(+), 18 deletions(-) diff --git a/source/components/nitrokeys/nitrokey3/index.rst b/source/components/nitrokeys/nitrokey3/index.rst index 11be1716d8..ab2c93ad45 100644 --- a/source/components/nitrokeys/nitrokey3/index.rst +++ b/source/components/nitrokeys/nitrokey3/index.rst @@ -23,7 +23,7 @@ and the product guides: Set Pins nitropy Reset - The Secure Element + Secure Element Troubleshooting or check out the features: 
diff --git a/source/components/nitrokeys/nitrokey3/secure-element.rst b/source/components/nitrokeys/nitrokey3/secure-element.rst index dbe75908dc..5333b31f80 100644 --- a/source/components/nitrokeys/nitrokey3/secure-element.rst +++ b/source/components/nitrokeys/nitrokey3/secure-element.rst 
@@ -1,18 +1,21 @@ -SE05 Secure Element -=================== +SE05x Secure Element +==================== .. contents:: :local: The Secure Element is a tamper-resistant secure element designed by NXP Semiconductors that provides advanced security features. It offers hardware-based security functions including cryptographic operations, secure key storage, and protection against physical and logical attacks. -The SE05 Secure Element is certified to Common Criteria EAL 6+ security level and includes features like RSA, ECC, AES, and SHA algorithms, making it ideal for the Nitrokey 3. +The SE05X Secure Element is certified to Common Criteria EAL 6+ security level and includes features like RSA, ECC, AES, and SHA algorithms, making it ideal for the Nitrokey 3. It usage is optional and provides faster performance and some additional features. Currently only OpenPGP Card and PIV are using the Secure Element. PIV depends on the Secure Element and does not run without it being enabled and OpenPGP Card can be configured to use the Secure Element or not. Passwords and FIDO2 are not making use of it. +You can read more information about the Secure Element itself here `SE050 `__. + Activation and Deactivation --------------------------- -The Secure Element is enabled by default if no key in OpenPGP Card and PIV is already saved on the device. This is automatically the case after reset of the OpenPGP Card or the whole device. Manually activating the Secure Element for the OpenPGP Card will delete all current keys. +The Secure Element is enabled by default if no key in OpenPGP Card and PIV is already saved on the device. +This is automatically the case after reset of the OpenPGP Card or the whole device. Manually activating the Secure Element for the OpenPGP Card will delete all current keys. To check whether the Secure Element is activated run: 
@@ -29,17 +32,39 @@ To disable the Secure Element: Additional Features ------------------- -The following algorithms can only be used with the Secure Element being enabled: - -* RSA-3072 -* RSA-4096 -* NIST P-384 (secp384r1/prime384v1) -* NIST P-521 (secp521r1/prime521v1) -* brainpoolp256r1 -* brainpoolp384r1 -* brainpoolp512r1 -* secp256k1 (Test release) ++-----------------------------------------+---------------------+------------------------+ +| Algorithm | With Secure Element | Without Secure Element | ++=========================================+=====================+========================+ +| RSA 2048 bit | ✓ | ✓ | ++-----------------------------------------+---------------------+------------------------+ +| RSA 3072 bit | ✓ | ⨯ | ++-----------------------------------------+---------------------+------------------------+ +| RSA 4096 bit | ✓ | ⨯ | ++-----------------------------------------+---------------------+------------------------+ +| ECC 256-521 bit | ✓ | ✓ | ++-----------------------------------------+---------------------+------------------------+ +| AES 128/256 bit | ✓ | ✓ | ++-----------------------------------------+---------------------+------------------------+ +| SHA 256/384/512 bit | ✓ | ✓ | ++-----------------------------------------+---------------------+------------------------+ +| NIST P-256 (secp256r1/prime256v1) | ✓ | ✓ | ++-----------------------------------------+---------------------+------------------------+ +| NIST P-384 (secp384r1/prime384v1) | ✓ | ⨯ | ++-----------------------------------------+---------------------+------------------------+ +| NIST P-521 (secp521r1/prime521v1) | ✓ | ⨯ | ++-----------------------------------------+---------------------+------------------------+ +| Ed25519/Curve25519 | ✓ | ✓ | ++-----------------------------------------+---------------------+------------------------+ +| brainpoolP256r1 | ✓ | ⨯ | ++-----------------------------------------+---------------------+------------------------+ +| 
brainpoolP384r1 | ✓ | ⨯ | ++-----------------------------------------+---------------------+------------------------+ +| brainpoolP512r1 | ✓ | ⨯ | ++-----------------------------------------+---------------------+------------------------+ +| HOTP (RFC 4226) | ✓ | ✓ | ++-----------------------------------------+---------------------+------------------------+ +| TOTP (RFC 6238) | ✓ | ✓ | ++-----------------------------------------+---------------------+------------------------+ +| Physical random number generator (TRNG) | ✓ | ✓ | ++-----------------------------------------+---------------------+------------------------+ -TODO: - maybe + a link to the product page or data-sheet - table for comparison From b3455f23815df36ee8b75a0b8742e104e38e7a8c Mon Sep 17 00:00:00 2001 From: simon Date: Sat, 11 Jan 2025 19:41:02 +0100 Subject: [PATCH 4/5] emphasized the SE can be disabled for OpenPGP only --- .../nitrokeys/nitrokey3/secure-element.rst | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/source/components/nitrokeys/nitrokey3/secure-element.rst b/source/components/nitrokeys/nitrokey3/secure-element.rst index 5333b31f80..4435903e66 100644 --- a/source/components/nitrokeys/nitrokey3/secure-element.rst +++ b/source/components/nitrokeys/nitrokey3/secure-element.rst 
@@ -6,18 +6,18 @@ SE05x Secure Element The Secure Element is a tamper-resistant secure element designed by NXP Semiconductors that provides advanced security features. It offers hardware-based security functions including cryptographic operations, secure key storage, and protection against physical and logical attacks. The SE05X Secure Element is certified to Common Criteria EAL 6+ security level and includes features like RSA, ECC, AES, and SHA algorithms, making it ideal for the Nitrokey 3. -It usage is optional and provides faster performance and some additional features. -Currently only OpenPGP Card and PIV are using the Secure Element. PIV depends on the Secure Element and does not run without it being enabled and OpenPGP Card can be configured to use the Secure Element or not. Passwords and FIDO2 are not making use of it. +PIV depends on the Secure Element. OpenPGP Card can be configured to use the Secure Element or not. +Passwords and FIDO2 are not depended of it, but it is used for specific use cases, like additional randomness. You can read more information about the Secure Element itself here `SE050 `__. -Activation and Deactivation ---------------------------- +Activation/Deactivation for OpenPGP +----------------------------------- The Secure Element is enabled by default if no key in OpenPGP Card and PIV is already saved on the device. This is automatically the case after reset of the OpenPGP Card or the whole device. Manually activating the Secure Element for the OpenPGP Card will delete all current keys. -To check whether the Secure Element is activated run: +To check whether the Secure Element for OpenPGP is activated run: * nitropy nk3 get-config opcard.use_se050_backend 
@@ -29,8 +29,8 @@ To disable the Secure Element: * nitropy nk3 set-config opcard.use_se050_backend false -Additional Features -------------------- +Algorithm Overview +------------------ +-----------------------------------------+---------------------+------------------------+ | Algorithm | With Secure Element | Without Secure Element | From 26096ff4897325720f432f6d71cab626a6d345f4 Mon Sep 17 00:00:00 2001 From: jans23 Date: Sun, 12 Jan 2025 17:35:10 +0100 Subject: [PATCH 5/5] Update secure-element.rst --- .../nitrokeys/nitrokey3/secure-element.rst | 19 +++++++------------ 1 file changed, 7 insertions(+), 12 deletions(-) diff --git a/source/components/nitrokeys/nitrokey3/secure-element.rst b/source/components/nitrokeys/nitrokey3/secure-element.rst index 4435903e66..e29cf0f0b8 100644 --- a/source/components/nitrokeys/nitrokey3/secure-element.rst +++ b/source/components/nitrokeys/nitrokey3/secure-element.rst 
@@ -1,21 +1,16 @@ -SE05x Secure Element +Secure Element SE05x ==================== .. contents:: :local: -The Secure Element is a tamper-resistant secure element designed by NXP Semiconductors that provides advanced security features. -It offers hardware-based security functions including cryptographic operations, secure key storage, and protection against physical and logical attacks. -The SE05X Secure Element is certified to Common Criteria EAL 6+ security level and includes features like RSA, ECC, AES, and SHA algorithms, making it ideal for the Nitrokey 3. +The Secure Element `SE050 `__ is a tamper-resistant chip by NXP Semiconductors that provides advanced security features. It offers hardware-based security functions including cryptographic operations, secure key storage, and protection against physical and logical attacks. The SE05X Secure Element is certified to Common Criteria EAL 6+ security level and implements algorithms like RSA, ECC, AES, and SHA, making it ideal for the Nitrokey 3. -PIV depends on the Secure Element. OpenPGP Card can be configured to use the Secure Element or not. -Passwords and FIDO2 are not depended of it, but it is used for specific use cases, like additional randomness. - -You can read more information about the Secure Element itself here `SE050 `__. +PIV uses the Secure Element. OpenPGP Card can be configured to use the Secure Element or not in which case a software-only implementation is used. Passwords and FIDO2 don't use the Secure Element, but it is used for specific use cases, like additional randomness. Activation/Deactivation for OpenPGP ----------------------------------- -The Secure Element is enabled by default if no key in OpenPGP Card and PIV is already saved on the device. -This is automatically the case after reset of the OpenPGP Card or the whole device. Manually activating the Secure Element for the OpenPGP Card will delete all current keys. 
+The Secure Element is enabled by default if no cryptographic key in OpenPGP Card and PIV is already saved on the device. +This is automatically the case after resetting the OpenPGP Card or the whole Nitrokey. Manually activating the Secure Element for the OpenPGP Card will delete all existing keys. To check whether the Secure Element for OpenPGP is activated run: @@ -29,8 +24,8 @@ To disable the Secure Element: * nitropy nk3 set-config opcard.use_se050_backend false -Algorithm Overview ------------------- +Algorithms +---------- +-----------------------------------------+---------------------+------------------------+ | Algorithm | With Secure Element | Without Secure Element |
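Review bot: The toctree entry `The Secure Element` added in the index.rst hunk of PATCH 1/5 does not match the page title `SE050 Secure Element` introduced in the same patch, and after PATCH 3/5 (`Secure Element`) and PATCH 5/5 (`Secure Element SE05x`) the two still differ; keep the entry text and the page title identical so the sidebar and the page agree.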
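Review bot: In the secure-element.rst hunk of PATCH 1/5, the `NIST P-521` bullet carries the aliases of three different curves (`secp256r1/prime256v1, secp384r1/prime384v1, secp521r1/prime521v1`), which both misattributes P-256 and P-384 to the P-521 entry and lists P-256 as Secure-Element-only even though no separate P-256 bullet exists; give each curve its own alias, as PATCH 2/5 later does. Same hunk: `It usage is optional` should read `Its usage is optional`, `of which current only` should read `of which currently only`, and `SE50 enabled` should read `SE050 enabled`.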
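Review bot: The `nitropy nk3 get-config opcard.use_se050_backend` and `nitropy nk3 set-config opcard.use_se050_backend true|false` commands introduced in PATCH 1/5 and carried unchanged through PATCH 5/5 are written as `*` bullet items, so they render as prose rather than as commands; put each one in a literal block (`::` followed by an indented line, or `.. code-block:: bash`) so the option name `opcard.use_se050_backend` is shown verbatim and can be copied, and state what `get-config` prints for the enabled and disabled states so the reader can interpret the check.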
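Review bot: In the PATCH 2/5 hunk, `The Secure Element is enabled by default if no key in OpenPGP Card and PIV is already saved on the device` reads as if both apps must hold a key for the default to change; if the intended condition is that neither app holds a key, write `no key in OpenPGP Card or PIV` (the wording survives into PATCH 5/5 as `no cryptographic key in OpenPGP Card and PIV`). The same hunk adds the run-on `PIV depends on the Secure Element and does not run without it being enabled and OpenPGP Card can be configured to use the Secure Element or not.`; split it into two sentences. The qualifier `secp256k1 (Test release)` does not say which release it refers to; name the firmware release or drop the bullet until the curve ships.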
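Review bot: In the first secure-element.rst hunk of PATCH 3/5, the added reference `` `SE050 `__ `` shows no `<URL>` target in the hunk; an anonymous reference without a matching target makes docutils report an anonymous hyperlink mismatch, so confirm the target is present in the committed file. Same hunk: the title says `SE05x` while the body says `SE05X`; pick one casing (PATCH 5/5 keeps the inconsistency).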
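Review bot: The table added in the second secure-element.rst hunk of PATCH 3/5 contradicts itself: `ECC 256-521 bit` is marked ✓ in the `Without Secure Element` column, yet the `NIST P-384`, `NIST P-521`, `brainpoolP256r1`, `brainpoolP384r1` and `brainpoolP512r1` rows below are marked ⨯ without it. Either drop the summary `ECC 256-521 bit` row or restrict it to what the rows below say the software backend supports (P-256 and Ed25519/Curve25519). Also, the `With Secure Element` / `Without Secure Element` distinction only exists for OpenPGP Card, since the same page says PIV requires the Secure Element; add a sentence above the table saying that the columns describe the OpenPGP Card app. Finally, `HOTP (RFC 4226)`, `TOTP (RFC 6238)` and `Physical random number generator (TRNG)` are not algorithms of the OpenPGP Card/PIV backends; if they stay, retitle the first column (e.g. `Algorithm / Feature`) and drop the unit `bit` from the `SHA 256/384/512 bit` row, which names digest lengths, not key sizes.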
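Review bot: In the first hunk of PATCH 4/5, `Passwords and FIDO2 are not depended of it` should read `do not depend on it`. The heading is narrowed to `Activation/Deactivation for OpenPGP` and the check prompt gains `for OpenPGP`, but the unchanged enable/disable prompts (`To enable the Secure Element:` / `To disable the Secure Element:`) and the default-enabled sentence still read as device-wide; qualify them the same way. The hunk also states that manually activating the Secure Element for OpenPGP Card deletes all current keys but says nothing about deactivation; state explicitly whether `nitropy nk3 set-config opcard.use_se050_backend false` also wipes existing keys, and put the key-deletion statement in a `.. warning::` admonition immediately before the commands, since a reader following the steps would otherwise lose their OpenPGP keys without a prominent notice.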
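Review bot: In the first hunk of PATCH 5/5, `Passwords and FIDO2 don't use the Secure Element, but it is used for specific use cases, like additional randomness` contradicts itself; write e.g. `Passwords and FIDO2 use the Secure Element only for specific purposes, such as additional randomness`. `can be configured to use the Secure Element or not in which case a software-only implementation is used` needs a comma before `in which case`. Since the hunk now mentions the software-only fallback for OpenPGP Card, restore a sentence on what the reader gains from keeping the Secure Element enabled; the line dropped in PATCH 4/5 (`It usage is optional and provides faster performance and some additional features.`) carried that information, and the algorithm table alone does not say which of the two backends keeps private keys inside the tamper-resistant chip.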