adding basic draft for SE05 specific documentation #358
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,65 @@ | ||
| Secure Element SE05x | ||
| ==================== | ||
|
|
||
| .. contents:: :local: | ||
|
|
||
| The Secure Element `SE050 <https://www.nxp.com/products/SE050>`__ is a tamper-resistant chip by NXP Semiconductors that provides advanced security features. It offers hardware-based security functions including cryptographic operations, secure key storage, and protection against physical and logical attacks. The SE05X Secure Element is certified to Common Criteria EAL 6+ security level and implements algorithms like RSA, ECC, AES, and SHA, making it ideal for the Nitrokey 3. | ||
|
|
||
| PIV uses the Secure Element. OpenPGP Card can be configured to use the Secure Element or not in which case a software-only implementation is used. Passwords and FIDO2 don't use the Secure Element, but it is used for specific use cases, like additional randomness. | ||
|
|
||
| Activation/Deactivation for OpenPGP | ||
| ----------------------------------- | ||
| The Secure Element is enabled by default if no cryptographic key in OpenPGP Card and PIV is already saved on the device. | ||
| This is automatically the case after resetting the OpenPGP Card or the whole Nitrokey. Manually activating the Secure Element for the OpenPGP Card will delete all existing keys. | ||
|
There was a problem hiding this comment.
Better make this a warning block. |
||
|
|
||
| To check whether the Secure Element for OpenPGP is activated run: | ||
|
|
||
| * nitropy nk3 get-config opcard.use_se050_backend | ||
|
|
||
| To enable the Secure Element: | ||
|
|
||
| * nitropy nk3 set-config opcard.use_se050_backend true | ||
|
|
||
| To disable the Secure Element: | ||
|
|
||
| * nitropy nk3 set-config opcard.use_se050_backend false | ||
|
|
||
| Algorithms | ||
| ---------- | ||
|
|
||
| +-----------------------------------------+---------------------+------------------------+ | ||
| | Algorithm | With Secure Element | Without Secure Element | | ||
| +=========================================+=====================+========================+ | ||
| | RSA 2048 bit | ✓ | ✓ | | ||
| +-----------------------------------------+---------------------+------------------------+ | ||
| | RSA 3072 bit | ✓ | ⨯ | | ||
| +-----------------------------------------+---------------------+------------------------+ | ||
| | RSA 4096 bit | ✓ | ⨯ | | ||
| +-----------------------------------------+---------------------+------------------------+ | ||
| | ECC 256-521 bit | ✓ | ✓ | | ||
|
There was a problem hiding this comment. What is ECC exactly? I assume this is covered by the ciphers below already. |
||
| +-----------------------------------------+---------------------+------------------------+ | ||
| | AES 128/256 bit | ✓ | ✓ | | ||
| +-----------------------------------------+---------------------+------------------------+ | ||
| | SHA 256/384/512 bit | ✓ | ✓ | | ||
| +-----------------------------------------+---------------------+------------------------+ | ||
| | NIST P-256 (secp256r1/prime256v1) | ✓ | ✓ | | ||
| +-----------------------------------------+---------------------+------------------------+ | ||
| | NIST P-384 (secp384r1/prime384v1) | ✓ | ⨯ | | ||
| +-----------------------------------------+---------------------+------------------------+ | ||
| | NIST P-521 (secp521r1/prime521v1) | ✓ | ⨯ | | ||
| +-----------------------------------------+---------------------+------------------------+ | ||
| | Ed25519/Curve25519 | ✓ | ✓ | | ||
| +-----------------------------------------+---------------------+------------------------+ | ||
| | brainpoolP256r1 | ✓ | ⨯ | | ||
| +-----------------------------------------+---------------------+------------------------+ | ||
| | brainpoolP384r1 | ✓ | ⨯ | | ||
| +-----------------------------------------+---------------------+------------------------+ | ||
| | brainpoolP512r1 | ✓ | ⨯ | | ||
| +-----------------------------------------+---------------------+------------------------+ | ||
| | HOTP (RFC 4226) | ✓ | ✓ | | ||
| +-----------------------------------------+---------------------+------------------------+ | ||
| | TOTP (RFC 6238) | ✓ | ✓ | | ||
| +-----------------------------------------+---------------------+------------------------+ | ||
| | Physical random number generator (TRNG) | ✓ | ✓ | | ||
| +-----------------------------------------+---------------------+------------------------+ | ||
|
|
||
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Which other use cases?