adding basic draft for SE05 specific documentation #358
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
jans23
reviewed
Dec 15, 2024
|
|
||
| Activation and Deactivation | ||
| --------------------------- | ||
| The SE550 is enabled by default if no key is already saved on the device. This is automatically the case after reset of the opcard or the whole device. Activating the SE50 will delete all current keys. |
There was a problem hiding this comment.
Unclear which keys you talk about. FIDO keys? PIV keys?
OPCard is a developer terminology but not expected to be known by users.
| The following Elliptic Curve algorithms can only be used with the SE50 enabled: | ||
|
|
||
| * NIST P-384 | ||
| * NIST P-521 (secp256r1/prime256v1, secp384r1/prime384v1, secp521r1/prime521v1) |
There was a problem hiding this comment.
different key lengths are mixed.
There was a problem hiding this comment.
taken this from the shop page https://shop.nitrokey.com/shop/nk3cn-nitrokey-3c-nfc-148#attr= maybe we should fix it there too
nitrosimon
force-pushed
the
issue302
branch
5 times, most recently
from
fe2f83d to
d2782f6
Compare
jans23
changed the title
jans23
reviewed
Dec 26, 2024
jans23
reviewed
Dec 26, 2024
sosthene-nitrokey
requested changes
Jan 6, 2025
| The SE05X Secure Element is certified to Common Criteria EAL 6+ security level and includes features like RSA, ECC, AES, and SHA algorithms, making it ideal for the Nitrokey 3. | ||
| It usage is optional and provides faster performance and some additional features. | ||
|
|
||
| Currently only OpenPGP Card and PIV are using the Secure Element. PIV depends on the Secure Element and does not run without it being enabled and OpenPGP Card can be configured to use the Secure Element or not. Passwords and FIDO2 are not making use of it. |
There was a problem hiding this comment.
It is a bit weird to say "PIV depends on the Secure Element and does not run without it being enabled", since the secure element is always "enabled", it's just not always in use for applications (and it's used for seeding the randomness).
| The Secure Element is enabled by default if no key in OpenPGP Card and PIV is already saved on the device. | ||
| This is automatically the case after reset of the OpenPGP Card or the whole device. Manually activating the Secure Element for the OpenPGP Card will delete all current keys. | ||
|
|
||
| To check whether the Secure Element is activated run: |
There was a problem hiding this comment.
Suggested change
| To check whether the Secure Element is activated run: | |
| To check whether the Secure Element for the OpenPGP Card is activated run: |
jans23
reviewed
Jan 6, 2025
jans23
reviewed
Jan 12, 2025
|
|
||
| The Secure Element `SE050 <https://www.nxp.com/products/SE050>`__ is a tamper-resistant chip by NXP Semiconductors that provides advanced security features. It offers hardware-based security functions including cryptographic operations, secure key storage, and protection against physical and logical attacks. The SE05X Secure Element is certified to Common Criteria EAL 6+ security level and implements algorithms like RSA, ECC, AES, and SHA, making it ideal for the Nitrokey 3. | ||
|
|
||
| PIV uses the Secure Element. OpenPGP Card can be configured to use the Secure Element or not in which case a software-only implementation is used. Passwords and FIDO2 don't use the Secure Element, but it is used for specific use cases, like additional randomness. |
There was a problem hiding this comment.
... specific use cases, like additional randomness
Which other use cases?
jans23
reviewed
Jan 12, 2025
| Activation/Deactivation for OpenPGP | ||
| ----------------------------------- | ||
| The Secure Element is enabled by default if no cryptographic key in OpenPGP Card and PIV is already saved on the device. | ||
| This is automatically the case after resetting the OpenPGP Card or the whole Nitrokey. Manually activating the Secure Element for the OpenPGP Card will delete all existing keys. |
There was a problem hiding this comment.
Manually activating the Secure Element for the OpenPGP Card will delete all existing keys.
Better make this a warning block.
jans23
reviewed
Jan 12, 2025
| +-----------------------------------------+---------------------+------------------------+ | ||
| | RSA 4096 bit | ✓ | ⨯ | | ||
| +-----------------------------------------+---------------------+------------------------+ | ||
| | ECC 256-521 bit | ✓ | ✓ | |
There was a problem hiding this comment.
What is ECC exactly? I assume this is covered by the ciphers below already.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
fixes #302