adding basic draft for SE05 specific documentation #358
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change | ||||
|---|---|---|---|---|---|---|
| @@ -0,0 +1,70 @@ | ||||||
| SE05x Secure Element | ||||||
| ==================== | ||||||
|
|
||||||
| .. contents:: :local: | ||||||
|
|
||||||
| The Secure Element is a tamper-resistant secure element designed by NXP Semiconductors that provides advanced security features. | ||||||
| It offers hardware-based security functions including cryptographic operations, secure key storage, and protection against physical and logical attacks. | ||||||
| The SE05X Secure Element is certified to Common Criteria EAL 6+ security level and includes features like RSA, ECC, AES, and SHA algorithms, making it ideal for the Nitrokey 3. | ||||||
| It usage is optional and provides faster performance and some additional features. | ||||||
|
|
||||||
| Currently only OpenPGP Card and PIV are using the Secure Element. PIV depends on the Secure Element and does not run without it being enabled and OpenPGP Card can be configured to use the Secure Element or not. Passwords and FIDO2 are not making use of it. | ||||||
|
|
||||||
| You can read more information about the Secure Element itself here `SE050 <https://www.nxp.com/products/SE050>`__. | ||||||
|
|
||||||
| Activation and Deactivation | ||||||
| --------------------------- | ||||||
| The Secure Element is enabled by default if no key in OpenPGP Card and PIV is already saved on the device. | ||||||
| This is automatically the case after reset of the OpenPGP Card or the whole device. Manually activating the Secure Element for the OpenPGP Card will delete all current keys. | ||||||
|
|
||||||
| To check whether the Secure Element is activated run: | ||||||
|
There was a problem hiding this comment.
Suggested change
|
||||||
|
|
||||||
| * nitropy nk3 get-config opcard.use_se050_backend | ||||||
|
|
||||||
| To enable the Secure Element: | ||||||
|
|
||||||
| * nitropy nk3 set-config opcard.use_se050_backend true | ||||||
|
|
||||||
| To disable the Secure Element: | ||||||
|
|
||||||
| * nitropy nk3 set-config opcard.use_se050_backend false | ||||||
|
|
||||||
| Additional Features | ||||||
jans23 marked this conversation as resolved.
Show resolved
Hide resolved
|
||||||
| ------------------- | ||||||
|
|
||||||
| +-----------------------------------------+---------------------+------------------------+ | ||||||
| | Algorithm | With Secure Element | Without Secure Element | | ||||||
| +=========================================+=====================+========================+ | ||||||
| | RSA 2048 bit | ✓ | ✓ | | ||||||
| +-----------------------------------------+---------------------+------------------------+ | ||||||
| | RSA 3072 bit | ✓ | ⨯ | | ||||||
| +-----------------------------------------+---------------------+------------------------+ | ||||||
| | RSA 4096 bit | ✓ | ⨯ | | ||||||
| +-----------------------------------------+---------------------+------------------------+ | ||||||
| | ECC 256-521 bit | ✓ | ✓ | | ||||||
|
There was a problem hiding this comment. What is ECC exactly? I assume this is covered by the ciphers below already. |
||||||
| +-----------------------------------------+---------------------+------------------------+ | ||||||
| | AES 128/256 bit | ✓ | ✓ | | ||||||
| +-----------------------------------------+---------------------+------------------------+ | ||||||
| | SHA 256/384/512 bit | ✓ | ✓ | | ||||||
| +-----------------------------------------+---------------------+------------------------+ | ||||||
| | NIST P-256 (secp256r1/prime256v1) | ✓ | ✓ | | ||||||
| +-----------------------------------------+---------------------+------------------------+ | ||||||
| | NIST P-384 (secp384r1/prime384v1) | ✓ | ⨯ | | ||||||
| +-----------------------------------------+---------------------+------------------------+ | ||||||
| | NIST P-521 (secp521r1/prime521v1) | ✓ | ⨯ | | ||||||
| +-----------------------------------------+---------------------+------------------------+ | ||||||
| | Ed25519/Curve25519 | ✓ | ✓ | | ||||||
| +-----------------------------------------+---------------------+------------------------+ | ||||||
| | brainpoolP256r1 | ✓ | ⨯ | | ||||||
| +-----------------------------------------+---------------------+------------------------+ | ||||||
| | brainpoolP384r1 | ✓ | ⨯ | | ||||||
| +-----------------------------------------+---------------------+------------------------+ | ||||||
| | brainpoolP512r1 | ✓ | ⨯ | | ||||||
| +-----------------------------------------+---------------------+------------------------+ | ||||||
| | HOTP (RFC 4226) | ✓ | ✓ | | ||||||
| +-----------------------------------------+---------------------+------------------------+ | ||||||
| | TOTP (RFC 6238) | ✓ | ✓ | | ||||||
| +-----------------------------------------+---------------------+------------------------+ | ||||||
| | Physical random number generator (TRNG) | ✓ | ✓ | | ||||||
| +-----------------------------------------+---------------------+------------------------+ | ||||||
|
|
||||||
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It is a bit weird to say "PIV depends on the Secure Element and does not run without it being enabled", since the secure element is always "enabled", it's just not always in use for applications (and it's used for seeding the randomness).