Possible to use offline without connecting to webserver? Also, ephemeral keystorage? #59
-
|
Hello, thank you for all your work on these firmwares, it is very exciting! I have flashed both an rpi pico and a esp32-s3 super mini board with the pico-hsm. However, I am mostly interested in using these with ssh operations, which don't require any infrastructure as far as PKI goes. Is it possible to use the firmware without loading the certificate your webservice signs for them? Or possibly to make a guide on how to self-host the webservice? Thank you! This is related to another idea I had. I have a machine that is always on unless it loses power, in which case I have to turn it back on myself, and usually when this happens I end up rebuilding it anyway. The idea is to give each boot of the machine its own set of keys, to avoid storing any of the secrets in the flash, and to have a device that forgets the keys when it is reset. This would not make sense for, for example, a FIDO use case, but for an HSM where the machine rarely powers off, it might make sense, and it would avoid any possibility that a compromise could result in the loss of the flash and a dump of the keys. If the machine powers off, the keys must then be loaded from a backup or redistributed. |
Beta Was this translation helpful? Give feedback.
Replies: 1 comment 4 replies
-
|
The device certificate is needed to attestate all the keys. This is only needed the first time you initialize the device. After that, you don't need anymore this process as the certificate is already placed inside the device. This is the principle of hierarchical key derivation, used by Bitcoin and cryptowallets and specified in BIPS specs. Pico HSM supports it via extended commands but at least you will always need 1 key stored at the device, the seed key, where all the subkeys derive from. |
Beta Was this translation helpful? Give feedback.
-
|
Thank you, I read your response here . Would you accept a PR or maybe there is a way to use a self-signed certificate somehow instead that is generated at the time of initialization, so that I can initialize a device completely offline? It looks like much of the code to make a local pki is already available in pycvc, and the local CA creation part could be added to pico-hsm-tool? I can try it myself but maybe I am missing some important detail. I appreciate your guidance, thank you! |
Beta Was this translation helpful? Give feedback.
-
|
It can be initialized completely offline. In other words, you do not need the online PKI to upload the attestation certificate. During the initialization, the Pico HSM generates a self-signed certificate for attestation. Later, it is replaced by the online one signed by the the CA but this is not a mandatory step to make it work. |
Beta Was this translation helpful? Give feedback.
-
|
I initially tried with pkcs11-tool on an es32-s3. It didn't work as I expected, but after using the python script it worked like a charm. I may have made a different error, I will try again. |
Beta Was this translation helpful? Give feedback.
-
|
I found a bug during the initialization and this is why it did not work the first time. Now, it is fixed and the terminal is properly initialized (via SCS3 or OpenSC or pico-hsm-tool) with a self-signed device certificate. If pico-hsm-tool is used, it is replaced by a certificate signed by a CA. Fixed in 4ec1d4d |
Beta Was this translation helpful? Give feedback.
It can be initialized completely offline. In other words, you do not need the online PKI to upload the attestation certificate. During the initialization, the Pico HSM generates a self-signed certificate for attestation. Later, it is replaced by the online one signed by the the CA but this is not a mandatory step to make it work.
You can initialize the device by using other tools such as SCS3 or OpenSC. If you are not interested in providing attestation, then is not relevant to you.