SmartCard-HSM Tool with key wrap / unwrap

SmartCard-HSM Tool with key wrap / unwrap

Andreas Schwier
Good evening,

we've created a pull request towards OpenSC/staging for adding the
SmartCard-HSM tool (sc-hsm-tool).

Using version 0.17 or higher, the SmartCard-HSM provides for a key wrap
/ unwrap mechanism that allows card-generated keys to be securely
exported and imported. Key values are encrypted under a 256-bit AES Device Key
Encryption Key (DKEK) and saved to file with key description and
optional certificate. From such a file, the key can be recreated in a
SmartCard-HSM that has been set up with the same DKEK.

Using this mechanism, one can securely back up keys or migrate keys
between different SmartCard-HSMs. This increases the capacity of the
device, as infrequently used keys can be exported and archived
externally. It also provides for redundancy and load balancing if keys
are replicated in a cluster of SmartCard-HSMs.

The DKEK can be recreated from a defined number of key shares. Such key
shares are created with sc-hsm-tool and saved to file using
password-based encryption.

Kind regards,

Andreas

--

    ---------    CardContact Software & System Consulting
   |.##> <##.|   Andreas Schwier
   |#       #|   Schülerweg 38
   |#       #|   32429 Minden, Germany
   |'##> <##'|   Phone +49 571 56149
    ---------    http://www.cardcontact.de
                 http://www.tscons.de
                 http://www.openscdp.org

_______________________________________________
opensc-devel mailing list
[hidden email]
http://www.opensc-project.org/mailman/listinfo/opensc-devel
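
Added illustration, not part of the original post and not OpenSC or SmartCard-HSM code: a host-side model of the key share mechanism the announcement describes, showing that every share must be present and how comparing key check values confirms two devices hold the same DKEK before a wrapped key is moved between them. The XOR combination of shares, the SHA-256-based check value and the names `DkekSlot`, `create_share` and `same_dkek` are assumptions of this example; the post does not specify them.

```python
# Added example: models DKEK assembly from key shares on the host.
# Assumptions (not stated in the post): shares are 32-byte random values
# combined by XOR, and the key check value (KCV) is the first 8 bytes of
# SHA-256 over the assembled key.
import hashlib
import secrets

DKEK_LEN = 32  # 256-bit AES key, as stated in the post


def create_share() -> bytes:
    """Generate one random key share (held by one key custodian)."""
    return secrets.token_bytes(DKEK_LEN)


class DkekSlot:
    """Models a device initialised to expect a fixed number of shares."""

    def __init__(self, expected_shares: int):
        if expected_shares < 1:
            raise ValueError("at least one share is required")
        self.outstanding = expected_shares
        self._acc = bytes(DKEK_LEN)  # all-zero accumulator

    def import_share(self, share: bytes) -> int:
        """XOR a share into the accumulator; return shares still missing."""
        if self.outstanding == 0:
            raise RuntimeError("DKEK already complete")
        if len(share) != DKEK_LEN:
            raise ValueError("share must be 32 bytes")
        self._acc = bytes(a ^ b for a, b in zip(self._acc, share))
        self.outstanding -= 1
        return self.outstanding

    def kcv(self) -> str:
        """Key check value; refused until every share has been imported."""
        if self.outstanding:
            raise RuntimeError(f"{self.outstanding} share(s) still missing")
        return hashlib.sha256(self._acc).hexdigest()[:16]


def same_dkek(a: DkekSlot, b: DkekSlot) -> bool:
    """Pre-migration check: a wrapped key is only usable under the same DKEK."""
    return secrets.compare_digest(a.kcv(), b.kcv())
```
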

Re: SmartCard-HSM Tool with key wrap / unwrap

Martin Paljak-4
Hello Andreas,

Is the applet available for download or cards with pre-loaded applet
on sale somewhere?

Martin


On Fri, Nov 9, 2012 at 7:33 PM, Andreas Schwier
<[hidden email]> wrote:

> Good evening,
>
> we've created a pull request towards OpenSC/staging for adding the
> SmartCard-HSM tool (sc-hsm-tool).
>
> Using version 0.17 or higher, the SmartCard-HSM provides for a key wrap
> / unwrap mechanism that allows card-generated keys to be securely
> exported and imported. Key values are encrypted under a 256-bit AES Device Key
> Encryption Key (DKEK) and saved to file with key description and
> optional certificate. From such a file, the key can be recreated in a
> SmartCard-HSM that has been set up with the same DKEK.
>
> Using this mechanism, one can securely back up keys or migrate keys
> between different SmartCard-HSMs. This increases the capacity of the
> device, as infrequently used keys can be exported and archived
> externally. It also provides for redundancy and load balancing if keys
> are replicated in a cluster of SmartCard-HSMs.
>
> The DKEK can be recreated from a defined number of key shares. Such key
> shares are created with sc-hsm-tool and saved to file using
> password-based encryption.
>
> Kind regards,
>
> Andreas

Re: SmartCard-HSM Tool with key wrap / unwrap

Andreas Schwier
Hi Martin,

cards and USB-sticks can be purchased at http://www.cardomatic.de/.

The product does not yet show up in the online shop, but you can contact
Karsten Niehusen directly (cc-ed above) for sales inquiries.

Andreas


On 22.11.2012 12:29, Martin Paljak wrote:

> Hello Andreas,
>
> Is the applet available for download or cards with pre-loaded applet
> on sale somewhere?
>
> Martin

