mirror of
https://github.com/tillitis/tillitis-key1.git
synced 2025-01-04 12:20:54 -05:00
Improve wording of what makes TK1 unique
Signed-off-by: Joachim Strömbergson <joachim@assured.se>
This commit is contained in:
parent
8179f40642
commit
9760ebeea4
47
README.md
47
README.md
@ -2,26 +2,39 @@
|
|||||||
|
|
||||||
## Introduction
|
## Introduction
|
||||||
|
|
||||||
Tillitis Key 1 is a new kind of USB security token. All of its
|
Tillitis Key 1 (TK1) is a new kind of USB security token. What makes
|
||||||
software, FPGA logic, schematics, and PCB layout are open source, as
|
the TK1unique is that it allows a user to load and run applications on
|
||||||
all security software and hardware should be. This in itself makes it
|
the device, while still providing security. This allow for open ended,
|
||||||
different, as other security tokens utilize closed source hardware for
|
flexible usage. Given the right application, the TK1 can support use
|
||||||
its security-critical operations.
|
cases such as SSH login, Ed25519 signing, Root of Trust, FIDO2, TOTP,
|
||||||
|
Passkey and more.
|
||||||
|
|
||||||
What makes the Tillitis Key 1 security token unique is that it doesn’t
|
During the load operation, the device measures the application
|
||||||
verify applications, it measures them (hashes a digest over the
|
(calculates a cryptographic hash digest over the) before running
|
||||||
binary), before running them on its open hardware security processor.
|
it on the open hardware security processor. This measurement
|
||||||
|
is similar to [TCG DICE](https://trustedcomputinggroup.org/work-groups/dice-architectures/).
|
||||||
|
|
||||||
Each security token contains a Unique Device Secret (UDS), which
|
Each TK1 device contains a Unique Device Secret (UDS), which
|
||||||
together with an application measurement, and an optional
|
together with the application measurement, and an optional
|
||||||
user-provided seed, is used to derive key material unique to each
|
user-provided seed, is used to derive key material unique to each
|
||||||
application. This allows users to build and load their own apps, while
|
application. This guarantees that if the integrity of the application
|
||||||
ensuring that each app loaded will have its own cryptographic
|
loaded onto the device has been tampered with, the correct keys
|
||||||
identity. The design is similar to TCG DICE. The Tillitis Key 1
|
needed for an authentication will not be generated.
|
||||||
platform has 128 KB of RAM. The current firmware is designed to load
|
|
||||||
an app that is up to 100 KB in size, and gives it a stack of 28 KB. A
|
The key derivation with user provided seed allows users to build and
|
||||||
smaller app may want to move itself in memory to get larger continuous
|
load their own apps, while ensuring that each app loaded will have
|
||||||
memory.
|
its own cryptographic identity, and can also be used for authentication
|
||||||
|
towards different services.
|
||||||
|
|
||||||
|
The TK1 platform is based around a 32-bit RISC-V processor and has
|
||||||
|
128 KB of RAM. The current firmware is designed to load an app that is
|
||||||
|
up to 100 KB in size, and gives it a stack of 28 KB. A smaller app may
|
||||||
|
move itself in memory to get larger continuous memory.
|
||||||
|
|
||||||
|
All of the TK1 software, FPGA logic, schematics, and PCB layout are
|
||||||
|
open source, as all security software and hardware should be. This in
|
||||||
|
itself makes it different, as other security tokens utilize closed source
|
||||||
|
hardware for its security-critical operations.
|
||||||
|
|
||||||
![Tillitis Key 1 PCB, first implementation](doc/images/mta1-usb-v1.jpg)
|
![Tillitis Key 1 PCB, first implementation](doc/images/mta1-usb-v1.jpg)
|
||||||
*Tillitis Key 1 PCB, first implementation*
|
*Tillitis Key 1 PCB, first implementation*
|
||||||
|
Loading…
Reference in New Issue
Block a user