spmkey/SupportList.md

Features

Pico FIDO2 includes the following features:

FIDO2 / U2F / WebAuthn

  • CTAP 2.1 / CTAP 1
  • WebAuthn
  • U2F
  • HMAC-Secret extension
  • CredProtect extension
  • User presence enforcement through physical button
  • User verification with PIN
  • Discoverable credentials (resident keys)
  • Credential management
  • ECDSA and EdDSA authentication
  • Support for SECP256R1, SECP384R1, SECP521R1, SECP256K1 and Ed25519 curves
  • App registration and login
  • Device selection
  • Support for vendor configuration
  • Backup with 24 words
  • Secure lock to protect the device from flash dumps
  • pinUvAuthToken permissions support (MC, GA, CM, ACFG, LBW)
  • Authenticator configuration
  • minPinLength extension
  • Self attestation
  • Enterprise attestation
  • credBlobs extension
  • largeBlobKey extension
  • Large blobs support (2048 bytes max)
  • OATH (based on YKOATH protocol specification)
  • TOTP / HOTP
  • Yubikey One Time Password
  • Challenge-response generation
  • Emulated keyboard interface
  • Button press generates an OTP that is directly typed
  • Compatible with Yubico's YubiKey Manager (ykman)
  • Nitrokey nitropy and nitroapp compatible
  • Secure Boot and Secure Lock in RP2350 and ESP32-S3 MCUs
  • One-time programmable (OTP) memory to store the master key that encrypts all resident keys and seeds.
  • Rescue interface to allow recovery of the device if it becomes unresponsive or undetectable.
  • LED customization with Pico Commissioner.

OpenPGP Smartcard

  • OpenPGP card specification v3.4
  • 3 key slots (Signature, Encryption, Authentication)
  • RSA (2048, 3072, 4096), Ed25519 (EdDSA), Curve25519 (X25519 ECDH), ECDSA (NIST P-256, P-384, P-521)
  • Key generation on device
  • Key import/export
  • PIN and Admin PIN protection
  • Reset and Unblock functions
  • Works with GnuPG, SSH, S/MIME, and compatible tools
  • CCID over USB
  • Compatible with major OS (Linux, Windows, macOS)
  • Touch button for user presence confirmation (optional)
  • Open source

Security Considerations

The RP2350 and ESP32-S3 microcontrollers provide a secure environment when Secure Boot is enabled and, optionally, Secure Lock. With these enabled, the master key encryption key (MKEK) is stored in a one-time programmable (OTP) memory region that is inaccessible from outside the secure (signed) firmware. The MKEK is used to encrypt every private and secret key on the device, so a dump of the flash memory yields only ciphertext, and the key needed to decrypt it never appears in the dump.

The RP2040, by contrast, lacks this security hardware (no OTP key storage, no Secure Boot) and cannot offer the same protection. Everything on its flash, including private keys and any master key, can be read out with ordinary flash-dump tools. Encrypting the stored keys does not help here, because there is no protected location for the master key: it would have to sit in the same flash as the data it encrypts, and whoever dumps the flash gets both. Consequently, if an RP2040 device is stolen, all stored private and secret keys should be treated as exposed.
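The two profiles described above, modelled in Python as an added example (this is not Pico FIDO's own code). The wrapping construction (HMAC-SHA256 in counter mode plus an HMAC tag, standing in for the block cipher real firmware would use), the flash layout with its `MKEK:` and `RK:` markers, and the sample key material are all assumptions chosen for illustration. The `has_otp` flag is the only difference between the profiles: with it, the MKEK never reaches flash; without it, the MKEK has nowhere else to live, and an attacker who knows the open-source layout recovers the resident key from the dump.

```python
"""Why an OTP-resident master key matters: a model of the scheme above.

Added example, not Pico FIDO's code.  Assumptions: HMAC-SHA256 in counter
mode stands in for the block cipher a real firmware would use; the flash
layout with "MKEK:" / "RK:" markers is invented; the two profiles differ
only in whether the chip has an OTP region that a flash dump cannot reach.
"""
import hashlib
import hmac
import os
from typing import Optional

NONCE_LEN = 16
TAG_LEN = 32
MKEK_LEN = 32
MKEK_MARKER = b"MKEK:"  # constructed layout marker: MKEK written to flash
RK_MARKER = b"RK:"      # constructed layout marker: wrapped resident key


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (stand-in for AES-CTR)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _subkeys(mkek: bytes):
    # Separate encryption and MAC keys derived from the MKEK.
    return (hashlib.sha256(b"enc" + mkek).digest(),
            hashlib.sha256(b"mac" + mkek).digest())


def wrap(mkek: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(mkek)
    nonce = os.urandom(NONCE_LEN)
    ks = _keystream(enc_key, nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unwrap(mkek: bytes, blob: bytes) -> Optional[bytes]:
    """Verify the tag first; None on wrong MKEK, tampering or truncation."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        return None
    enc_key, mac_key = _subkeys(mkek)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    ks = _keystream(enc_key, nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


def build_flash_image(has_otp: bool, mkek: bytes, resident_key: bytes) -> bytes:
    """Simulated flash contents after provisioning one resident key.

    has_otp=True models the RP2350 / ESP32-S3 profile: the MKEK stays in OTP,
    so only the wrapped key is written to flash.  has_otp=False models the
    RP2040: with no protected storage the MKEK has to be written to flash too.
    """
    image = RK_MARKER + wrap(mkek, resident_key)
    if not has_otp:
        image = MKEK_MARKER + mkek + image
    return image


def attacker_recover(flash_image: bytes) -> Optional[bytes]:
    """What a flash dump yields to someone who knows the (open-source) layout."""
    if not flash_image.startswith(MKEK_MARKER):
        return None  # ciphertext only: the wrapping key never left OTP
    off = len(MKEK_MARKER)
    mkek = flash_image[off:off + MKEK_LEN]
    blob = flash_image[off + MKEK_LEN + len(RK_MARKER):]
    return unwrap(mkek, blob)


def simulate(has_otp: bool) -> dict:
    """Provision a key, dump the flash, and report what each party can do."""
    mkek = os.urandom(MKEK_LEN)      # burned into OTP, or written to flash
    resident_key = os.urandom(32)    # constructed: a private scalar
    image = build_flash_image(has_otp, mkek, resident_key)
    # The legitimate firmware always holds the MKEK and unwraps from flash.
    rk_off = (0 if has_otp else len(MKEK_MARKER) + MKEK_LEN) + len(RK_MARKER)
    return {
        "device_can_unwrap": unwrap(mkek, image[rk_off:]) == resident_key,
        "dump_reveals_key": attacker_recover(image) == resident_key,
    }


if __name__ == "__main__":
    print("RP2350/ESP32-S3 profile:", simulate(has_otp=True))
    print("RP2040 profile:         ", simulate(has_otp=False))
```

Running the block prints `dump_reveals_key: False` for the OTP profile and `True` for the RP2040 profile, while `device_can_unwrap` is `True` for both: the encryption is identical in the two cases, and the whole difference lies in whether the dump also contains the key that undoes it. The same reasoning applies to any scheme that derives the MKEK from something stored on the device; only material the dump cannot reach (OTP, or a secret the user supplies such as a PIN) adds protection.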