Key & Seed Management
LOAD KEY
The Load Key command in Cryptnox is used to securely load a cryptographic key into the device’s secure element. This operation is essential for initializing, updating, or configuring the device with cryptographic material needed for its operations.
Once you are done running this command, the 2 cards will have a common seed, SHA256( ECDH). As a result, one card becomes a backup of the other. The common seed can be checked by deriving a path and reading the matching blockchain public keys of the cards.
The computer facilitating the transfer or exchange cannot compute the Seed Administration because it is protected using Elliptic Curve Diffie-Hellman (ECDH). Additionally, the computer cannot participate in the key exchange since this process requires a signature generated with a secret key stored exclusively within the paired cards’ secure elements, which cannot be extracted.
The following code snippet represents this command in the relevant language set:
from cryptnoxpy import Card
# Initialize the card
card = Card()
# Define your 32-byte seed and PIN
seed = bytes.fromhex('your_32_byte_seed_in_hex')
pin = 'your_pin'
# Load the seed into the card
card.load_seed(seed, pin)
📘 Note
- Secure channel must be open.
- The user PIN must be provided if no the user keys were not authenticated.
Python:
- The load_seed method allows you to load a 32-byte seed into the card, enabling key derivation and cryptographic operations.
- Make sure that the cryptnoxpy library is installed in your Python environment. You can find more details and documentation in the [Cryptnoxpy GitHub repository](cryptnoxpy GitHub repository).
In the above example,
- Replace ‘your_32_byte_seed_in_hex’ with your actual 32-byte seed in hexadecimal format.
- Replace ‘your_pin’ with your card’s PIN.
Application Protocol Data Unit (APDU) Components
The following table outlines the components of the Application Protocol Data Unit (APDU).
Field | Description | Value |
CLA | This field specifies the class of the instruction. | 0x80 |
INS | This field specifies the particular command or operation that the smart card or secure element should execute. | 0xD0 This value writes the binary data to a file. |
P1 | First parameter of the instruction that specifies the details about the operation being requested. |
|
P2 | First parameter of the instruction that specifies additional details about the operation being requested. | 0x00 |
Data | Key data | PIN (if no user auth, 9 bytes padded). Refer to the ‘Data Values’ table below for more conditions around this field. |
📘 Prerequisites
- Secure channel must be open.
- PIN or challenge-response must be validated.
Data Values
The following table outlines the values for the Data field within the ADPU components based on some conditions:
Condition | Data Value | Additional Details |
P1 is 0x01 or 0x02 |
| The key source is set to:
|
P1 is 0x03 | A 16 to 64 byte seed seed administration byte sequence generated according to the BIP39 specifications. | The master key node pairs will be computed according to the SLIP10 standard and will be compatible with the BIP32 specification. One master key is computed for k1 curve and r1 curve each. The key source is set to ‘L’ using this command with P1=3. |
P1 is 0x04 | The cards initializes the dual generation seed mode and sends back a public key to be used for the other card as the public counterpart. This public key is provided with an ECDSA signature with the basic group key. | No action around the key and seed loading is taken at this stage. The card only generates and sends a signed public key for the dual EC seed generation mode. 📘 📘 Note
|
P1 is 0x05 |
|
📘 📘 Note
|
Response
The following table outlines the possible responses that you will receive:
Response Code | Description |
0x9000 | Success |
0x63Cx | PIN is not valid. |
0x6A80 |
|
0x6A86 | P1 is invalid. |
0x6986 | A key/seed administration is already loaded. We recommend performing a reset if you receive this response. |