Cryptnox Docs

Pairing & Secure Channel establishment

Once initialized, all operations involving sensitive data must occur over a Secure Channel. This channel provides encryption, integrity, and mutual authentication between the host and the card.

The pairing process proceeds as follows:

  1. The host selects the wallet applet.
  2. The host requests the Manufacturer Certificate to validate card authenticity.
  3. The host retrieves the Card Certificate, which contains the card’s ephemeral public key.
  4. The host sends its own session public key using the OPEN SECURE CHANNEL command.
  5. Both sides compute shared session keys using:
    AESkey‖MACkey = SHA-512(ECDHSecret ‖ PairingKey ‖ SessionSalt)
  6. The host and card exchange verification data using the MUTUALLY AUTHENTICATE command to confirm that both derived the same keys.

After successful verification, all subsequent communications are protected by AES-256 CBC encryption for confidentiality and AES-256 CMAC for integrity, with replay protection ensured by session nonces.
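The key derivation in step 5 and the key-confirmation idea in step 6, as an added example (not Cryptnox code): it shows that a host holding the wrong pairing key derives different session keys even when the ECDH secret is identical. Assumptions: the ECDH secret and salt are constructed byte strings, the 64-byte digest is split 32/32 in the order written in the formula, and `confirmation_tag` is a hypothetical HMAC stand-in for the MUTUALLY AUTHENTICATE verification data, whose real format is not given on this page.

```python
import hashlib
import hmac

KEY_LEN = 32  # AES-256 key size; SHA-512 yields 64 bytes = two 32-byte keys


def derive_session_keys(ecdh_secret, pairing_key, session_salt):
    """Split SHA-512(ECDHSecret || PairingKey || SessionSalt) into (AESkey, MACkey)."""
    if len(pairing_key) != 32:
        raise ValueError("pairing key must be 32 bytes")
    if not ecdh_secret or not session_salt:
        raise ValueError("ECDH secret and session salt must be non-empty")
    digest = hashlib.sha512(ecdh_secret + pairing_key + session_salt).digest()
    return digest[:KEY_LEN], digest[KEY_LEN:]


def confirmation_tag(mac_key, challenge):
    # Hypothetical stand-in for the MUTUALLY AUTHENTICATE verification data:
    # HMAC-SHA-256 over a challenge. The card's real message format differs.
    return hmac.new(mac_key, challenge, hashlib.sha256).digest()


def simulate_pairing(host_pairing_key, card_pairing_key):
    """Return True when host and card end up with the same session keys."""
    # Constructed sample values; a real session uses a fresh ECDH secret and salt.
    ecdh_secret = bytes.fromhex("11" * 32)
    session_salt = bytes.fromhex("22" * 32)
    challenge = b"constructed-challenge"
    host = derive_session_keys(ecdh_secret, host_pairing_key, session_salt)
    card = derive_session_keys(ecdh_secret, card_pairing_key, session_salt)
    # Each side proves knowledge of MACkey; compare the tags in constant time.
    return hmac.compare_digest(confirmation_tag(host[1], challenge),
                               confirmation_tag(card[1], challenge))


if __name__ == "__main__":
    paired = bytes.fromhex("aa" * 32)
    print("same pairing key :", simulate_pairing(paired, paired))
    print("wrong pairing key:", simulate_pairing(paired, bytes.fromhex("bb" * 32)))
```
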

Authentication (PIN, pairing key, user key, FIDO)

Authentication ensures that only authorized users or paired devices can access or perform cryptographic operations on the card.

Supported authentication methods include:

  • PIN: A 4–9 digit numeric code required before executing sensitive commands such as signing or seed management. The PIN remains valid for the duration of the session or until a signature is performed. Three incorrect attempts trigger a temporary lock, requiring a power cycle; another three incorrect attempts cause a permanent lock until the PUK is used.
  • PUK: A 12-character recovery code used to reset or unblock the PIN. Attempts are unlimited but rate-limited by enforced computational delays and power cycles to prevent brute force.
  • Pairing Key: A 32-byte key required to open the secure channel; not used for direct user authentication. If lost, it can be regenerated from the PUK using a SHA-256^32 derivation.
  • User Keys: External authentication keys (ECDSA, RSA, or FIDO2) uploaded to the card to require external approval before critical operations.
  • FIDO2 Authentication: A challenge–response mechanism where the card verifies a signature from an external FIDO2 authenticator (e.g., YubiKey, TPM, Secure Enclave) before authorizing specific operations.

This layered authentication model allows the Cryptnox card to support both user-level and device-level access control.