Closed alireza11048 closed 3 years ago

Hi, I have a question about the OpenSK project.
If I've understood correctly (hopefully :)), in FIDO2 we should generate a key pair, send the public key to the FIDO2 server, and save the private key in the security key.
My question is, where are the private keys stored in OpenSK (are they stored in the flash of the micro)?
If yes, suppose we have some Tock application alongside the OpenSK application; is there any method to prevent other applications from accessing the security keys? Or can we read the keys through JTAG as simply as we read the content of flash?
Thanks

Hi! Generally, you can read the private keys through JTAG or with a concurrent Tock app. It is possible to lock down OpenSK further to prevent that. At the moment, OpenSK flashed to a Nordic dongle is not hardened against a local attacker; it only protects against phishing, password stuffing, etc.
To answer the original question, there are two types of credentials: resident and server-side. Resident keys are, as you described, written to our flash storage. Server-side credentials are encrypted with a master key that is written to flash and stored at the server. Consequently, extracting the content of the flash storage leads to access to both types.
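The maintainer's reply distinguishes resident credentials (private key kept in flash) from server-side credentials (private key wrapped with a master key that lives in flash, with the wrapped blob handed to the server as the credential ID). The toy model below is an added example written for this thread; it is not OpenSK code and does not mirror OpenSK's storage format or cipher. It uses a constructed HMAC-SHA256 counter-mode keystream as the wrapping primitive (a stand-in, not an authenticated cipher) purely to show which secrets a flash image contains, and `recover_from_flash_image` makes the reply's conclusion concrete: anyone holding the flash contents and the server's credential IDs can derive both credential types, so hardening must address local flash and key access, not only the wrapping scheme.

```python
"""Toy model of resident vs. server-side (wrapped) FIDO2 credentials.

Added illustration for the discussion above; not OpenSK's real storage
layout or cryptography. Standard library only, so it runs offline.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Tuple

NONCE_LEN = 16


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Constructed stand-in for a cipher: HMAC-SHA256 in counter mode."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def wrap(master_key: bytes, data: bytes, nonce: bytes) -> bytes:
    """XOR with the keystream; the same call unwraps (symmetric)."""
    return bytes(a ^ b for a, b in zip(data, _keystream(master_key, nonce, len(data))))


class ToyAuthenticatorFlash:
    """Everything an attacker would obtain by dumping the flash image."""

    def __init__(self, master_key: bytes):
        self.master_key = master_key                       # lives in flash
        self.resident: Dict[bytes, Tuple[str, bytes]] = {}  # cred_id -> (rp_id, private key), also in flash

    def make_credential(self, rp_id: str, resident: bool) -> Tuple[bytes, bytes]:
        """Return (credential_id, private_key). Only credential_id leaves the device."""
        private_key = secrets.token_bytes(32)
        if resident:
            cred_id = secrets.token_bytes(16)
            self.resident[cred_id] = (rp_id, private_key)
            return cred_id, private_key
        # Server-side credential: the private key travels inside the credential ID,
        # wrapped under the master key, so the device keeps no per-credential state.
        nonce = secrets.token_bytes(NONCE_LEN)
        cred_id = nonce + wrap(self.master_key, private_key, nonce)
        return cred_id, private_key

    def get_private_key(self, cred_id: bytes) -> bytes:
        """What the authenticator does during an assertion."""
        if cred_id in self.resident:
            return self.resident[cred_id][1]
        nonce, blob = cred_id[:NONCE_LEN], cred_id[NONCE_LEN:]
        return wrap(self.master_key, blob, nonce)


def recover_from_flash_image(flash: ToyAuthenticatorFlash, server_cred_ids) -> Dict[bytes, bytes]:
    """Model of the reply's conclusion: a flash image (master key + resident store)
    plus the credential IDs a server holds yields every private key."""
    recovered = {cred_id: priv for cred_id, (_rp, priv) in flash.resident.items()}
    for cred_id in server_cred_ids:
        nonce, blob = cred_id[:NONCE_LEN], cred_id[NONCE_LEN:]
        recovered[cred_id] = wrap(flash.master_key, blob, nonce)
    return recovered


def demo() -> bool:
    """Create one credential of each type and check both fall to a flash dump."""
    flash = ToyAuthenticatorFlash(master_key=secrets.token_bytes(32))
    res_id, res_priv = flash.make_credential("example.test", resident=True)
    srv_id, srv_priv = flash.make_credential("example.test", resident=False)
    assert flash.get_private_key(srv_id) == srv_priv  # normal assertion path works
    leaked = recover_from_flash_image(flash, server_cred_ids=[srv_id])
    return leaked[res_id] == res_priv and leaked[srv_id] == srv_priv


if __name__ == "__main__":
    print("both credential types recoverable from flash image:", demo())
```

The design point the model makes visible is that wrapping only moves the secret: a server-side credential is exactly as safe as the master key, and in this model the master key sits in the same flash as the resident keys. Protecting either type against a local attacker therefore requires keeping flash (or the master key) out of reach of JTAG and co-resident apps, which is the "lock down further" step the maintainer refers to.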