by dbrgn 1373 days ago
Are you aware of Trussed, an initiative by SoloKeys and Nitrokey? https://solokeys.com/blogs/news/trussed-announcement / https://trussed.dev/

From what I understand, this is an API to write applications against a common interface, which can run on different hardware devices. An abstraction layer for security key apps. Similar to Java Card, but in a more modern way. Is this something that would or could be compatible with Tillitis?

3 comments

I've been dreaming of an FPGA-based key since I read about Precursor. Not sure if it's yet possible to power it via NFC. But with this said, sharing at least the FIDO implementation would be outstanding.
Yes, I'm aware of it. I'm not sure if it's small enough for the Tillitis Key to be able to use it.
A bit off-topic: Can anyone recommend a platform that is production ready today, if I want to (develop and) deploy a custom Smartcard / HSM application in small scale? JavaCard seems to fit the bill, but I've not yet found an approachable tutorial.
JavaCard is the answer for smartcards. You can find example card software all over GitHub, and you're looking for the JavaCard SDK from Oracle and GlobalPlatformPro to program them: https://github.com/martinpaljak/GlobalPlatformPro. There's even an Ant task around somewhere that allows you to use Ant tooling. Blank cards with "developer"/default keys can be picked up pretty much anywhere.

Buy blank cards, write your applet, test in an emulator if you want, push to card, test for real with your software that talks to the card, profit. Be aware that if your goal is to write custom cryptography implementations in Java on the JavaCard, these will be prohibitively slow. No need to take my word for it, Niels Duif did exactly this: https://research.tue.nl/en/studentTheses/smart-card-implemen...

> Java Card proves to be a worthless platform for high-speed cryptography. Despite the speedups, generating a signature takes more than 28 minutes for a private key of 254 bits.

How is crypto done then? JavaCard provides APIs that do it, but these call implementations that either use coprocessors, or contain optimised implementations in the mask ROM. You can't program a mask ROM without doing a production run of smartcards in the hundreds of thousands. Small scale, this isn't possible.

HSM vendors will often sell SDKs for custom code, which you can add to certain models. The barrier to entry simply being that you need to buy an HSM, which isn't cheap. It can be done, however, and on the plus side in my experience of Thales HSMs this means actual C code, meaning performant implementation is possible.
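
Added example, not part of the thread and not code from any commenter: a minimal Java Card applet that signs through the platform's `javacard.security` API, the route the comment above describes, instead of implementing the arithmetic in Java. The package name, class name and `INS_SIGN` value are hypothetical, and it assumes a card that supports RSA-2048 and `ALG_RSA_SHA_256_PKCS1` (`getInstance` throws `CryptoException` otherwise).

```java
package example.signer; // hypothetical package name

import javacard.framework.*;
import javacard.security.*;

public class SignerApplet extends Applet {
    private static final byte INS_SIGN = (byte) 0x10; // hypothetical INS byte
    private static final short SIG_LEN = (short) 256;  // RSA-2048 signature size

    private final KeyPair keyPair;
    private final Signature signer;
    private final byte[] sig; // RAM scratch buffer, cleared on deselect

    private SignerApplet() {
        // Key generation runs in the card's own implementation; the private
        // key is created on the card and this applet offers no export command.
        keyPair = new KeyPair(KeyPair.ALG_RSA_CRT, KeyBuilder.LENGTH_RSA_2048);
        keyPair.genKeyPair();
        // Platform signature primitive (SHA-256 + PKCS#1 v1.5), not applet bytecode.
        signer = Signature.getInstance(Signature.ALG_RSA_SHA_256_PKCS1, false);
        sig = JCSystem.makeTransientByteArray(SIG_LEN, JCSystem.CLEAR_ON_DESELECT);
    }

    public static void install(byte[] bArray, short bOffset, byte bLength) {
        new SignerApplet().register();
    }

    public void process(APDU apdu) {
        if (selectingApplet()) {
            return;
        }
        byte[] buf = apdu.getBuffer();
        if (buf[ISO7816.OFFSET_INS] != INS_SIGN) {
            ISOException.throwIt(ISO7816.SW_INS_NOT_SUPPORTED);
        }
        // Assumes a short APDU whose data arrives in a single receive.
        short len = apdu.setIncomingAndReceive();
        // A deployed applet would require PIN verification before this point.
        signer.init(keyPair.getPrivate(), Signature.MODE_SIGN);
        short sigLen = signer.sign(buf, ISO7816.OFFSET_CDATA, len, sig, (short) 0);
        apdu.setOutgoing();
        apdu.setOutgoingLength(sigLen);
        apdu.sendBytesLong(sig, (short) 0, sigLen);
    }
}
```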

https://github.com/OpenSC/OpenSC

Note that "production ready" does not equate to "follow a YouTube video and write 17 lines of TypeScript." You need to know Java, you need to know crypto, and you need a few bucks to throw at the appropriate hardware. That said, the entire US DoD is built on JavaCard so it is as production grade as you can get.