Single Card BIP 39 seed injection (mnemonic). 12 to 24 words
Internal single key generation from TRNG source (most secure). Beware: in this case, the BIP 32 seed is present only in a single card, with no possibility of extraction or backup.
Card administration
Change PIN
Change PUK
Reset card
Number of card pairings
256 cards max
Desktop application characteristics
Application for desktop
Command line interface for Windows, macOS and Linux (including Ubuntu Core)
Card technical specifications
Authentication
PIN (4 to 9 digits) / PUK (12 characters). Card power cycle needed after 3 wrong PIN entries. Card locked after 12 wrong PIN entries (4×3). Can be unlocked with the PUK.
Slot NIST256 R1 signature authentication (mobile phone secure element or PIV) x 1
Slot RSA2048 (Windows Hello TPM) x 1
Slot for WebAuthn/FIDO2 x 1
Option to set a dedicated derivation path which doesn’t require the PIN to sign.
Possibility to disable auth by PIN once a key slot is filled.
Secure channel
AES256 from Hash (ECDH, PairingKey)
With MAC
256-bit pairing key
Key in the card certificate tree
Custom user data
At initialisation: 20 + 60 bytes of user data fields (email/name)
6 custom bytes provided at SELECT
3600 bytes private data buffer
Digital signature
ECDSA on “Koblitz Bitcoin” 256 k1 curve
ECDSA on NIST P256 r1 curve
BIP 340 “Schnorr” signature (256k1)
EOS 32 bytes loop option
Key derivation
BIP 32 key derivation function, with SLIP10 standard for NIST 256R1 curve. Max derivation depth is 8 levels.
Random number generation
True Random Number Generator (AIS31 compliant)
Encryption/Decryption
ECIES using an EC key in the BIP32 tree. Based on DECipher from OpenPGP.
Authenticity
Dynamic card key authentication. Card is loaded with a unique card certificate signed by the factory root key.