knox-hsm VS tkey-verification

Compare knox-hsm vs tkey-verification and see what are their differences.

knox-hsm

Circuits and hardware security modules formally verified with Knox 🔐 (by anishathalye)
Suggest topics
Source Code
anish.io
Suggest alternative
Edit details

tkey-verification

Vendor signing and user verification of TKey genuineness (by tillitis)
Suggest topics
Source Code
tillitis.se
Suggest alternative
Edit details
InfluxDB - Power Real-Time Data Analytics at Scale
Get real-time insights from all types of time series data with InfluxDB. Ingest, query, and analyze billions of data points in real-time with unbounded cardinality.
www.influxdata.com
featured
SaaSHub - Software Alternatives and Reviews
SaaSHub helps you find the best software and product alternatives
www.saashub.com
featured
knox-hsm tkey-verification
1 1
21 40
- -
5.3 0.0
2 months ago about 18 hours ago
Verilog Go
MIT License GNU General Public License v3.0 only
The number of mentions indicates the total number of mentions that we've tracked plus the number of user suggested alternatives.
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.

knox-hsm

Posts with mentions or reviews of knox-hsm. We have used some of these posts to build our list of alternatives and similar projects. The last one was on 2023-12-25.
  • TKey is a RISC-V computer in a USB-C case, that can run security applications
    2 projects | news.ycombinator.com | 25 Dec 2023
    This is really neat!

    We've been working on some research to formally verify the hardware/software of such devices [1, 2]. Neat how there are so many shared ideas: we also use a PicoRV32, run on an iCE40 FPGA, use UART for communication to/from the PicoRV32 to keep the security-critical part of the hardware simple, and use a separate MCU to convert between USB and UART.

    Interesting decision to make the device stateless. Given that the application keys are generated by combining the UDS, USS, and the hash of the application [3], it seems this rules out software updates? Was this an intentional tradeoff, to have a sort of "forward security"?

    In an earlier project I worked on [4], we had run into a similar issue (no space for this in the write-up though); there, we ended up using the following approach: applications are _signed_ by the developer (who can use any keypair they generate), the signature is checked at application load time, and the application-specific key is derived using the hash of the developer's public key instead of the hash of the application. This does have the downside that if the developer is compromised, an adversary can use this to sign a malicious application that can leak the key.

    [1]: https://github.com/anishathalye/knox-hsm

tkey-verification

Posts with mentions or reviews of tkey-verification. We have used some of these posts to build our list of alternatives and similar projects. The last one was on 2023-12-25.
  • TKey is a RISC-V computer in a USB-C case, that can run security applications
    2 projects | news.ycombinator.com | 25 Dec 2023
    Yes. I've described some of the flexibility characteristics elsewhere in this thread, but here's how you could do it:

    1. The ROM stage measures the first mutable application stage A1, and makes the Compound Device Identifier (CDI) available to A1. CDI=Hash(UDS, Hash(A1), USS).

    2. A1 creates a key pair for itself using CDI.

    3. A1 measures A2 and creates a key pair for A2.

    4. A1 signs A2's public key. This is the attestation.

    5. A1 scrubs CDI and its private key from memory while ensuring that the attestation as well as A2's key pair is available to A2. Note that the TKey only supports two-stage boot chains at the moment.

    A1's key pair could also be signed by the vendor before shipping. We do it like this: https://github.com/tillitis/tkey-verification