Hi Peter,
On 21.11.2015 12:07, Peter Lebbing wrote:
> On 21/11/15 09:00, Jan Suhr wrote:
>> All serious findings are fixed already. Look for the "Note" at the end
>> of each issue description.
> I suppose by "serious" you mean "defined as 'Critical' in the pentest"?
> There are unfixed issues with severity "High":
> Firmware:
> NK-01-008 OTP can be unlocked by replacing Smart Card (High)

2nd factors are usually not access-protected at all, e.g. they may have a
display (which allows funny hacks [1]). We introduced PIN protection of
OTPs as an optional feature because we don't have a physical button. If
an attacker has physical access to replace the smart card, he could also
press a hypothetical button or read a hypothetical display. The PIN
isn't aiming to protect against physical attacks, hence it's not in our
threat model.

> Hardware:
> NK-02-006 Micro SD and Smartcard Slots lack ejection switch (High)

An ejection switch doesn't make any sense to me. Note that an ejection
switch could only be triggered if a card is ejected while the device is
powered. Furthermore, any pupil would be able to use a soldering iron to
circumvent an ejection switch.

> Personally, I don't really see yet why the latter is so important;

I agree.

> however, gaining the ability to issue OTPs by simply inserting my own
> OpenPGP card with my own PIN seems serious? Do I misunderstand it? Or is
> it not part of the threat model because the attacker is unable to
> extract the key used for OTP generation?

Right, not part of the threat model, and keys can't be extracted. Also, an
ejection switch wouldn't help here because a card could be replaced
while the device is powered off, which renders an ejection switch
useless.

> Anyway, thanks for all your work on the Nitrokey series! I think it's
> great you put so much effort into creating these nifty devices.

Thank you. :-)
Best regards,
Jan
[1] https://smallhacks.wordpress.com/2012/11/11/reading-codes-from-rsa-secureid-token/
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users