Hi,

Andreas Fenkart:
> I'm comparing NitroKey Pro and KernelConcepts OpenPGP card.
>
> https://shop.nitrokey.com/shop/product/nitrokey-pro-3
> http://shop.kernelconcepts.de/#openpgp
>
> I'm only interested in creating signatures for FW releases. What
> confuses me is the claim made by NitroKey that it is "tamper
> resistant". I guess kernelconcepts card being a BasicCard[1] should be
> "tamper resistant" as well.
I think you are a bit mistaken: in the Nitrokey Pro, the STM32 processor is not doing any crypto. Indeed, the STM32 has no hardware protection at all for such a purpose. The processor is used to implement the smartcard /reader/ protocol (and a few other functions) and itself forwards all crypto tasks to an on-board OpenPGP smartcard (which can be exchanged via a slot).

As far as I know, there are no known side channels or (easy) attacks on the OpenPGP smartcard. As a normal user you have almost no way to find implementation details for smartcards, because they are all protected by patents and NDAs (it would not be possible to make the design free). It is not (or at least it should not be) possible to extract secret keys from a smartcard: you send your plain text to the reader, then to the card, and get back the cipher text (or vice versa).

The Nitrokey people had to decide whether to do the crypto on the STM32, where they can influence the PCB layout but not the processor (with known attacks) itself, or to do it on an OpenPGP smartcard and have to trust the manufacturer. Since the Nitrokey software and hardware design is free (as in freedom), you can at least inspect these bits (e.g. you can look at the layout using the free software KiCad) and modify the firmware running on the STM32 (maybe you want to add some other additional function that is not security critical).

If you only buy a smartcard, you still have to trust the smartcard reader you use, because it can read/copy/modify/transmit via HF all communication and, depending on your level of paranoia, you also have to carry the reader with you at all times. Since you need to trust both the reader and the smartcard, Nitrokey put both in the same package and labeled it Nitrokey Pro so you can carry it around.

Cheers,
~flapflap