Hi Diego,
Am 23.11.2015 um 09:42 schrieb NdK:
> Il 23/11/2015 08:56, Jan Suhr ha scritto:
>
>>> I didn't look at the code (so this could be completely wrong and I'd be
>>> happy!), but if the OTP key is decrypted using a key in the chip after
>>> verifying that the card accepts the PIN, then it's
On 23/11/15 08:54, Jan Suhr wrote:
> 2nd factors are usually not access protected at all e.g. may have a
> display (which allows funny hacks[1]).
Ah, that makes sense! I forgot about that because I myself would
actually like an OTP protected by PIN as complete two-factor solution
(have the device
Il 23/11/2015 08:56, Jan Suhr ha scritto:
>> I didn't look at the code (so this could be completely wrong and I'd be
>> happy!), but if the OTP key is decrypted using a key in the chip after
>> verifying that the card accepts the PIN, then it's even worse, since
>> that master key is in cleartext
Hi Ndk,
Am 21.11.2015 18:23, schrieb NdK:
Il 21/11/2015 12:07, Peter Lebbing ha scritto:
Personally, I don't really see yet why the latter is so important;
however, gaining the ability to issue OTP's by simply inserting my own
OpenPGP card with my own PIN seems serious? Do I misunderstand it?
Hi Peter,
Am 21.11.2015 12:07, schrieb Peter Lebbing:
On 21/11/15 09:00, Jan Suhr wrote:
All serious findings are fixed already. Look for the "Note" at the end
of each issue description.
I suppose by "serious" you mean "defined as 'Critical' in the pentest"?
There are unfixed issues with seve
Il 22/11/2015 12:55, Peter Lebbing ha scritto:
> My guess is the OTP shared secret is stored in the non-volatile memory
> of the microcontroller (in plaintext). That memory is reasonably well
> protected against reading out (when properly configured). Sure, it's
> possible with a lab, but it's not
On 21/11/15 18:23, NdK wrote:
> I didn't look at the code (so this could be completely wrong and I'd be
> happy!), but if the OTP key is decrypted using a key in the chip after
> verifying that the card accepts the PIN, then it's even worse, since
> that master key is in cleartext somewhere outside
Il 21/11/2015 12:07, Peter Lebbing ha scritto:
> Personally, I don't really see yet why the latter is so important;
> however, gaining the ability to issue OTP's by simply inserting my own
> OpenPGP card with my own PIN seems serious? Do I misunderstand it? Or is
> it not part of the threat model
On 21/11/15 09:00, Jan Suhr wrote:
> All serious findings are fixed already. Look for the "Note" at the end
> of each issue description.
I suppose by "serious" you mean "defined as 'Critical' in the pentest"?
There are unfixed issues with severity "High":
Firmware:
NK-01-008 OTP can be unlocked b
Hi Malte!
Am 20.11.2015 11:26, schrieb Malte:
> Hi,
>
> very nice!
>
> Two questions/remarks, though:
>
> On Thursday 19 November 2015 22:37 Jan Suhr wrote:
>> The firmware and hardware of Nitrokey Storage have already been verified
>> by Cure53, a professional third-party security auditor.
Hi,
very nice!
Two questions/remarks, though:
On Thursday 19 November 2015 22:37 Jan Suhr wrote:
> The firmware and hardware of Nitrokey Storage have already been verified
> by Cure53, a professional third-party security auditor.
How do you deal with the findings of the audit?
(https://cure53.
Hi!
Nitrokey Storage is a USB device which operates as a “digital latchkey”
to protect your data and user accounts. It allows for the secure
encryption of emails, files and hard drives, secure login on the web and
contains encrypted mass storage. The encryption keys are stored securely
in the hard
12 matches