
One-time passwords and GnuPG with Nitrokey

One-time passwords and GnuPG with Nitrokey

Posted Jul 28, 2016 14:18 UTC (Thu) by drag (guest, #31333)
In reply to: One-time passwords and GnuPG with Nitrokey by corsac
Parent article: One-time passwords and GnuPG with Nitrokey

To me this isn't a big deal if you are using it for OTP as part of a two-factor authentication. Even if you lose the card it doesn't mean that they gain access. They still need to get your password.

For GnuPG applications, I donno. For personal use I don't see it as a big problem provided you never let the thing off your person while in public with it. If you are paranoid then I suppose you could use potting material or epoxy to encase the board (beware of differentials in thermal expansion for surface mount components) to make the device tamper-resistant and tamper-evident.


One-time passwords and GnuPG with Nitrokey

Posted Jul 28, 2016 20:21 UTC (Thu) by roc (subscriber, #30627) [Link] (5 responses)

That does make it easier for an attacker to clone your key without your knowledge and obtain your password later, or obtain your password first and maintain persistent access to your account. Agreed this isn't a big deal for most users, who hopefully won't ever face such a well-resourced attacker.

One-time passwords and GnuPG with Nitrokey

Posted Jul 28, 2016 21:31 UTC (Thu) by drag (guest, #31333) [Link] (3 responses)

You are talking about somebody breaking into your house or your office, disassembling your key, cloning it, repairing it, and then returning it to you without your knowledge, then stealing your password later on. That's some ninja-level stuff right there. I don't think it matters how much money they have. At that point probably having a 'secure processor' isn't going to help a whole lot. There are hundreds of other things they can do to you at that point that are worse than getting access to your accounts.

Getting the key stolen/lost is an issue, I think, with GnuPG type things, but it's really not an issue with OTP.

However having a secure processor is certainly 'nice to have' and would probably increase the usefulness of the device in the long run. I am curious what barriers to adoption it has right now; cost? practical limits to reprogramming the device?

One-time passwords and GnuPG with Nitrokey

Posted Jul 28, 2016 21:49 UTC (Thu) by corsac (subscriber, #49696) [Link] (1 response)

I honestly don't care about the OTP part, what I'm worried about is the GPG part, because leaking the keys is really not something you want, either way. The “breaking in your house” part is a bit too much. Like nobody ever lost her keys, or left her backpack unattended in a train or in a bar… As always, it depends on your trust model and your own little paranoia, but people need to know that the fact it's a microcontroller in a token doesn't make it secure against everything.

One-time passwords and GnuPG with Nitrokey

Posted Jul 29, 2016 10:50 UTC (Fri) by Lekensteyn (guest, #99903) [Link]

According to the hardware description at [1], an OpenPGP smartcard is embedded. Thus your PGP keys should be as safe as with other OpenPGP smart cards using a dedicated reader. This does not prevent attacks where the firmware on the device gets replaced by a malicious one that logs PIN codes though, akin to an Evil Maid attack on laptops with FDE.

[1]: https://github.com/Nitrokey/nitrokey-pro-hardware/blob/ma...

One-time passwords and GnuPG with Nitrokey

Posted Jul 29, 2016 5:34 UTC (Fri) by roc (subscriber, #30627) [Link]

I was thinking more like leaving it in a hotel room in China.

I agree this is not something most people would have to worry about.

One-time passwords and GnuPG with Nitrokey

Posted Jul 29, 2016 8:59 UTC (Fri) by ballombe (subscriber, #9523) [Link]

Off-the-shelf secure microcontrollers are not off-limits to well-resourced attackers.

One-time passwords and GnuPG with Nitrokey

Posted Jul 29, 2016 17:04 UTC (Fri) by kreijack (guest, #43513) [Link]

> To me this isn't a big deal if you are using it for OTP as part of a two-factor authentication.
> Even if you lose the card it doesn't mean that they gain access. They still need to get your password.

If so, in what way is Nitrokey different from a... mass storage USB key equipped with a program which is executed by the host? Or an app on your phone?

I think that not being cloneable is the key factor for this kind of gadget.


Copyright © 2025, Eklektix, Inc.