One-time passwords and GnuPG with Nitrokey

Posted Jul 28, 2016 20:21 UTC (Thu) by roc (subscriber, #30627)
In reply to: One-time passwords and GnuPG with Nitrokey by drag
Parent article: One-time passwords and GnuPG with Nitrokey

That does make it easier for an attacker to clone your key without your knowledge and obtain your password later, or obtain your password first and maintain persistent access to your account. Agreed this isn't a big deal for most users, who hopefully won't ever face such a well-resourced attacker.

One-time passwords and GnuPG with Nitrokey

Posted Jul 28, 2016 21:31 UTC (Thu) by drag (guest, #31333) [Link] (3 responses)

You are talking about somebody breaking into your house or your office, disassembling your key, cloning it, repairing it, and then returning it to you without your knowledge then stealing your password later one. That's some ninja-level stuff right there. I don't think it matters how much money they have. At that point probably having a 'secure processor' isn't going to help a whole lot. There are hundreds of other things they can do to you at that point that is worse then getting access to your accounts.

Getting the key stolen/lost is a issue, I think, with GnuPG type things, but it's really not a issue with OTP.

However having a secure processor is certainly 'nice to have' and would probably increase the usefulness of the device in the long run. I am curious what barriers to adoption it has right now; cost? practical limits to reprogramming the device?

One-time passwords and GnuPG with Nitrokey

Posted Jul 28, 2016 21:49 UTC (Thu) by corsac (subscriber, #49696) [Link] (1 responses)

I honestly don't care about the OTP part, what I'm worried about is the GPG part, because leaking the keys is really not something you want, either way. The “breaking in your house” part is a bit too much. Like nobody ever lost her keys, or left her backpack unattended in a train or in a bar… As always, it depends on your trust model and your own little paranoia, but people need to know that the fact it's a microcontroller in a token doesn't make it secure against everything.

One-time passwords and GnuPG with Nitrokey

Posted Jul 29, 2016 10:50 UTC (Fri) by Lekensteyn (guest, #99903) [Link]

According to the hardware description at [1], an OpenPGP smartcard is embedded. Thus your PGP keys should be as safe as with other OpenPGP smart cards using a dedicated reader. This does not prevent attacks where the firmware on the device gets replaced by a a malicious one that logs pin codes though, akin to an Evil Maid attack on laptops with FDE.

[1]: https://github.com/Nitrokey/nitrokey-pro-hardware/blob/ma...

One-time passwords and GnuPG with Nitrokey

Posted Jul 29, 2016 5:34 UTC (Fri) by roc (subscriber, #30627) [Link]

I was thinking more like leaving it in a hotel room in China.

I agree this is not something most people would have to worry about.

One-time passwords and GnuPG with Nitrokey

Posted Jul 29, 2016 8:59 UTC (Fri) by ballombe (subscriber, #9523) [Link]

Off-the-shelf secure microcontrollers are not off-limit to well-resourced attackers.