Crowdfunding USB Security Key for Email- and Data-Encryption - Nitrokey Storage

NdK ndk.clanbo at gmail.com
Sat Nov 21 18:23:32 CET 2015


On 21/11/2015 12:07, Peter Lebbing wrote:

> Personally, I don't really see yet why the latter is so important;
> however, gaining the ability to issue OTPs by simply inserting my own
> OpenPGP card with my own PIN seems serious? Do I misunderstand it? Or is
> it not part of the threat model because the attacker is unable to
> extract the key used for OTP generation?
I didn't look at the code (so this could be completely wrong and I'd be
happy!), but if the OTP key is decrypted using a key in the chip after
verifying that the card accepts the PIN, then it's even worse, since
that master key is in cleartext somewhere outside the smartcard. So,
with some effort and a good lab the OTP keys can be extracted.

> Anyway, thanks for all your work on the Nitrokey series! I think it's
> great you put so much effort into creating these nifty devices.
Nifty, indeed. Too bad the PGP-card spec lacks decryption key archiving (so
that you can change your DEC key every year but keep using the same card
year after year).

BYtE,
 Diego



More information about the Gnupg-users mailing list