Crowdfunding USB Security Key for Email- and Data-Encryption - Nitrokey Storage

Peter Lebbing peter at
Sun Nov 22 12:55:55 CET 2015

On 21/11/15 18:23, NdK wrote:
> I didn't look at the code (so this could be completely wrong and I'd be
> happy!), but if the OTP key is decrypted using a key in the chip after
> verifying that the card accepts the PIN, then it's even worse, since
> that master key is in cleartext somewhere outside the smartcard. So,
> with some efforts and a good lab the OTP keys can be extracted.

My guess is the OTP shared secret is stored in the non-volatile memory
of the microcontroller (in plaintext). That memory is reasonably well
protected against reading out (when properly configured). Sure, it's
possible with a lab, but it's not cheap. If such adversaries are in your
threat model, my guess (again) is that the OTP feature of this stick is
not aimed at you.


I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <>

More information about the Gnupg-users mailing list