Crowdfunding USB Security Key for Email- and Data-Encryption - Nitrokey Storage

Jan Suhr jan at
Mon Nov 23 08:59:02 CET 2015

Hi Ndk,

Am 21.11.2015 18:23, schrieb NdK:
> Il 21/11/2015 12:07, Peter Lebbing ha scritto:
>> Personally, I don't really see yet why the latter is so important;
>> however, gaining the ability to issue OTP's by simply inserting my own
>> OpenPGP card with my own PIN seems serious? Do I misunderstand it? Or 
>> is
>> it not part of the threat model because the attacker is unable to
>> extract the key used for OTP generation?
> I didn't look at the code (so this could be completely wrong and I'd be
> happy!), but if the OTP key is decrypted using a key in the chip after
> verifying that the card accepts the PIN, then it's even worse, since
> that master key is in cleartext somewhere outside the smartcard. So,
> with some efforts and a good lab the OTP keys can be extracted.

The key is stored in the card.

The (optional PIN protected and encrypted) OTP secrets are stored in the 
microcontroller's flash which is read-protected.

Best regards,

>> Anyway, thanks for all your work on the Nitrokey series! I think it's
>> great you put so much effort into creating these nifty devices.
> Nifty, indeed. Too bad PGP-card spec lacks decryption key archiving (so
> that you can change your DEC key every year but keep using the same 
> card
> year after year).
> BYtE,
>  Diego
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users at

More information about the Gnupg-users mailing list