Crowdfunding USB Security Key for Email- and Data-Encryption - Nitrokey Storage
Peter Lebbing
peter at digitalbrains.com
Mon Nov 23 11:15:26 CET 2015
On 23/11/15 08:54, Jan Suhr wrote:
> 2nd factors are usually not access protected at all e.g. may have a
> display (which allows funny hacks[1]).

Ah, that makes sense! I forgot about that because I myself would
actually like an OTP protected by PIN as a complete two-factor solution
(have the device, know the PIN). But that is an uncommon scenario.

> We introduced PIN-protection of
> OTPs as an optional feature because we don't have a physical button.

Can I suggest you document this well so people know the limitations of
the functionality? As a part of that, I'm sure you are aware a physical
button is out-of-band (a remote attacker can't press it), but a remote
attacker can send a PIN to the smartcard.

>> Hardware:
>> NK-02-006 Micro SD and Smartcard Slots lack ejection switch (High)
>
> An ejection switch doesn't make any sense to me. Note that an ejection
> switch could only be triggered if a card is ejected while the device is
> powered.
> Furthermore any pupil would be able to use a soldering iron to
> circumvent an ejection switch.

I read this part of the pentest document as a bundle complete with a
supercap to keep the power applied when unplugged and the part where
there is tamper detection. All three together make sense, the tamper
detection beating the pupil[1].

But the odd thing there is that the ejection switch is rated high
importance, but the others medium.

Thanks for your explanation!

Peter.

[1] With his own soldering iron, if need be ;P.
--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>