Crowdfunding USB Security Key for Email- and Data-Encryption - Nitrokey Storage
peter at digitalbrains.com
Mon Nov 23 11:15:26 CET 2015
On 23/11/15 08:54, Jan Suhr wrote:
> 2nd factors are usually not access protected at all e.g. may have a
> display (which allows funny hacks).
Ah, that makes sense! I forgot about that because I myself would
actually like an OTP protected by PIN as a complete two-factor solution
(have the device, know the PIN). But that is an uncommon scenario.
> We introduced PIN-protection of
> OTPs as an optional feature because we don't have a physical button.
Can I suggest you document this well so people know the limitations of
the functionality? As a part of that, I'm sure you are aware a physical
button is out-of-band (a remote attacker can't press it), but a remote
attacker can send a PIN to the smartcard.
>> NK-02-006 Micro SD and Smartcard Slots lack ejection switch (High)
> An ejection switch doesn't make any sense to me. Note that ejection
> switch could only be triggered if a card is ejected while the device is
> Furthermore any pupil would be able to use a soldering iron to
> circumvent an ejection switch.
I read this part of the pentest document as a bundle complete with a
supercap to keep the power applied when unplugged and the part where
there is tamper detection. All three together make sense, the tamper
detection beating the pupil.
But the odd thing there is that the ejection switch is rated high
importance, but the others medium.
Thanks for your explanation!
 With his own soldering iron, if need be ;P.
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>