public inbox for gentoo-project@lists.gentoo.org
 help / color / mirror / Atom feed
Search results ordered by [date|relevance]  view[summary|nested|Atom feed]
thread overview below | download: 
* [gentoo-project] Nitrokey Pro not vulnerable to the Nitrokey Start read-only bit
@ 2019-04-30 17:06 99% Robin H. Johnson
  0 siblings, 0 replies; 1+ results
From: Robin H. Johnson @ 2019-04-30 17:06 UTC (permalink / raw
  To: gentoo-project

[-- Attachment #1: Type: text/plain, Size: 1182 bytes --]

TL;DR: The Foundation/Nitrokey partnership is sending Nitrokey Pro units
that are not the same as the Nitrokey Start units vulnerable to hands-on
key extraction attack.

As a few people have asked about it:
There was a production batch of "Nitrokey Start" units that did not have
a read-protection bit configured, and thus were vulnerable to a key
extraction attack:
https://github.com/rot42/gnuk-extractor
The issue was specific to a batch of hardware that was mis-programmed,
and the issue is not present on newer Nitrokey Start units.
https://github.com/Nitrokey/nitrokey-start-firmware/issues/14

The Foundation/Nitrokey partnership is providing Nitrokey Pro 2 units,
which are supposedly not vulnerable to this issue (but I'd be happy for
a hardware hacker to confirm this, I understand that the Pro2 has a
seperate smartcard internally)

If you already had an older Nitrokey Start unit, reviewing/updating the
firmware is advised.

-- 
Robin Hugh Johnson
Gentoo Linux: Dev, Infra Lead, Foundation Treasurer
E-Mail   : robbat2@gentoo.org
GnuPG FP : 11ACBA4F 4778E3F6 E4EDF38E B27B944E 34884E85
GnuPG FP : 7D0B3CEB E9B85B1F 825BCECF EE05E6F6 A48F6136

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 1113 bytes --]

^ permalink raw reply	[relevance 99%]

Results 1-1 of 1 | reverse | options above
-- pct% links below jump to the message on this page, permalinks otherwise --
2019-04-30 17:06 99% [gentoo-project] Nitrokey Pro not vulnerable to the Nitrokey Start read-only bit Robin H. Johnson

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox