public inbox for gentoo-project@lists.gentoo.org
 help / color / mirror / Atom feed
* [gentoo-project] Nitrokey Pro not vulnerable to the Nitrokey Start read-only bit
@ 2019-04-30 17:06 Robin H. Johnson
  0 siblings, 0 replies; only message in thread
From: Robin H. Johnson @ 2019-04-30 17:06 UTC (permalink / raw
  To: gentoo-project

[-- Attachment #1: Type: text/plain, Size: 1182 bytes --]

TL;DR: The Foundation/Nitrokey partnership is sending Nitrokey Pro units
that are not the same as the Nitrokey Start units vulnerable to hands-on
key extraction attack.

As a few people have asked about it:
There was a production batch of "Nitrokey Start" units that did not have
a read-protection bit configured, and thus were vulnerable to a key
extraction attack:
https://github.com/rot42/gnuk-extractor
The issue was specific to a batch of hardware that was mis-programmed,
and the issue is not present on newer Nitrokey Start units.
https://github.com/Nitrokey/nitrokey-start-firmware/issues/14

The Foundation/Nitrokey partnership is providing Nitrokey Pro 2 units,
which are supposedly not vulnerable to this issue (but I'd be happy for
a hardware hacker to confirm this, I understand that the Pro2 has a
seperate smartcard internally)

If you already had an older Nitrokey Start unit, reviewing/updating the
firmware is advised.

-- 
Robin Hugh Johnson
Gentoo Linux: Dev, Infra Lead, Foundation Treasurer
E-Mail   : robbat2@gentoo.org
GnuPG FP : 11ACBA4F 4778E3F6 E4EDF38E B27B944E 34884E85
GnuPG FP : 7D0B3CEB E9B85B1F 825BCECF EE05E6F6 A48F6136

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 1113 bytes --]

^ permalink raw reply	[flat|nested] only message in thread

only message in thread, other threads:[~2019-04-30 17:06 UTC | newest]

Thread overview: (only message) (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2019-04-30 17:06 [gentoo-project] Nitrokey Pro not vulnerable to the Nitrokey Start read-only bit Robin H. Johnson

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox