From: "Robin H. Johnson"
To: gentoo-project@lists.gentoo.org
Date: Tue, 30 Apr 2019 17:06:37 +0000
Subject: [gentoo-project] Nitrokey Pro not vulnerable to the Nitrokey Start read-only bit

TL;DR: The Foundation/Nitrokey partnership is sending Nitrokey Pro units that are not the same as the Nitrokey Start units vulnerable to the hands-on key extraction attack.

As a few people have asked about it:

There was a production batch of "Nitrokey Start" units that did not have a read-protection bit configured, and thus were vulnerable to a key extraction attack:
https://github.com/rot42/gnuk-extractor

The issue was specific to a batch of hardware that was mis-programmed, and the issue is not present on newer Nitrokey Start units.
https://github.com/Nitrokey/nitrokey-start-firmware/issues/14

The Foundation/Nitrokey partnership is providing Nitrokey Pro 2 units, which are supposedly not vulnerable to this issue (but I'd be happy for a hardware hacker to confirm this; I understand that the Pro 2 has a separate smartcard internally).

If you already had an older Nitrokey Start unit, reviewing/updating the firmware is advised.
-- 
Robin Hugh Johnson
Gentoo Linux: Dev, Infra Lead, Foundation Treasurer
E-Mail : robbat2@gentoo.org
GnuPG FP : 11ACBA4F 4778E3F6 E4EDF38E B27B944E 34884E85
GnuPG FP : 7D0B3CEB E9B85B1F 825BCECF EE05E6F6 A48F6136