A significant new release of NK PRO2 & HSM2 with new features, like in mid 2018-2019

Hello,

When do you plan a future major upgrade of NK HSM2 hardware internals, like at the beginning of 2019?

What is the most stable HSM2 firmware version?

What is the LATEST HSM2 firmware version ever shipped to anyone up to now July 2020?

How to verify its version from a host computer?

Do you always ship only the very latest versions of firmware after ordering from your shop?

If a wrong, obsolete version of HSM2 firmware and/or hardware is shipped, can you replace the item free of additional charge and ship another HSM2 with the LATEST hardware/firmware after the item you sent is returned?

I have already purchased only an NK PRO2 earlier and am now thinking about getting a new NK HSM2.

Thanks,
Alex

Hi @sanyo!

  1. For Nitrokey HSM2 I am not aware of any plans for H/W upgrade at the moment.
  2. Firmware can be upgraded on both hardware lines.
  3. One of the OpenSC status commands (pkcs11-tool AFAIR) shows the firmware version.
  4. It should be mostly up to date on the day you buy. It’s not really an issue, since the update is easy and can be done over the browser.
  5. We do not send old H/W anymore, so you should never receive it. Additionally, all smart cards are tested during production on our side and before actual shipment takes place.
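Point 3 above mentions reading the firmware version with an OpenSC status command. The script below is an added example, not code from the thread, from Nitrokey or from OpenSC: it parses the "firmware version" line that `pkcs11-tool --list-slots` prints for a token and compares it against a minimum. The sample output, its version numbers and the serial are constructed placeholders, and the module path in the comment is an assumption that varies by distribution.

```shell
#!/bin/sh
# Added example (not Nitrokey's or OpenSC's code): read the token firmware
# version from `pkcs11-tool --list-slots` output and compare versions.
# On a host with OpenSC installed and the HSM plugged in, replace the sample
# with real output, e.g.:
#   pkcs11-tool --module /usr/lib/opensc-pkcs11.so --list-slots
# (the module path is an assumption; it differs between distributions).

# Constructed sample shaped like pkcs11-tool --list-slots output.
# Version numbers and serial are placeholders, not real device values.
SAMPLE_OUTPUT='Available slots:
Slot 0 (0x0): Nitrokey Nitrokey HSM (DENK00000000        ) 00 00
  token label        : SmartCard-HSM (UserPIN)
  token manufacturer : www.CardContact.de
  token model        : PKCS#15 emulated
  token flags        : login required, rng, token initialized, PIN initialized
  hardware version   : 24.13
  firmware version   : 3.4
  serial num         : DENK00000000
  pin min/max        : 6/15'

# firmware_version OUTPUT: print the "firmware version" field of the first
# token listed (empty string if the line is absent, e.g. no token present).
firmware_version() {
    printf '%s\n' "$1" |
        awk -F': *' '/^[[:space:]]*firmware version/ { print $2; exit }'
}

# version_at_least A B: exit 0 when dotted version A >= B, comparing each
# component numerically (so 3.10 > 3.4), otherwise exit 1.
version_at_least() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            ai = (i <= na) ? x[i] + 0 : 0
            bi = (i <= nb) ? y[i] + 0 : 0
            if (ai > bi) exit 0
            if (ai < bi) exit 1
        }
        exit 0
    }'
}

# Stand-alone run: report the version found in the sample and check it
# against a constructed minimum (the minimum is a placeholder, not a
# value from the thread).
fw=$(firmware_version "$SAMPLE_OUTPUT")
echo "token firmware version: ${fw:-unknown}"
if version_at_least "${fw:-0}" 3.0; then
    echo "meets placeholder minimum 3.0"
else
    echo "below placeholder minimum 3.0"
fi
```

Keep the comparison numeric per component rather than a string compare: a string compare would order "3.10" before "3.4". The same parsing works for the "hardware version" line by changing the pattern.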

Firmware can be upgraded on both hardware lines.

I am not sure which hardware lines you refer to. HSM1 and HSM2?

Does the latest Nitrokey HSM2, made in mid-2020, have firmware that is updatable by end users?

Do you still work on and release updates for old HSM1 hardware?

For how long are you going to support current HSM2 hardware with firmware updates?

Are firmware updates always verified for their signature by an internal flashing API?

Is HSM2 firmware proprietary (like Yubikey’s and unlike NK PRO2)?

  1. Both Nitrokey HSM1 and HSM2 support smart card firmware update.
  2. For HSM1 security updates are released.
  3. No EOL date is given for Nitrokey HSM2 at the moment.
  4. Yes, updates are secure and verified.
  5. Yes, HSM smart card’s firmware is closed.

Please clarify which feature defects or obsolescence are fixable by a firmware upgrade and which can be fixed only by replacing hardware (I mean a mass product line, not just a single buggy piece)?

Can it happen that in the next 1-3 years OpenSSH will release something not compatible with current HSM2 features, e.g. a deprecation related to RSA keys or something like it, and the only fix will be a replacement of hardware like HSM2 -> HSM3 (new purchase)?
I refer only to existing features of OpenSSH; sure, they can add support for something new not yet supported, but I am afraid of an indirect deprecation of compatibility with HSM2.

I understand OpenBSD developers have good reasons to deprecate something like RSA-SHA1, as mentioned in:

Future deprecation notice

It is now possible[1] to perform chosen-prefix attacks against the
SHA-1 hash algorithm for less than USD$50K. For this reason, we will
be disabling the “ssh-rsa” public key signature algorithm that depends
on SHA-1 by default in a near-future release.

This algorithm is unfortunately still used widely despite the
existence of better alternatives, being the only remaining public key
signature algorithm specified by the original SSH RFCs.

https://www.openssh.com/txt/release-8.2

But how to deal with something like that having NK HSM2 or even NK HSM1?
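The quoted notice deprecates the "ssh-rsa" signature algorithm (RSA with SHA-1), not RSA keys as such; the same OpenSSH 8.2 notes name the RFC 8332 algorithms rsa-sha2-256 and rsa-sha2-512, which use the same key type. The script below is an added example, not from the thread or from OpenSSH: it classifies the signature algorithms an OpenSSH build offers (the shape of `ssh -Q sig` output) to tell whether RSA keys remain usable with SHA-2 signatures after ssh-rsa is disabled, and derives the comma-separated SHA-2-only list that the client option expects. The sample algorithm list is constructed; the option names PubkeyAcceptedKeyTypes (older releases) and PubkeyAcceptedAlgorithms (8.5 and later) are real, but which one your build accepts is an assumption to check against `man ssh_config`.

```shell
#!/bin/sh
# Added example, not from the thread or from OpenSSH: classify the signature
# algorithms an OpenSSH build offers, to see whether RSA keys keep working
# with SHA-2 signatures once the SHA-1 based "ssh-rsa" is disabled.
# On a real host, replace the constructed sample with:  ssh -Q sig

# Constructed sample of `ssh -Q sig` output (one algorithm per line).
SAMPLE_SIG_LIST='ssh-ed25519
ssh-rsa
rsa-sha2-256
rsa-sha2-512
ecdsa-sha2-nistp256'

# rsa_signature_status LIST: print one of
#   sha2-ok    rsa-sha2-256 or rsa-sha2-512 offered: RSA keys (on a token
#              or on disk) keep working without ssh-rsa
#   sha1-only  only ssh-rsa offered: RSA keys stop working once it is disabled
#   no-rsa     no RSA signature algorithm offered at all
rsa_signature_status() {
    has_sha2=0
    has_sha1=0
    for alg in $1; do
        case "$alg" in
            rsa-sha2-256|rsa-sha2-512) has_sha2=1 ;;
            ssh-rsa) has_sha1=1 ;;
        esac
    done
    if [ "$has_sha2" -eq 1 ]; then
        echo sha2-ok
    elif [ "$has_sha1" -eq 1 ]; then
        echo sha1-only
    else
        echo no-rsa
    fi
}

# sha2_only_pubkey_list LIST: print LIST with ssh-rsa removed, in the
# comma-separated form ssh_config expects for PubkeyAcceptedKeyTypes
# (OpenSSH before 8.5) or PubkeyAcceptedAlgorithms (8.5 and later).
sha2_only_pubkey_list() {
    printf '%s\n' $1 | grep -v '^ssh-rsa$' | paste -sd, -
}

# Stand-alone run over the constructed sample.
echo "RSA signature status: $(rsa_signature_status "$SAMPLE_SIG_LIST")"
echo "SHA-2-only client list: $(sha2_only_pubkey_list "$SAMPLE_SIG_LIST")"
```

The practical reading for a hardware token: as long as the client reports sha2-ok, the deprecation changes which signature algorithm the client negotiates, not which key it holds, so an existing RSA key pair can stay in use; only a client or server that offers nothing but ssh-rsa is affected.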