Can I find responses from NK to audit findings?

It is great to see that you have done an audit of firmware and hardware.

When I have done company audits, the management was given a chance to respond to each issue and provide a high-level action plan to mitigate the risk or fix the issue. So I wonder what NK's responses to each of the findings were?

Some of the findings are critical, while others may be less "important" but quick wins to fix during a next release.

Maybe I overlooked a document - at least the search function inside the forum has not turned up any kind of response. Are the responses/plans for the audit findings available?

Hi Peacekeeper,

As far as I can see, the main information is in the audit files (Nitrokey's answer is included), and there is a short answer to one issue in this news article.

If you have a specific question about one or more issues, please just tell us.

Kind regards,

Oops, I overlooked the paragraphs with "Note" in front - shame on me! :blush:

There is only one left in the firmware, where you don't detect an exchanged smart card. I wonder if you could not run a general thread that reads, stores and compares the serial number of the smart card and raises an alarm if a change happened - like a watchdog.

Anyhow, I am good after reading the response

As you said, all issues contain a note at the end, such as “Note: This issue was fixed by the Nitrokey maintainers, the fix was verified by Cure53.”

I don’t get your point, please elaborate. If you are referring to a particular issue mentioned in the report, please state its number.

Sure. It is about "NK-01-008 OTP can be unlocked by replacing Smart Card". To simplify, I see the problem as: NK asks the smart card "is the password correct?" and doesn't check whether the smart card is still the same one. So I thought, why not ask "Are you the smart card with S/N xyz, and is the PW ok?" If these two combined questions are not possible, I wonder if you could not run a background task that always checks the S/N and barks when it has changed?

Just a suggestion! I am not knee-deep in your firmware, so I don't know whether the current code would allow such a parallel task.
Hope that makes sense ...
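A model of the two variants the commenter proposes (the "combined question" that binds the PIN check to the card's serial, and the "watchdog" poll that revokes an unlock when the serial changes), written as an added illustration. This is not Nitrokey's firmware and not code from the Cure53 report: the card and firmware structures, the serial values, the PIN "123456" and every function name are constructed assumptions, and the card's PIN is a plain field only so the example runs stand-alone.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a smart card as the firmware sees it.  Real cards
 * expose their serial through a card read and verify the PIN on-card;
 * here both are plain fields so the example runs stand-alone. */
typedef struct {
    const char *serial;  /* hypothetical card serial number */
    const char *pin;     /* hypothetical user PIN held by the card */
} card_t;

/* Hypothetical firmware state: the serial of the card the OTP PIN was
 * bound to, plus whether the OTP slots are currently unlocked. */
typedef struct {
    char bound_serial[32];
    bool bound;
    bool otp_unlocked;
} firmware_t;

/* Constant-time equality so the PIN comparison does not leak by timing. */
static bool ct_equal(const char *a, const char *b) {
    size_t la = strlen(a), lb = strlen(b);
    unsigned char diff = (unsigned char)(la ^ lb);
    for (size_t i = 0; i < la && i < lb; i++)
        diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

/* Remember which card the OTP feature belongs to.  This would be an
 * admin-authenticated provisioning step, not something a later unlock
 * attempt can redo on its own. */
void bind_card(firmware_t *fw, const card_t *card) {
    strncpy(fw->bound_serial, card->serial, sizeof fw->bound_serial - 1);
    fw->bound_serial[sizeof fw->bound_serial - 1] = '\0';
    fw->bound = true;
    fw->otp_unlocked = false;
}

/* The "combined question": the unlock succeeds only if the inserted card
 * is the bound one AND the PIN verifies.  Asking the PIN question alone
 * would let any card whose PIN the holder knows unlock the OTP slots. */
bool unlock_otp(firmware_t *fw, const card_t *card, const char *pin_attempt) {
    if (!fw->bound || !ct_equal(fw->bound_serial, card->serial)) {
        fw->otp_unlocked = false;   /* wrong card: refuse and stay locked */
        return false;
    }
    if (!ct_equal(card->pin, pin_attempt))
        return false;               /* wrong PIN: lock state unchanged */
    fw->otp_unlocked = true;
    return true;
}

/* The "watchdog" variant: a periodic poll that re-reads the serial and
 * revokes an existing unlock if the card changed underneath it.
 * Returns true when a swap was detected. */
bool card_watchdog(firmware_t *fw, const card_t *card) {
    if (fw->bound && !ct_equal(fw->bound_serial, card->serial)) {
        fw->otp_unlocked = false;
        return true;
    }
    return false;
}

/* Walk through the NK-01-008 scenario: a legitimate unlock works, a swapped
 * card with a known PIN does not, and the watchdog revokes a live unlock
 * after a swap.  Returns true if all three behave as intended. */
bool run_swap_scenario(void) {
    const card_t original = { "SERIAL-0001", "123456" };  /* constructed */
    const card_t attacker = { "SERIAL-9999", "123456" };  /* constructed: attacker knows its own card's PIN */
    firmware_t fw = {0};

    bind_card(&fw, &original);
    bool legit_ok = unlock_otp(&fw, &original, "123456") && fw.otp_unlocked;
    bool swap_refused = !unlock_otp(&fw, &attacker, "123456") && !fw.otp_unlocked;

    /* Unlock again with the real card, then swap while unlocked. */
    unlock_otp(&fw, &original, "123456");
    bool watchdog_revoked = card_watchdog(&fw, &attacker) && !fw.otp_unlocked;

    return legit_ok && swap_refused && watchdog_revoked;
}

int main(void) {
    bool ok = run_swap_scenario();
    printf("serial-bound OTP unlock model: %s\n", ok ? "ok" : "FAILED");
    return ok ? 0 : 1;
}
```

The binding step is the part that matters: if any unlock attempt could re-bind the serial, a swapped card would simply bind itself, so the serial must be recorded only under admin authentication. Whether such a check belongs in the product at all is a threat-model question, which the reply below addresses.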

First of all, OTPs are a second factor, which means they are an additional protection (usually in addition to a password). Therefore access to OTPs usually isn't protected at all. For instance, if you have a physical OTP generator with a display, everybody who is in possession of the device can read the OTP from the display. Consequently, if somebody has your Nitrokey, he would be able to access the OTPs even without replacing the smart card, and that is totally fine with regard to the concept described above. The purpose of the optional PIN protection for OTPs in Nitrokey is to stop malicious software from accessing OTPs. But software wouldn't be able to physically replace a smart card.

I hope this clarifies.

Yes, thanks !
(this fills up to provide 20 chars :slight_smile: )