It is great to see that you have done an audit for Firmware and Hardware.
When I have done company audits, the management was given a chance to respond to each issue and provide a high-level action plan to mitigate the risk or fix the issue. So I wonder what the NK responses to each of the findings were?
Some of the findings are critical, while others may be less "important" but quick wins to fix during a next release.
Maybe I overlooked a document - at least the search function inside the forum has not thrown out any type of responses. Are the responses/plan to the audit findings available ?
As far as I can see, the main information is shown in the audit files (the answer of Nitrokey is included) and there is a short answer to one issue in this news article.
If you have a specific question to one or more issues please just tell us.
Oops, I overlooked the paragraphs with the note in front - shame on me!
There is only one left in the firmware, where you don't detect an exchanged smart card. I wonder if you could not run a general thread that reads, stores and compares the serial number of the smart card and alarms if a change happened - like a watchdog.
As you said, all issues contain a note at the end, such as "Note: This issue was fixed by the Nitrokey maintainers, the fix was verified by Cure53."
I don't get your point, please elaborate. If you are referring to a particular issue mentioned in the report, please state its number.
Sure. It is about "NK-01-008 OTP can be unlocked by replacing Smart Card". To simplify, I would see the problem that NK asks the smart card "is the password correct" and doesn't check if the smart card is still the same. So I thought, why are you not asking "Are you the smart card with S/N xyz and is the PW ok?" If these two combined questions are not possible, I wonder if you could not run a background task that always checks the S/N and barks when it has changed?
Just a suggestion! I am not knee deep in your firmware to understand if the current code would allow such a parallel task.
Hope that makes sense …
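As an added illustration of the binding check suggested in this post (example code, not Nitrokey's firmware and not from the audit report), a small C model of the OTP unlock state: the weak variant grants OTP access to whichever card is inserted once a PIN has been accepted, while the bound variant ties the unlock to the card serial verified at unlock time and re-locks when a different card appears. All struct and function names, serials and PINs are constructed.

```c
#include <stdbool.h>
#include <string.h>

/* Constructed model of the NK-01-008 unlock logic: hypothetical names, not Nitrokey firmware. */
typedef struct {
    char serial[17]; /* serial number reported by the smart card */
    char pin[9];     /* user PIN held on the card (constructed sample) */
} smart_card_t;
typedef struct {
    bool otp_unlocked;        /* set after a successful PIN check */
    char unlocked_serial[17]; /* serial of the card present at unlock time */
} device_state_t;
/* Unlock step shared by both variants: ask the card whether the PIN is correct and remember which card answered. */
static bool unlock_otp(device_state_t *d, const smart_card_t *card, const char *pin)
{
    if (strcmp(card->pin, pin) != 0) return false;
    d->otp_unlocked = true;
    strncpy(d->unlocked_serial, card->serial, sizeof d->unlocked_serial - 1);
    d->unlocked_serial[sizeof d->unlocked_serial - 1] = '\0';
    return true;
}
/* Weak check (the behaviour the finding describes): only the unlock flag is consulted, the inserted card is ignored. */
static bool otp_allowed_weak(const device_state_t *d, const smart_card_t *card)
{
    (void)card;
    return d->otp_unlocked;
}
/* Bound check (the watchdog idea from the thread): unlock is tied to the serial verified at unlock; a different card re-locks. */
static bool otp_allowed_bound(device_state_t *d, const smart_card_t *card)
{
    if (!d->otp_unlocked) return false;
    if (strcmp(d->unlocked_serial, card->serial) != 0) {
        d->otp_unlocked = false; /* card changed: lock OTP again */
        memset(d->unlocked_serial, 0, sizeof d->unlocked_serial);
        return false;
    }
    return true;
}
/* Scenario: unlock with card A, then request OTP with card B (swap) or with A again.
 * Returns 1 if OTP access is granted, 0 if refused, -1 if the unlock itself failed. */
static int demo(bool use_bound_check, bool swap)
{
    smart_card_t a = { "CARDSERIAL000001", "123456" };
    smart_card_t b = { "CARDSERIAL000002", "000000" };
    device_state_t d = { false, "" };
    const smart_card_t *present = swap ? &b : &a;
    if (!unlock_otp(&d, &a, "123456")) return -1;
    return use_bound_check ? otp_allowed_bound(&d, present) : otp_allowed_weak(&d, present);
}
```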
First of all OTP are 2nd factor which means they are an additional protection (usually additional to a password). Therefore access to OTP usually isn't protected at all. For instance if you have a physical OTP generator with a display, everybody who is in possession of the device can read the OTP from the display. Consequently, if somebody has your Nitrokey he would be able to access the OTP even without replacing the smart card, and that is totally fine in regards to the concept described above. The purpose of the optional PIN protection for OTP in Nitrokey is to stop malicious software from accessing OTP. But software wouldn't be able to physically replace a smart card.