Decapping and reading the chip inside a Nitrokey

There was a tweet about brute force.
Has anyone decapped the chip in a Nitrokey and read the flash/storage contents with an electron microscope?

Hi!

Do you mean any recent one? If so, I have not seen it. Could you link it here?

In case you mean Nitrokey Start, the read-out protection for this chip turned out to be faulty, and could be overcomed, allowing to read out the flash. However its content is encrypted. To decrypt the data attacker has to run the brute-force attack, hence it is important to have it long enough. For sufficiently long PIN the attack is not feasible to execute.

Here are more details about this: Key generation with Nitrokey Start on Debian buster fails / RSA4096

Announcement for the Nitrokey Start: Breaking the STM32F1 Read-Out Protection

1 Like

Thank you!!

The Password Safe stores passwords in the STM32F1. These are additionally encrypted with an AES key, which is stored in a tamper-proof smart card (and is PIN-protected).

Does it mean that there is Another chip in Nitrokeys?
Where are they?? https://github.com/Nitrokey/nitrokey-pro-hardware/blob/master/Nitrokey_Pro_v2_schematics.pdf

Do you mean any recent one? If so, I have not seen it. Could you link it here?

No. I’ve meant is the following. Has anyone tried to decap the chip and read its contents with a microscope or other way?

In the FIDO2 key I see an Atmel chip.
https://github.com/Nitrokey/nitrokey-fido2-hardware/blob/master/nk-fido2-schematic.pdf

One of its documents says.

Probing
The probing attack method centerson attacking an integrated circuit containing a secretby physically probing the circuit itself.In some cases, the secrets are stored in nonvolatile memories, either EEPROM or Flashthat are soldered to the board. Since the datasheets and functionality of most memory devicesarewell known, itis usually easy to read and/or write values to these devicesand read the secrets directly.It is usually relatively easy to locate the secret keys within the memory itself, despite the obfuscation that is often applied. Some methods include comparing thecontents of two identical systemsorlooking for areas of memory for which the contents are not in well-defined formats like media files or operating programs for the local microprocessor.If the secret is stored in an integrated circuit otherthan a standard memory then the silicon itself can usually be probed with microprobes(needles). Microprobe systems are widely used in the semiconductor industry to develop and debug production devices. They are not particularly expensive and can be foundin most college laboratories, on the used market.Most modern integrated circuits have two insulating layers between an attacker and the circuit elements on the chip:Plastic package of the devicePassivationlayer over the silicon itselfFuming nitric acid, which is available at chemical supply stores, can easily etch away the epoxy that forms most integrated circuit packages. Depending upon the type of passivation used, various solvents or etch methods are available to strip that layer away, exposing themetallization layers which can thenbe measured. Itisusually possible to repeat an activity on most systems, so only a single probe may benecessary. The attacker successively probes each individual output of the on-chip memory or computation block with the same input stimulus applied.In this manner the key can be retrieved one bit at a time.More sophisticated machinery can also be used to mount these attacks. Lasers can cut or burn away individual traces on a chip. E-beam probers do not require physical contact with the traces on the device to determine their state. Focused Ion Beam (FIB) machines can be used to effectively re-wire a deviceto change its operation.Please refer to“Mondex’s Pilot System Broken” (12)article for an example of asuccessful attack using these kinds of methods. These attacks tend to be destructive.

Product page https://www.microchip.com/wwwproducts/en/ATECC608A

It’s inside the smart card, placed in the smart card jack. It’s NXP based as far as I remember. Smart card was designed to be tamper-resistant, with multiple attacks in mind.

Do you mean decapping STM32 chip? Sure. Quick Google search for one of the models:

This is why we do not rely on sole hardware read protection for the MCU, and use smart cards additionally, which should have additional protection against such attacks.

Actually:

  • Nitrokey FIDO2 uses STM32L4;
  • Atmel is used in Nitrokey Storage.