Weird. I needed nearly 10 minutes to find where they are, physically. I still do not know who is behind that industry. The whole statement of the company says nothing about open-source hardware. Their goals appear to be vague (to say the least). The whole process does not seem transparent.
The hardware may not be the problem here.
Memento Crypto AG?
Personally: an open-source product has my trust.
From the nitrokey site:
Both hardware and software are open-source, free software and allow independent security reviews. Customizable, no vendor lock-in, no security via obfuscation, no hidden security issues!
Compare this to their company statements:
Our goal is to use advanced technology to protect your network security.
Can you please comment on the level of hardware security against private key extraction, say by an invisible virtualization trojan activated from the BIOS?
Are there any software solutions using the most reliable keys, like the Nitrokey Pro 2, to emulate FIDO2?
I already have a Nitrokey Pro 2 and it would be nice to run some completely open-source Linux or OpenBSD distro on a dedicated board like the Beaglebone Black to emulate FIDO2, OTP, HOTP, TOTP, etc., still outsourcing the most sensitive parts of the work to the Nitrokey Pro 2 attached to such a BBB board.
2090RUB / 66 $/R = about $31 USD.
Your Nitrokey FIDO2 does not have NFC but still costs a bit more: 29 euros, though such a small price difference does not matter. I am more concerned that it is mentioned that even the Nitrokey FIDO2 token has a chip weaker than the NK Pro 2 from a security point of view.
Actually I am not fond of using NFC and I am not sure if it works with FIDO2 over the USB channel at all.
I need a FIDO2 token on Linux in a USB port.
Does your Nitrokey FIDO2 token ask for a PIN code after the token confirmation button has been pressed?
Is it possible to avoid typing the PIN or to automate its typing?
There are even FEITIAN BioPASS FIDO2 tokens with a fingerprint scanner which do not require entering a PIN code; though it looks like a good idea, I am not sure how secure they are as a whole solution.
I couldn't find any technical details about Thetis, so I can't comment on its security level.
Our Nitrokey FIDO2 is based on Solokey. Hence Nitrokey FIDO2 uses a STM32L4, and we plan to add an OpenPGP Card feature in the future. Compared to JavaCards, the STM32L4's side-channel resistance and tamper protection are low. However, the recent publication in this field targeted the STM32F1.
Whether a PIN is requested or not depends on the actual website to be used and is nothing the device vendor can decide.
Also, we produce locally in Germany so that we have better control to avoid supply-chain attacks.
Recently I was told by a Feitian distributor that K9B token has two chips:
NFC - NXP J3E081
USB - NXP LPC11U
How is it possible on the same single token to have two different chips? One chip per communication channel? Do they share data, or are they completely unlinked from each other, like two separate tokens placed next to each other?
While NFC - NXP J3E081 is a secure JavaCard,
USB - NXP LPC11U is just an ARM MCU?
How does the NXP LPC11U compare to the Solo Key in terms of security?
Or maybe the NXP LPC11U is used only as a converter from the JavaCard to add a USB channel to it?
Are private keys stored only in the JavaCard, or in the NXP LPC11U too?
I think you should ask Feitian about that. I could only speculate, since I am not familiar with their hardware.
We are not using their firmware directly, but a modified fork. We test all our updates on each release ourselves. Either way I am sure SoloKey will handle this.
Yes, this will be introduced in the subsequent updates.
You can compare the locally built firmware with the distributed signed one, and it should be identical. The signature is a separate part.
Regarding your first posts, I wanted to add that the STM32L4 offers a higher protection level than the STM32F1 by disabling debug adapter access altogether, and by brown-out protection. Perhaps this is the reason only the STM32F1 is shown in the publications (this, and wide usage, including medical devices).
Regarding your question about the chips, all the security-related part is inside the J3E081 Secure Element. The LPC chip is just used to handle the USB communication part; it does not store any keys. It just provides the USB connection and the HID protocol.
The ePass FIDO2 token does not provide an update function or an open-source function. Our keys are built on a secure element, which provides a higher level of security against physical attacks compared to other keys that use an MCU.
So the LPC11U is like a card reader, not keeping any sensitive info.
Do you think it is still dangerous to pass through such Chinese Feitian tokens into a KVM VM via virtual USB?
If the host does not talk to such a dongle directly, and even the HID interface is disabled on the host, then the token cannot do any harm to the host unless it escapes from the KVM VM?
If using full software emulation without hardware virtualization acceleration, then it is hardly likely for a VM to escape to the host?
I would like to make a general rule here, device- or producer-agnostic: if you do not trust the device, do not connect it to any fragile system, not to mention storing any secret data on it. If your device was altered, modified or was stolen, it is not your device anymore in any way, whatever protections were used.
As for the Feitian devices specifically, I have not heard anything about them being dangerous.
About VMs and PC workstation hardware security, the topic is very wide, and every year now and then one hears about new breaks and attacks. IOMMU seems to not be in wide use, and even then it might be implemented with a flaw, making it possible to access the PC's memory, where the secret keys are stored if not kept on an external device. I have to leave further research regarding VM escaping to you, unfortunately.
About a year ago I forgot my Nitrokey at home in a belt bursicle. I did not mention this to anyone, did not call anyone to ask about it, only thought about it, and that was enough to find my Nitrokey in the evening demonstratively pulled out of the bursicle and lying next to it, though I had left the NK inside the closed bursicle.
Can I still trust my NK Pro 2 after that? How can I verify its authenticity? How can I protect against this happening again, for example during my sleep?