Mechanism for unique secret material inside of FIDO2 USB sticks

Dear Nitrokey experts,

I own several Nitrokey FIDO2 USB sticks. Now I wonder what mechanism is used to ensure that the secret material on each Nitrokey FIDO2 USB stick is unique? What has been done to avoid having two Nitrokey FIDO2 with the same secret key material?

I hope that my question makes sense. Please correct me if I misunderstood anything!

Thank you in advance!

Solo aims to achieve 256 bit (32 byte) security with its FIDO2 implementation, even in light of physical side channels.

When Solo is first programmed, it will be “uninitialized,” meaning it won’t have any secret material, until the first time it boots, then it will leverage the TRNG to generate all necessary material. This only happens once.

A master secret, M, is generated at initialization. This is only used for all key generation and derivation in FIDO2. Solo uses a key wrapping method for FIDO2 operation.

Source (Nitrokey FIDO2 uses/shares source from/with Solokeys)

I had a follow up question to this. My understanding from the source, it seems that there is a master key ‘M’ which is used to generate the keys used during registration. My question is does nitrokey give you a mechanism of customizing the master key? In other words, can i install my own master key?

Also, from the source, it seems ‘M’ is not created during manufacturing process. Is that correct?

Don‘t know the details but I guess they want to reduce the risk and hassle to "burn-in“ a secret key during manufacturing to protect against supply-chain attacks.

For solo, there are special versions that were shipped together with Dicekeys and you could burn new secrets into them.

This is a philosophy question. Some prefer to have an option to change secrets, other would like to have that in a secure state that cannot be tampered with.

Maybe a toggle command that can be set once could activate or deactivate this feature would be a nice addition.

I can’t help but express surprise, that the documentation comes with a five year old note about a planned enhancement of the key generation.

Any case: If you could fully customize “your” master key, it would not be fido2 compliant. Whether it’s done programmatically at initial setup, or as a step in production, the master key of each dongle must be unique. Besides, when you use it to register a fido2 credential somewhere, it’s only one piece of the secrets tuple. So, it can’t be hacked via a supply-chain leak, which happened with the RSA secure ID tokens.

1 Like

AFAIK there is no rule that a user generated secret is against entry level FIDO2 specification and it can be part of the self attestation that this method gets supported.

With products like Dicekeys, the key IS unique but the user is in control of how it gets generated (secure dice throws) and it allows to forge a backup token.

I see its use in some applications. Think: access to a crypto wallet where you want a self-managed backup or where you have regulatory requirements to prove that noone else has even theoretical access to the seed.

Supply Chain attacks potentially could also be in the form of tampered random number generators or bugs in a hardware chip providing the TRNG.

Thanks!! So, if the key ‘M’ is not generated during manufacturing, is it generated the first time when we plugin to the USB port? Is there anyway to check there is no key when i receive a new nitrokey?

Also, when we reset they nitrokey , does it regenerate the master key (‘M’) ?

@sosthene-nitrokey Do you have insights or is there a documentation how the first setup of the blank pcbs work and what happens during factory reset?

My guess is that the seed stays but fresh secret material gets derived using TRNG input. With the different MCUs providing different sources for this randomness and storing this either encrypted on flash or in write only storage in the cryptoprocessor.

For each NK3 device, there is an attestation asymmetric key that is generated on the device. It is generated during the production of the device and stays the same following a factory reset.

The uniqueness of the private key depends on the secure random number generator of the device, which is secure and generates unique keys.

We cannot make that secret customizable because the public key is signed by us, and is accessible through the standard FIDO API in the packed attestation’s x5c field: Web Authentication: An API for accessing Public Key Credentials - Level 2.


Thank you @sosthene-nitrokey . My understanding is attestation key is used to identify the device. Is the Master (‘M’) different from this ? Also, during factory reset, does ‘M’ also get regenerated?

The documentation here says all secret materials are regenerated but is not explicit on the master key ‘M’