NitroKey 3 (NK3) and Firmware Upgrade Security Considerations

OP is not about brute force security but rather the security implications of any firmware signed using a compromised Nitrokey signature.

Please keep the discussion on topic or open your own.

What is your threat model? The purpose of a security token is to protect the secret. So if not defeating the security measures after a malicious firmware update is your concern, what is it? Weak RNG? Bad USB? Phone home?

Hello.

My threat model was a hypothetical one in which anyone (enter ‘blank’ as you like) came into possession of a signing key from Nitrokey, would they not be able to access all your stored secrets and gpg keys? The example I gave initially is that a 6-digit pin can be trivially compromised if a firmware that allowed infinite pin attempts was pushed to the NK3. Any firmware can be pushed to the NK3 provided it is signed by Nitrokey. Thus, the discussion of a physical attack is not necessary in this thought experiment.

That’s it. That’s my question. What are the security considerations of an ‘upgradable’ firmware in view of the fact that signing keys can be stolen, confiscated, or otherwise compromised. (I also noted for reference in one of my replies that Yubikey does not allow for firmware upgrades due to admitted security considerations - read nothing more into this statement, however).

I am pretty sure that you could just build the firmware and sign it with your key by using the Nitrokey 3A NFC Hacker.
From

There is the following information that suggests that you can lock it to your own key

Reset the device
Apply the development configuration
Flash a provisioning firmware
Generate and provision FIDO attestation key and certificate
Flash the final firmware

For a regular Nitrokey 3 device, we would also perform these steps that are currently not covered by this guide:

Apply the release configuration and generate device secrets
Generate, sign and provision a Trussed device key and certificate
Seal the device configuration (not reversible)

OK. So let's assume "eat your own dog food": Nitrokey technology gets used by Nitrokey folks.

Main keys reside on an HSM and no single person has full control, but an n-of-m scheme is used. Maybe some high-ranking individuals have access to a backup key as a BCDR precaution.

If a rogue person does this or a key gets lost, I assume that compromised keys get revoked.

As a German company, there is no legal push possible to provide access to keys, enter PINs, etc.

For high-ranking people at Nitrokey there would be no incentive to sign malicious firmware. It would ruin the reputation of a security company.

In a civilized country, water hose cryptography is not likely.

The team, however, is international. I guess this is covered by 4-eye principles in pipelines or code reviews.

Occam's razor would point more to a sneaky attack vector like contributors modifying the code in a malicious way. The team of contributors is small.

The fact that you also actively have to firmware-update your device, and thus the device also needs to get confiscated, makes it difficult for an attacker.

Non-updatable firmware freezes a device, and over time bugs might get known that can be exploited or require an exchange. There is a rationale for both scenarios and no school of thought is best.

As a lot of details are not known from an outside-in view, and as trust is an individual thing, this is a difficult question.

I want to take a little time to look into the details of your post as this may be the best solution currently. Thank you.

Allow me to simplify your analysis: it means there is a purely social means to access the stored information on the Nitrokey (e.g. if it is taken from you or if you lose it). It's a hole, and a completely unnecessary one. I would gladly pay for a Nitrokey that cannot be upgraded (as a simple alternative).

I would definitely see the use case to freeze a stick.

Other security hardware can be locked down by a password for any firmware updates, and when this is randomized, nobody can update it.

If you look at the frequency of new releases with significant feature updates, I would prefer the possibility to update but enforce a factory reset. I find this convenient and secure.

One of the most sophisticated open source security tokens had a minimal firmware that got locked down. And a few months later there was a security bug and now the device has been nerfed.

As the NK3 got released as a FIDO2-only version, maybe a locked-down series can be released, or ideally have some feature flags to set this in the field.