PIN Brute force resilience

Hi,

How resilient is the Nitrokey, please? Imagine this: if I store all my MASTER passwords in the Nitrokey's password manager and consider the Nitrokey my castle, how much trust can I put into the PIN protection on the Nitrokey?

Can someone, for example, take a copy of the firmware and run it under an emulator, where this person could simply brute-force all combinations from 000000 to 999999 and find out the one that works?

taskin

No, they can't copy the firmware of the Nitrokey and your password manager information, then emulate the Nitrokey in a secondary environment. The emulator environment doesn't exist, and the password manager information is encrypted…

I say this because it is the firmware itself that enforces the 5 retries before blocking access further.

Now, if they obtained your Admin PIN, then you're in trouble… which brings me to the sentence below…

Down the rabbit hole… let's say a nation-state creates an emulator mimicking the hardware environment, then downloads the firmware from Nitrokey, obtains your Nitrokey physically to pull the encrypted password manager information, obtains your Admin PIN, then writes a batch file to try 5 times until the firmware blocks further access, resets the emulator, and tries another 5 times… and all this happens quickly using the batch file… then yes, your worries are valid and all bets are off.

Back to the unfortunate reality of not being able to control much now… I'll say that Nitrokey is likely not able to prevent any of the procedures of the rabbit hole…

> Can someone, for example, take a copy of the firmware and run it under an emulator, where this person could simply brute-force all combinations from 000000 to 999999 and find out the one that works?

One minor nitpick: the OpenPGP card standard (which the Nitrokey implements) specifies that the PIN contain between 6 and 32 characters, not digits.

Most of us would normally call that a password. 20 characters of random printable ASCII is roughly equivalent to a 128-bit symmetric key.

It's called a PIN because the first OpenPGP cards were (and many still are) normal smart cards, like a bank card. Many card readers can accept only a numeric PIN.

The Nitrokey is not so limited.

If you make a 20-character random printable ASCII password, there’s no way an intelligence agency is going to find the PIN - hardware lock and reset or no.
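The two arguments made in this thread, the retry counter that blocks the card after 5 wrong tries and the entropy gap between a 6-digit PIN and a 20-character printable-ASCII passphrase, as an added worked model. This is not Nitrokey code or firmware; the 5-try limit and the alphabets come from the posts, and `PinSlot` is a constructed toy state machine, not the card's real implementation.

```python
import math
import secrets

RETRY_LIMIT = 5          # retry count quoted in the thread
PRINTABLE_ASCII = 95     # printable ASCII, codes 32..126


def pin_entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random PIN of `length` symbols drawn from `alphabet_size` choices."""
    return length * math.log2(alphabet_size)


def p_guess_within_retries(alphabet_size: int, length: int, tries: int = RETRY_LIMIT) -> float:
    """Chance of guessing the PIN before the retry counter blocks the slot."""
    return min(1.0, tries / (alphabet_size ** length))


class PinSlot:
    """Constructed model of a PIN slot with a retry counter (not the firmware)."""

    def __init__(self, pin: str, retries: int = RETRY_LIMIT):
        self._pin = pin
        self.retries_left = retries

    def verify(self, attempt: str) -> bool:
        if self.retries_left == 0:
            return False                      # blocked: attempts are no longer evaluated
        if secrets.compare_digest(self._pin, attempt):
            self.retries_left = RETRY_LIMIT   # a correct PIN resets the counter
            return True
        self.retries_left -= 1                # wrong PIN burns one retry
        return False


def sequential_guess(slot: PinSlot, length: int = 6) -> tuple[bool, int]:
    """Walk 000000..999999 against the slot; returns (found, attempts made before stopping)."""
    attempts = 0
    for n in range(10 ** length):
        attempts += 1
        if slot.verify(str(n).zfill(length)):
            return True, attempts
        if slot.retries_left == 0:            # counter exhausted: the slot is locked
            return False, attempts
    return False, attempts


print(f"6-digit PIN: {pin_entropy_bits(10, 6):.1f} bits, "
      f"P(guess in {RETRY_LIMIT} tries) = {p_guess_within_retries(10, 6):.1e}")
print(f"20 printable ASCII chars: {pin_entropy_bits(PRINTABLE_ASCII, 20):.1f} bits")
```

The printed numbers show why the second reply treats a 20-character PIN as a 128-bit key, while the toy slot shows that without the counter (the "reset the emulator" scenario) only the 6-digit search space stands between an attacker and the secret.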