Reflashing protection


#1

Hi Jan,

  1. Please let me know why you do not add a button for each encryption transaction verification, like in Yubikey?

Can you please suggest a USB cable which would have a timer that breaks the USB circuit a few minutes after pressing the button.

I have no better idea than just soldering a big AC timer like this:

into a general USB cable circuit break.

So that when I need some operation with the token, I would activate a timer for a few minutes.
It will short the USB circuit, say the power line, and the token will get connected to the computer for a few minutes.

  2. Please suggest how well Nitrokey is protected from unauthorized reflashing with a modified firmware containing a trojan, if it is taken from me unnoticed, for example at night while I am sleeping?

Do you have protection from reflashing in a service mode? Do you check a digital signature of the firmware, as microcode updates are checked in Intel CPUs?

Someone on your forum even mentioned a public commercial service for extracting crypto keys from a token:

https://lists.gnupg.org/pipermail/gnupg-users/2018-June/060601.html

http://www.pcbcopy.com/2016/ic_1128/1928.html


#2

Because such development takes time. :slight_smile: The FIDO U2F model is our first device with a touch button, and we will add such a button to our other models subsequently.

I don’t have experience with such cables and therefore can’t recommend any.

It depends on the model: Firmware updates on Nitrokey Pro and FIDO U2F require physical access (opening the casing and connecting wires). Firmware updates on Nitrokey Start are protected with the user’s password. Firmware updates on Nitrokey Storage are protected with a dedicated firmware password.

We don’t do digital signature checking, to allow users to flash their own firmware. However, we may change this in future models.

This is why our devices contain secure elements to protect cryptographic keys against such attacks. (Nitrokey Start doesn’t contain a secure element on purpose, but the cryptographic keys are encrypted with the user password.) Note that such services require physical access to the device and, AFAIK, opening the microprocessor in a laboratory. This is nothing which can be performed by malware.