Key generation fails on Nitrokey Storage

Oops - thought I had already posted it:

Yes, it works for the NK Pro version. gpg has created a file /var/root/.gnupg/sk_F5187107F63BBDFA.gpg as backup.
So it looks like the firmware of the NK Storage still has an issue with that backup procedure (at least under macOS Sierra with GnuPG).

Let me know if I should test something else…

Hello,
trying to get my keys into the brand-new (15.10.2016) NK-Storage (firmware 0,7) under Linux Mint 18/64bit:

  1. Installed libccid and copied nitrokey-rules.
  2. Installed nitrokey-app 0.5.1 from PPA. Reboot.
  3. Checked NK Pro! with gpg --card-status (and gpg2 --card-status) : that worked.
  4. Switched to NK Storage:
niklas@niklasdesktop ~ $ gpg2 --card-status
^C
gpg: signal Interrupt caught ... exiting

I interrupt because red LED and nothing else.

niklas@niklasdesktop ~ $ gpg --card-status
^C
gpg: Interrupt caught ... exiting

…same here, no error, no reaction, so I interrupt. Afterwards: unplug/plug in:

niklas@niklasdesktop ~ $ gpg --card-status
gpg: selecting openpgp failed: ec=6.108
gpg: OpenPGP Karte ist nicht vorhanden: Allgemeiner Fehler
niklas@niklasdesktop ~ $ gpg2 --card-status
gpg: selecting openpgp failed: Kartenfehler
gpg: OpenPGP Karte ist nicht vorhanden: Kartenfehler
niklas@niklasdesktop ~ $ 

I think that might be my fault (Mint-Problem?) but NitrokeyPro works.

Any idea what to do?

Phew,
niklas

Hi Niklas!

Could you check again your Nitrokey Storage firmware version? Current one is 0.43 and you have mentioned 0.7.

I have managed to reproduce your issue with Mint 18/x64 under a VM. After a full OS update and installing scdaemon, the gpg2 --card-status command occasionally worked (after issuing sudo killall scdaemon from time to time). However, key creation was not working at all, whether with backup or not. Let’s wait for the investigation results regarding the previous issue - I think this should also be fixed on that occasion.
I am not sure what is the cause of Mint behaving worse than Ubuntu in this situation. Software versions of GPG2 look similar.

Regards

Hi SZ+,
my mistake: Firmware is of course 0.43, Appversion: 0.5.1. Linuxmint 18.

When I try to gpg2 --card-status the Nk Storage switches the red LED on for approx 20 sec, then goes off again, after approx. 1 minute: "gpg: OpenPGP Karte ist nicht vorhanden: Nicht unterstützt."
The killall-command doesn’t work for me, same error: “gpg: OpenPGP Karte ist nicht vorhanden: Nicht unterstützt”

I guess that's some old Ubuntu problem, e.g. libccid vs gpg-agent vs scdaemon vs keyring.

But the NKPro works flawlessly and I hoped those old problems were solved by now.

Although I don’t want to use both (Storage and Pro) on the same system, I have to since “keytocard” doesn’t work and I use the NKPro for encrypting and the NK-Storage for data …

Any suggestions for the keytocard problem besides, seems it isn’t solved?
Niklas

We are working to fix the firmware and will announce it here once solved.

We released a firmware update (0.44) which solves the issue when generating keys with key backup. Download and update instructions are here:
nitrokey.com/en/doc/firmware-update-storage

Background: This issue was more complex to solve than we thought initially and still isn’t solved perfectly (more on this below). It was caused by different buffer lengths. By specification all USB high-speed devices have to use 512 byte buffers for their logical endpoints. The CCID (smart card) level on top of USB allows devices to specify the buffer length individually (wMaxPacketSize). Consequently the CCID implementation in Linux and Mac OS ignores the buffer length of devices and assumes it’s always 512 bytes. The CCID implementation on Windows behaves differently and uses the device’s individual buffer length. This is the reason why the issue appeared on Linux and Mac OS only. Basically Linux and Mac OS violate the CCID specification and Windows violates the USB specification.

Our hardware doesn’t have sufficient buffer space available to assign the maximal buffers for both the mass storage and the CCID interface. Therefore our current patch reduces the mass storage buffer in order to be able to use the maximal buffer for the CCID interface. The side effect is that the performance of the mass storage is reduced by at least 10%. We are looking into ways to overcome this drawback (e.g. patching Linux’s libccid, assigning buffers dynamically) but didn’t find a good solution yet.

For now: If you want maximum performance of the mass storage, use firmware version 0.43. If you want to get the key generation issue solved or don’t care, use version 0.44 and newer. You could also update and downgrade both versions interchangeably.
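
An added example, not part of the original posts and not Nitrokey's code: a small parser that walks a USB configuration descriptor and reports CCID bulk endpoints whose wMaxPacketSize differs from the 512 bytes that, per the post above, the Linux and Mac OS CCID stacks assume. The descriptor bytes are constructed for illustration (the 64-byte CCID value is an assumption, not the device's real setting), and all function names are hypothetical.

```python
import struct

CCID_CLASS = 0x0B      # USB interface class code for smart card (CCID)
HS_BULK_SIZE = 512     # bulk packet size the post says Linux/Mac OS assume

def bulk_endpoints(config: bytes):
    """Walk a configuration descriptor; return (iface_class, ep_addr, size) per bulk endpoint."""
    found, iface_class, pos = [], None, 0
    while pos + 2 <= len(config):
        length, dtype = config[pos], config[pos + 1]
        if length < 2 or pos + length > len(config):
            raise ValueError(f"malformed descriptor at offset {pos}")
        if dtype == 0x04 and length >= 9:            # interface descriptor
            iface_class = config[pos + 5]            # bInterfaceClass
        elif dtype == 0x05 and length >= 7:          # endpoint descriptor
            addr, attrs, raw = struct.unpack_from("<BBH", config, pos + 2)
            if attrs & 0x03 == 0x02:                 # transfer type: bulk
                found.append((iface_class, addr, raw & 0x07FF))
        pos += length                                # class-specific descriptors are skipped
    return found

def ccid_size_mismatches(config: bytes):
    """CCID bulk endpoints whose advertised wMaxPacketSize is not 512."""
    return [(addr, size) for cls, addr, size in bulk_endpoints(config)
            if cls == CCID_CLASS and size != HS_BULK_SIZE]

def iface_desc(num, n_eps, cls):
    return bytes([9, 4, num, 0, n_eps, cls, 0, 0, 0])

def ep_desc(addr, attrs, size):
    return struct.pack("<BBBBHB", 7, 5, addr, attrs, size, 0)

def build_config(ccid_bulk_size):
    """Constructed sample: mass storage (class 0x08) plus CCID on one composite device."""
    body = (iface_desc(0, 2, 0x08) + ep_desc(0x81, 2, 512) + ep_desc(0x02, 2, 512)
            + iface_desc(1, 3, CCID_CLASS) + bytes([0x36, 0x21]) + bytes(52)
            + ep_desc(0x83, 2, ccid_bulk_size) + ep_desc(0x04, 2, ccid_bulk_size)
            + ep_desc(0x85, 3, 8))                   # interrupt endpoint, ignored
    return struct.pack("<BBHBBBBB", 9, 2, 9 + len(body), 2, 1, 0, 0x80, 50) + body

SAMPLE = build_config(64)   # constructed: CCID endpoints smaller than 512

if __name__ == "__main__":
    for addr, size in ccid_size_mismatches(SAMPLE):
        print(f"CCID bulk endpoint 0x{addr:02x}: wMaxPacketSize={size}, host may assume {HS_BULK_SIZE}")
```

On a real system the same bytes can be read from the raw descriptor dump the OS exposes for the device and passed to `ccid_size_mismatches` unchanged.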