Test to validate Key Generation in Nitrokeys

My understanding is Nitrokey (which uses the same codebase as Solokeys), generates a master which is then used to derive key pairs for each site. The key wrapping scheme (described here) uses a random number as the key-id which is used to generate the key pair dynamically. The public key along with the the random number is used for registration. Subsequently, the key-id is used to regenerate (derive) the key pair during authentication.

The question is - is the master key burnt into the nitrokey during manufacturing? The same documentation says it is generated during initialization. But the question is if the master key is retained after a reset?

I tried to pose the question in this thread, but didn’t reach a conclusion. I wasn’t sure after reading the code either. So one of my colleague suggested the test below. do you think this tests would provide conclusively?

  1. Start with a new nitrokey - Register with a site (This will generate a key-id that is included in the registration)
  2. Login using the key ( this should work. Standard process)
  3. Reset the key
  4. Try to login to the site without new registration. If you are able to login to the site, then we can conclude that the master key is retained beyond a factory reset. If you are not able to login, it means the keys generated from key-id is different which means the master key has changed. (possibly regenerated).

hey @akdev93

yes you are right, given how derived keys work this might serve as a verification that the key was re-generated.



I bought the new NK Passkey and ran the above mentioned test. after resetting the key, it no longer worked with the registered sites. This proves that the master key was indeed removed (and regenerated) after the factory reset.