Nitrokey 3 - Test Firmware Release

The firmware releases formerly known as "alpha" are now called "test" releases to describe the character of the releases more precisely. This is firmware that contains functions that are not yet fully developed. The current release 1.3.1-test.20230417 contains the OpenPGP Card functionality and a still very experimental PIV card implementation.

For completeness, here are all the functions that are available with the test firmware:  ​

Due to the nature of these test releases, we explicitly advise against using them in production environments. Please always have backups available for all sensitive data. 

You strictly need pynitrokey in a version >= 0.4.35, which is now also available as a Windows installer and single executable. The latter could lead to a virus warning depending on your system, which is of course a false alarm. In addition, there is also a single executable for Linux.

To update to the current test release it is no longer necessary to download the files yourself. Instead you can simply use pynitrokey as follows:

$ nitropy nk3 update --version v1.3.1-test.20230417

You can switch back to the stable firmware like this:

$ nitropy nk3 update
19.4.2023

Comments

Submitted by Gandalf on 25. April 2023 - 20:42
What is the current status regarding the use of the secure element for the OpenPGP feature. It was mentioned before that all secret keys and related PINs are still stored insecrurely without using the actual secure enclave storage. HAs that changed yet? And related to that, how is the Fido2 Pin on the Nitrokey 3 stored? Is it handled differently from the OpenPGP implementation? Or can the Fido2 PIN also be extracted from insecure memory at the moment due to this still under development?
Submitted by meissner on 28. April 2023 - 0:05
OpenPGP data is currently stored on the external flash and encrypted with a key bound to the MCU. Using the secure element for this is an option, which will be available in the coming releases. FIDO2 data is stored inside the internal flash (on the MCU) thus also not extractable - this is important to allow FIDO2 to work over NFC (there is not enough energy available through NFC to allow powering up the secure element). In the future there might also be the option to move FIDO2 into the secure element (with the drawback that FIDO2 will not be available through NFC).
Submitted by Gandalf on 29. April 2023 - 11:53
Thank you for the reply. Is the Fido2 secret and PIN protected from software extraction only or is is also impossible to extract it using physical access to the circuitry?
Submitted by meissner on 2. May 2023 - 14:32
As the data is inside the main MCU package, even with physical access to the MCU you cannot extract its contents. Various security mechanisms ensure this behavior (mainly sealing).
Submitted by Gandalf on 2. May 2023 - 18:30
Sealing sounds like the threat model for the nk3 is rather a moderate adversary that would have trouble gaining physical access to the chip without destroying it. The question is if there are measures that also protect against adversaries with significant resources. Or to ask differently: Would you be confident that all secrets (Fido2 key, Pin, gpg and ssh key) would stay confidential, even if your nitrokey 3 was confiscated by authorities e.g. US border control, NSA, FSB ... Would you recommend the NK3 to be used by activists in Iran who would not survive if any secrets can be extracted (assuming there are no unknown vulnerabilities present)
Submitted by meissner on 3. May 2023 - 11:00
Generally I cannot give blanket guarantees that actors with enough resources can break given security mechanisms or not. I would be confident that a confiscation through some authorities would give me enough time to revoke the secrets on the key. Overall the token should in your described threat scenarios be mainly used as a 2nd factor so that the 1st is still valid even if you "lose" your token. E.g. U2F secrets are derived, so even if you have the key physically in your hand and full access you cannot tell which service it's registered for.
Submitted by Gandalf on 3. May 2023 - 18:08
The relevant (and final) question is if any practical physical attack on the stored secrets is part of the threat model. When the Titan Fido key from google was found to allow physical key extraction via a side channel attack on the NXP chip, it was treated as a vulnerability because their threat model was supposed to prevent any extraction, independent of the required efforts. Would the same be true for Nitrokeys? This is especially relevant for the secrets used for encryption like PGP keys or the Fido2 HMAC-secret extension that can be used for disk encryption (see systemd-cryptsetup). Would Nitrokeys provide the same protection as e.g. OpenPGP cards? And is the Fido key material (e.g. hmac-secret) equally protected from extraction then the PGP/SSH data? (once the firmware is out of beta)
Submitted by meissner on 5. May 2023 - 9:47
There has not been a thorough analysis yet by some external security researcher, but generally we consider the secrets safe also for physical theft. Although the absolute level of security is not the same as it is for a (OpenPGP) smartcard, as they have proven physical tamper resistance counter measures. Still once the SE050 is being used to save credentials/secrets inside it, the secure element (security) level should be comparable (as the SE050 also gives FIPS-based certification for tamper resistance). We plan to let the user decide, which protection level to choose - e.g. for FIDO2 credentials there likely will be the option to also save them to the secure element at some point, which if chosen will allow only USB usage of the FIDO2 features only (as during NFC operation there is not enough power to start the SE050).

Add new comment

Fill in the blank.