Nitrokeys Offer Investment Security Without Infineon's Security Vulnerability

Recently, a significant security vulnerability in Infineon security chips was made public. Nitrokeys do not contain Infineon chips and are therefore not affected by this security vulnerability! Nevertheless, this incident holds interesting lessons for Nitrokey and our customers. In a nutshell: Security certifications are overrated and open source offers advantages over them. Nitrokeys offer a high level of investment security thanks to firmware updates. More on this below.

What has happened?

The affected chips are used in many smart cards and small devices such as FIDO security keys from different manufacturers. The YSA-2024-03 vulnerability allows cryptographic keys to be read from the chip and thus completely breaks the security the hardware is expected to provide. For example, a digital clone of a FIDO security key can be created and ultimately used to access the victim's accounts. Perhaps the worst thing about this vulnerability is that it cannot be corrected by means of a software update.

NinjaLab unveils a new side-channel vulnerability in the ECDSA implementation of Infineon 9 on any security microcontroller family of the manufacturer. [...] The exploitation of this vulnerability is demonstrated through realistic experiments and we show that an adversary only needs to have access to the device for a few minutes. The offline phase took us about 24 hours; with more engineering work in the attack development, it would take less than one hour. [...] These small timing leakages allow us to extract the ephemeral key and then the secret key.

What are the implications of this attack?

In the cited article it is speculated:

The attacks require about $11,000 worth of equipment and a sophisticated understanding of electrical and cryptographic engineering. The difficulty of the attack means it would likely be carried out only by nation-states or other entities with comparable resources and then only in highly targeted scenarios.

On this point, we disagree. 11,000 dollars is such a small investment that the budget of any serious cyber attack far exceeds it. The knowledge required for the attack is now largely public, even if carrying it out may still seem very challenging. However, clever hackers keep showing how easy it is to carry out attacks that were previously considered impossible or difficult. We would not be surprised if a simplification of this attack were demonstrated at one of the next Chaos Communication Congress or Black Hat conferences.

We estimate that the vulnerability exists for more than 14 years in Infineon top secure chips.

In this long period of 14 years, many millions of chips have been produced and delivered in smart cards and FIDO keys, all of which are now vulnerable to attack. Even if the scale falls far short of purely software-based attacks, the potential gain from such attacks is correspondingly huge, which increases the probability that they will be carried out.

Useless certifications?

These chips and the vulnerable part of the cryptographic library went through about 80 CC certification evaluations of level AVA VAN 4 (for TPMs) or AVA VAN 5 (for the others) from 2010 to 2024 (and a bit less than 30 certificate maintenances).

The affected chips are not just any microcontrollers, but security chips that have received some of the strictest existing security certifications. Obviously, even these certifications did not protect against this development error. So are security certifications pointless? We don't think they are completely pointless, because as part of such certifications, manufacturers have to implement security mechanisms ranging from the banal to the sophisticated, depending on the level of certification, and their correct implementation is verified. However, this incident shows that security certifications do not offer absolute security. Moreover, this is not the first security incident of this kind, and amateurish security errors have repeatedly been discovered in certified devices. In 2019, a similar security vulnerability in FIPS-certified dongles was published, which also could not be corrected via a software update. In 2010, it became known that FIPS 140-2 Level 2 certified encrypted USB storage devices from Kingston, SanDisk, Verbatim, MXI and PICO could be easily accessed using a standard password. We therefore consider security certifications to be nice-to-have but generally overrated.

Nevertheless, we have also carried out FIDO certification for the Nitrokey 3A Mini. The decisive factor was the desire of our users to use the Nitrokey in environments where such certification is required. We are planning further certifications for the future, but only where they are really necessary for our customers.

Advantages of open source

Security certifications are basically an incentive (or constraint) for manufacturers to develop sufficiently secure products. However, this is not the only way to create such an incentive. Instead of security certifications, we at Nitrokey rely on open source and independent, transparent security audits. This offers the following advantages:

  • The public has access to the source code and can therefore see the implementation quality and any errors at any time. Security by obscurity is not possible. Similar to certifications, this represents an economic incentive that ensures high quality and security, as otherwise many customers would not buy our products.
  • Unnecessary certification costs can be saved and used for development instead.
  • The community can provide technical feedback, contributions and corrections to improve quality.
  • Potential backdoors, whether malicious or out of convenience, could not be hidden and are therefore practically impossible.
  • Theoretically, any user can check the correctness, quality and security of the implementation.
  • To ensure that even technically inexperienced users and smaller companies can place their trust in us, we occasionally commission independent security audits. We always publish the results reports.

Investment security through firmware updates

Let's come back to the actual security vulnerability. The fact that affected devices cannot be corrected by firmware updates is especially dramatic. This means that no patches can be installed to fix this security vulnerability. Affected customers must therefore hope that the manufacturer will replace the devices free of charge (so far there has been no word of this). The more serious the security vulnerability and the more devices are affected, the more expensive and therefore less likely a free replacement will be, as some manufacturers simply cannot afford it. If manufacturers do offer a free replacement, this may be an acceptable solution for private customers. However, it can be assumed that it is unrealistic for corporate and government customers to replace hundreds or thousands of devices within a short period of time because the organizational effort would simply be too great. Either way, a complete replacement of a large number of devices means significant costs for organizations. For this reason, millions of vulnerable devices will probably still be in circulation many years from now.

Nitrokey's security is also based on microprocessors that could potentially have security vulnerabilities. In particular, Nitrokey 3 uses a security element from NXP that performs similar functions to the Infineon chip now affected. However, our architecture is based to a much greater extent on software, and software can be updated. Firmware updates not only allow us to correct many errors retrospectively, but also to introduce new functions and improvements at a later date. If, for example, a standard such as OpenPGP or FIDO2/WebAuthn/Passkeys is developed further, we make this available to our customers free of charge (FIDO/CTAP 2.2 is under development). This means that money spent on Nitrokeys offers greater investment security than money spent on devices that cannot be subsequently corrected and updated via firmware updates.

6.9.2024

Comments

After three years (since the first announcement) the software is still missing important functionality - number of resident keys, only ten - not all announced algorithms supported - number of bugs (in GitHub) is growing, some can be considered security relevant. Can you please provide some time frame for when the firmware will reach feature completeness (for features announced in 2021)? And an outlook beyond that, e.g. CTAP 2.2?
We mostly develop according to user requests and needs; as of today not a single user has approached us to say that they are missing Resident Key Slots - in fact I would struggle to name 10 different services that support Resident Key based logins - but anyway we are currently working on extending this number; to be precise, the amount will be dynamic in the future to make the best use of the available space. For the announced algorithms, please feel free to name the one you are missing; we just released a test firmware with support for many more algorithms, from brainpool to p512. And the number of bugs in GitHub is usually a good sign; please feel free to point out which one you see as the most critical - then we'll do our best to resolve it - we ourselves are not aware of any which really block or reduce security for some use-case. Furthermore, CTAP2.2 was actually already implemented by us? Which specific use-case are you referring to, why do you need CTAP2.2? Please approach us, because as of today it looks like Nitrokey has the only open-source CTAP2.2 implementation available. But it's not yet included in the firmware as a) the specification hasn't been finalized yet, b) we see nearly no realistic use-cases which require 2.2 as of today.
Since nowadays passkeys are getting some attention, I expect the number of sites supporting resident-keys/passkeys to increase. Good to hear that you are working on increasing the number of slots. Can you please provide an estimate, when this will become available? I made reference to CTAP2.2 because it was mentioned in the blog post and as an example of something beyond the original announcement. I was not implying that I had a use case for CTAP2.2, just that it would be interesting to know what else is in the pipeline. fido-authenticator #19 is one example that I would consider security relevant. It allows a local attacker to gain access to secrets generated with the hmac-extension even if during the generation of the secret user-presence was requested. In my opinion this gives a false sense of security, "nothing can happen without touching the NK" is no longer true in this case.
dynamic passkeys amount: I have some hopes that this will be part of the next test release - so let's make it some weeks + some more weeks for a stable release. I assume you mean nitrokey/fido-authenticator #19? Please make sure to comment on this issue if this is important for you - due to finite development time we have to prioritize, and we mostly do this based on what our customers want.
