The officially official Devuan Forum!

#1 2019-11-08 16:20:46

bimon
Member
Registered: 2019-09-09
Posts: 12  

Do maintainers use cryptographic keys like Nitrokey to access source?

For example Gentoo developers got Nitrokey Pro 2 keys to secure their distribution.

https://www.gentoo.org/news/2019/04/16/nitrokey.html

Last edited by bimon (2019-11-08 16:21:24)

Offline

#2 2019-11-08 16:41:25

HevyDevy
Member
Registered: 2019-09-06
Posts: 38  

Re: Do maintainers use cryptographic keys like Nitrokey to access source?

Sounds like a good idea, but wouldn't that be allowing Nitrokey to handle sensitive info? It's kind of like VPN, you are trusting an outside source to secure your credentials, just hope they are good enough I suppose. Interesting question though.

Offline

#3 2019-11-09 03:13:45

bimon
Member
Registered: 2019-09-09
Posts: 12  

Re: Do maintainers use cryptographic keys like Nitrokey to access source?

Nitrokey is a type of dedicated microcomputer specialized for cryptographic operations.

So it is possible to keep your private keys inside the Nitrokey and never export or extract them.
The internal Nitrokey hardware and software supply the required OpenSC APIs for doing encryption and signing.

It is declared as difficult (or impossible) to pwn the Nitrokey internals from an outside trojaned computer that it is attached to.
Anyway, I would suggest a mechanical switch to break the USB cable line, like a Chinese washing machine timer, to connect the Nitrokey only for a few minutes, just to create a new session like SSH or GPG.

Last edited by bimon (2019-11-09 03:34:34)

Offline

#4 2019-11-09 03:23:04

bimon
Member
Registered: 2019-09-09
Posts: 12  

Re: Do maintainers use cryptographic keys like Nitrokey to access source?

Though Nitrokey uses open source software to build its firmware, it seems like it is not customizable and not even updatable, at least in the Pro2 model.

There is a completely free FST-01 hardware to get similar functionality:

https://www.gniibe.org/FST-01/fst-01.html

Online FSF.org shop for ordering:
https://shop.fsf.org/storage-devices/ne … -generator

Its firmware can be changed from a random number generator to GNUK to become a cryptographic token.


There is an opinion about Nitrokey vs FST-01:

https://news.ycombinator.com/item?id=11693888

IMHO, if you trust the Nitrokey company, a non-updatable Nitrokey Pro2 firmware looks even more secure than an updatable FST-01.

To protect even from government agencies, an FST-01 or a custom-made one from some older SoC like ARMv5 or earlier may be better in terms of security.

Last edited by bimon (2019-11-09 04:49:37)

Offline

#5 2019-11-09 03:26:18

bimon
Member
Registered: 2019-09-09
Posts: 12  

Re: Do maintainers use cryptographic keys like Nitrokey to access source?

HevyDevy wrote:

Sounds like a good idea, but wouldn't that be allowing Nitrokey to handle sensitive info? It's kind of like VPN, you are trusting an outside source to secure your credentials, just hope they are good enough I suppose. Interesting question though.

Nitrokey Pro2 and FST-01 tokens do not transfer any sensitive info via the Internet; they do not even transfer it to your computer. They keep your personal generated private keys within themselves, never extracting them. The private keys are generated INSIDE the token and never leave it, even over USB.

That is the main reason for maintainers to get such keys: to avoid bigger problems even if their computers are partially hacked.
Please take into account the existence of fully invisible bootkits activated from the BIOS and running in negative rings of the CPU.
It is not possible to detect them, and not even possible to erase them by reflashing the BIOS from the computer, due to the virtualization protection often integrated into such bootkits. One needs to use an external reflashing device, attaching it to the motherboard BIOS chips, to clean out this type of malware and to prevent an active bootkit from protecting itself against being erased from the BIOS chip.

All users of a distribution can be harmed if developers' keys stored on general disks are stolen.
But it applies to Debian too; for protection it would be preferable that both Debian and Devuan developers get Nitrokeys.

Actually, all active developers of useful open source software on GitHub-like repositories shall get Nitrokeys to protect the users' community.

Last edited by bimon (2019-11-09 04:55:13)

Offline
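
A check related to the point above about developer keys stored on ordinary disks, added here as an example and not part of the original thread: it reads `gpg --list-secret-keys --with-colons` output and reports which secret keys live on disk and which are held by a token. It assumes GnuPG 2.1+ colon output, where field 15 of `sec`/`ssb` records is `+` (secret key present locally), `#` (stub only) or a token serial number; the key IDs and card serial in the sample are constructed.

```python
# Constructed sample of `gpg --list-secret-keys --with-colons` output.
# Key IDs and the card serial number are made up for this example.
SAMPLE = """\
sec:u:4096:1:AAAAAAAAAAAAAAAA:1573200000:::u:::scESC:::+:::23::0:
uid:u::::1573200000::::Dev One <dev1@example.org>:
ssb:u:4096:1:BBBBBBBBBBBBBBBB:1573200000::::::e:::+:::23:
sec:u:4096:1:CCCCCCCCCCCCCCCC:1573200000:::u:::cSC:::#:::23::0:
ssb:u:4096:1:DDDDDDDDDDDDDDDD:1573200000::::::s:::D2760001240103040005000012340000:::23:
"""


def classify(token_field):
    """Map field 15 of a sec/ssb record to where the secret material lives."""
    if token_field == "+":
        return "disk"     # secret key material is in the local keyring
    if token_field == "#":
        return "stub"     # only a stub; the secret key is kept elsewhere
    if token_field:
        return "token"    # value is the serial number of a smartcard/token
    return "unknown"      # assumption: older GnuPG may leave the field empty


def audit(colon_output):
    """Return (record_type, key_id, location) for every secret key record."""
    results = []
    for line in colon_output.splitlines():
        fields = line.split(":")
        if fields[0] not in ("sec", "ssb") or len(fields) < 15:
            continue  # skip uid and other record types
        results.append((fields[0], fields[4], classify(fields[14])))
    return results


def keys_on_disk(colon_output):
    """Key IDs whose private material could be copied off the disk."""
    return [kid for _, kid, loc in audit(colon_output) if loc == "disk"]


if __name__ == "__main__":
    for rec, kid, loc in audit(SAMPLE):
        print(f"{rec} {kid}: {loc}")
    print("on disk:", keys_on_disk(SAMPLE))
```
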

#6 2019-11-09 13:11:32

HevyDevy
Member
Registered: 2019-09-06
Posts: 38  

Re: Do maintainers use cryptographic keys like Nitrokey to access source?

OK, thanks bimon, looks to be all open source, they even have all their firmware up on GitHub and will supply development boards and give instructions.

https://github.com/Nitrokey/nitrokey-pro-firmware

Offline

#7 2019-11-10 02:45:44

bimon
Member
Registered: 2019-09-09
Posts: 12  

Re: Do maintainers use cryptographic keys like Nitrokey to access source?

Please note that this approach only works for the older Nitrokey Pro device, not the Nitrokey Pro 2 (all devices purchased before 04/04/2018).

Offline
