Comments (7)
Hi @MaVo159 !
Are your codes PIN protected?
I do not have to authorize getting HOTP codes otherwise AFAIR. Please check this simple example code
from nitrokey-pro-firmware.
I'm testing with TOTP. I'm not sure what you mean by "Are your codes PIN protected?". The first step (USER_AUTHENTICATE) involves sending the PIN if I remember correctly, so that would mean they are PIN protected, I guess. I'm fairly certain not doing the USER_AUTHENTICATE & USER_AUTHORIZE thing first gives an error even on the first GET_CODE.
Actually, I assumed you were aware of this bug since it seems familiar from nitrokey-app#82. But that is just a guess.
Your test code only does HOTP from what I can see, so I wouldn't be surprised if the bug doesn't show up there. I'll get to checking the HOTP stuff in detail at some point. So far I have only tested TOTP thoroughly.
If you can't reproduce this with TOTP, comment again. In about a week I am back from vacation and may have time to deal with this.
from nitrokey-pro-firmware.
I have asked about PIN protection since this switch possibly could force the user to authenticate each code request (it does in the application, and from your description it looks like it is checked on the device). When I have this one checked, the test code I have linked was not working. The option state is visible in Nitrokey App's Safe settings, as in the mentioned nitrokey-app#82.
As for HOTP & TOTP, the GET_CODE should be the same for both, since they differ only in slot number as far as I remember. If in doubt, you can always check how the App handles this (the command sequence) by running nitrokey-app -d and selecting Debug from the context menu.
Let me know if this has worked for you. Have a nice holiday!
from nitrokey-pro-firmware.
Ah. Makes sense. I'll check.
from nitrokey-pro-firmware.
Yes, you were right. It is checked. Unchecking it allows multiple OTP requests. However, now it doesn't require any PIN at all.
Just so I get this straight... This does not work as intended, right? The only way I can wrap my head around all these different commands is that the idea behind the temporary password is: Do authentication via PIN once and then authorize the generation of OTPs many times via temporary password without reentering the PIN or keeping it in memory.
from nitrokey-pro-firmware.
Just to leave a solution - the culprit is here:
https://github.com/Nitrokey/nitrokey-pro-firmware/blob/master/src/keyboard/report_protocol.c#L757
https://github.com/Nitrokey/nitrokey-pro-firmware/blob/master/src/keyboard/report_protocol.c#L733
cmd_authorize should not clear the temporary password, but it does.
Resetting the temporary password on authorization cancels the whole purpose of using it - protecting OTP codes with a PIN requires the user to provide the PIN each time, while the temporary password should be used.
This is already fixed on NK Storage in the same places.
from nitrokey-pro-firmware.
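The behaviour described in the comment above, as an added host-side model that is not part of the thread and is not the firmware's code. The struct, field and function names, the sample PIN and temporary password, and the one-shot authorization per GET_CODE are assumptions of this model; only the command names and the "authorize clears the temporary password" defect come from the thread.

```c
#include <stdbool.h>
#include <string.h>

#define TMP_LEN 25 /* constructed buffer size for this model */

typedef struct {
    char pin[8];             /* constructed sample PIN */
    char tmp[TMP_LEN];       /* temporary password stored at authentication */
    bool tmp_set;
    bool authorized;         /* assumed one-shot authorization for next GET_CODE */
    bool clear_on_authorize; /* true = behaviour reported in this thread */
} device_t;

/* USER_AUTHENTICATE: verify the PIN once, store the host-chosen temporary password. */
bool user_authenticate(device_t *d, const char *pin, const char *tmp) {
    if (strcmp(pin, d->pin) != 0 || strlen(tmp) >= TMP_LEN) return false;
    strcpy(d->tmp, tmp);
    d->tmp_set = true;
    return true;
}

/* USER_AUTHORIZE: present the temporary password to authorize one GET_CODE. */
bool user_authorize(device_t *d, const char *tmp) {
    if (!d->tmp_set || strcmp(tmp, d->tmp) != 0) return false;
    d->authorized = true;
    if (d->clear_on_authorize) { /* the reported defect: password wiped here */
        memset(d->tmp, 0, sizeof d->tmp);
        d->tmp_set = false;
    }
    return true;
}

/* GET_CODE: succeeds only if authorized, and consumes the authorization. */
bool get_code(device_t *d) {
    if (!d->authorized) return false;
    d->authorized = false;
    return true;
}

/* Enter the PIN once, then count how many of n code requests succeed. */
int codes_after_one_pin_entry(bool clear_on_authorize, int n) {
    device_t d = { .pin = "123456", .clear_on_authorize = clear_on_authorize };
    int ok = 0;
    if (!user_authenticate(&d, "123456", "constructed-temp-pw")) return -1;
    for (int i = 0; i < n; i++)
        if (user_authorize(&d, "constructed-temp-pw") && get_code(&d)) ok++;
    return ok;
}
```

With clear_on_authorize set, only the first request after a PIN entry succeeds; with it unset, every request authorized by the temporary password succeeds.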
The fix for this should be done together with #8 since the same code will be touched.
from nitrokey-pro-firmware.