Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Default values for optional security configurations? #26

Open
sosthene-nitrokey opened this issue Jul 27, 2022 · 0 comments
Open

Default values for optional security configurations? #26

sosthene-nitrokey opened this issue Jul 27, 2022 · 0 comments
Labels
enhancement New feature or request
Milestone
v1.0.0

Comments

@sosthene-nitrokey
Copy link
Collaborator

Some optional security configurations are by default not on the most secure setting:

  • KDF-DO is off by default
  • All UIF (require button press for Sign/Dec/Aut) are off by default.

Given that these features improve the security of the user but are not very discoverable (and even if a user becomes aware of KDF-DO, it can only be set when no keys are stored on the device), should we consider setting default values for these? I'm thinking unique randomly generated salts for KDF-DO for each device and UIF to enabled for all. KDF-DO would be especially great as it prevents leaking the length of the PIN with CHANGE REFERENCE DATA
@robin-nitrokey robin-nitrokey changed the title Default values for optionnal security configurations? Default values for optional security configurations? Jul 28, 2022
@robin-nitrokey robin-nitrokey added the enhancement New feature or request label Jul 28, 2022
@robin-nitrokey robin-nitrokey added this to the v1.0.0 milestone Jul 28, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement New feature or request
Projects
None yet
Milestone
v1.0.0
Development

No branches or pull requests
2 participants
@robin-nitrokey @sosthene-nitrokey