Royce Williams roycewilliams

(reproduced from an email I received 2025-09-06 1:03AM AKT)

(Nitrokey Logo)

Nitrokeys Offer Investment Security Without Infineon's Security Vulnerability

Recently, a significant security vulnerability in Infineon security chips was made public. Nitrokeys do not contain Infineon chips and are therefore not affected by this security vulnerability! Nevertheless, this incident holds interesting lessons for Nitrokey and our customers. In a nutshell: Security certifications are overrated and open source offers advantages over them. Nitrokeys offer a high level of investment security thanks to firmware updates. More on this below.

What has happened?

(mirror snapshot of: https://infosec.exchange/@tychotithonus/111924626712765292)

summary: new DNSSEC validation DoS vulnerabilities CVE-2023-50387 ("KeyTrap"), CVE-2023-50868 (NSEC3 vuln)

(living doc, updated regularly - if you prefer a low-edit post to boost, use https://infosec.exchange/@tychotithonus/111926621712441626)

Looks like DNS-OARC coordinated fixes in advance, but I don't see a centralized analysis, other than this announcement from the team who discovered KeyTrap: https://www.athene-center.de/en/news/press/key-trap ... and their technical paper: https://www.athene-center.de/fileadmin/content/PDF/Technical_Report_KeyTrap.pdf

	# hashcat rule to only insert non-contiguous dots/periods
	# Created 2024-04-13 by TychoTithonus (Royce Williams)
	# Source:
	:
	i1.
	i2.
	i2.i1.
	i3.
	i3.i1.

	#!/usr/bin/python
	# -- coding: utf-8 --
	#
	# Copyright 2017, Francesco "dfirfpi" Picasso <francesco.picasso@gmail.com>
	#
	# Licensed under the Apache License, Version 2.0 (the "License");
	# you may not use this file except in compliance with the License.
	# You may obtain a copy of the License at
	#
	# http://www.apache.org/licenses/LICENSE-2.0

	# 10,000 iterations of SHA256 hash of an "empty" password (zero-length string).
	# Generated with: echo "" \| mdxfind -h '^SHA256$' -i 10000 -z -f /dev/null stdin
	# MDXfind version: $Header: /home/dlr/src/mdfind/RCS/mdxfind.c,v 1.120 2024/01/22 20:41:23 dlr Exp dlr $
	# Source: https://gist.github.com/roycewilliams/35a015f3914541ce829e2718dd4af871
	SHA256x01 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855:
	SHA256x02 cd372fb85148700fa88095e3492d3f9f5beb43e555e5ff26d95f5a6adc36f8e6:
	SHA256x03 e67e72111b363d80c8124d28193926000980e1211c7986cacbd26aacc5528d48:
	SHA256x04 f7d062d662826ed95869851db06bb539b402047baee53a00e0aa35bfbe98265d:
	SHA256x05 2a132dbfe4784627b86aa3807cd19cfeff487aab3dd7a60d0ab119a72e736936:
	SHA256x06 bdca9e8dbca354e824e67bfe1533fa4a238b9ea832f23fb4271ebeb3a5a8f720:

	# 10,000 iterations of SHA1 hash of an "empty" password (zero-length string).
	# Generated with: echo "" \| mdxfind -h '^SHA1$' -i 10000 -z -f /dev/null stdin
	# MDXfind version: $Header: /home/dlr/src/mdfind/RCS/mdxfind.c,v 1.120 2024/01/22 20:41:23 dlr Exp dlr $
	# Source: https://gist.github.com/roycewilliams/2b071bb9f6f73d0968583de3509d9525
	SHA1x01 da39a3ee5e6b4b0d3255bfef95601890afd80709:
	SHA1x02 10a34637ad661d98ba3344717656fcc76209c2f8:
	SHA1x03 3e6c06b1a28a035e21aa0a736ef80afadc43122c:
	SHA1x04 3c7435cfd4e31b9be3991041c9a4f8292b752e5b:
	SHA1x05 63027d7630360e4203c0e3f970ec2ffcfe5f8f1b:
	SHA1x06 ecc1978dca2e31d10751ede8d8753f1cbded832e:

	# 10,000 iterations of MD5 hash of an "empty" password (zero-length string).
	# Generated with: echo "" \| mdxfind -h '^MD5$' -i 10000 -z -f /dev/null stdin
	# MDXfind version: $Header: /home/dlr/src/mdfind/RCS/mdxfind.c,v 1.120 2024/01/22 20:41:23 dlr Exp dlr $
	# Source: https://gist.github.com/roycewilliams/bcb1b6b59f107c228bd4eca72862044d
	MD5x01 d41d8cd98f00b204e9800998ecf8427e:
	MD5x02 74be16979710d4c4e7c6647856088456:
	MD5x03 acf7ef943fdeb3cbfed8dd0d8f584731:
	MD5x04 5a8dccb220de5c6775c873ead6ff2e43:
	MD5x05 76682f743ae018364a082b2e87f2d2f5:
	MD5x06 0f62265227df1b6d6deec36ab4bc5e76:

	# Various hashes of an "empty" password (zero-length string).
	# Generated with: echo "" \| mdxfind -h ALL -h '!salt' -z -f /dev/null stdin
	# MDXfind version: $Header: /home/dlr/src/mdfind/RCS/mdxfind.c,v 1.120 2024/01/22 20:41:23 dlr Exp dlr $
	# Source: https://gist.github.com/roycewilliams/845c6105ef359976e1e884260aeda7aa
	BLAKE224x01 7dc5313b1c04512a174bd6503b89607aecbee0903d40a8a569c94eed:
	BLAKE256x01 716f6e863f744b9ac22c97ec7b76ea5f5908bc5b2f67c61510bfc4751384ea7a:
	BLAKE384x01 c6cbd89c926ab525c242e6621f2f5fa73aa4afe3d9e24aed727faaadd6af38b620bdb623dd2b4788b1c8086984af8706:
	BLAKE512x01 a8cfbbd73726062df0c6864dda65defe58ef0cc52a5625090fa17601e1eecd1b628e94f396ae402a00acc9eab77b4d4c2e852aaaa25a636d80af3fc7913ef5b8:
	BMW224x01 e57c183da7e2cd3e90258ca04499b222420f9b6797bbab131b4d286e:
	BMW256x01 82cac4bf6f4c2b41fbcc0e0984e9d8b76d7662f8e1789cdfbd85682acc55577a:

	{
	"_comment1": "Tycho Mastodon filter: Temperatures",
	"_comment2": "as of 2023-09-11",
	"_comment3": "https://gist.github.com/roycewilliams/86d110141d45439fa7b9da5ae2445219",
	"_comment4": "Note: leading and trailing spaces in keywords are usually deliberate",

	"context": [
	"home",
	"public"
	],

	{
	"_comment1": "Tycho Mastodon filter: Weather",
	"_comment2": "as of 2023-09-11",
	"_comment3": "https://gist.github.com/roycewilliams/ca24a766bede8a185264734e99668a01",
	"_comment4": "Note: leading and trailing spaces in keywords are usually deliberate",

	"context": [
	"home",
	"public"
	],