KDF-DO Configuration
Introduction
KDF-DO stands for Key Derived Function - Data Object. With this data object the card informs clients that it supports derived keys (for details see section 4.3.2 of the OpenPGP Smart Card 3.4 specification). The benefit of using derived keys is that, instead of transmitting passwords in clear text, only hashes are transmitted to the card, and therefore only hashes are stored on the card. Since a derived key is longer than the original password, a brute-force attack is also harder to run successfully.
Note
At the moment the KDF-DO can only be set while the Nitrokey Start is empty (right after a factory reset).
Steps to Configure KDF-DO
1. Run a factory reset
2. Configure the KDF-DO using GnuPG
3. Change the Admin PIN (optional; without keys only the Admin PIN can be changed)
4. Import / generate keys
5. Change the user and admin PINs
KDF-DO Configuration using GnuPG
Run:

```
gpg2 --card-edit
gpg/card> admin
gpg/card> kdf-setup
```

Enter the Admin PIN.
Verify the current state by looking at the card details (`gpg2 --card-status`), where `KDF setting ......: on` should be visible, e.g.:

```
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 3 3
Signature counter : 0
KDF setting ......: on
Signature key ....: [none]
```
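As an added illustration of the mechanism described in the introduction and switched on by `kdf-setup` above (example code, not from this page, Nitrokey or GnuPG): the host derives a 32-byte value from each PIN with the iterated salted S2K over SHA-256 and writes only the parameters and those derived values into the KDF-DO, so the card never receives or stores the PIN itself. The field tags are my reading of spec section 4.3.2, and the salts, iteration count and PINs are a constructed sample.

```python
import hashlib
import struct

# KDF-DO (tag F9) fields as I read OpenPGP Smart Card spec 3.4, 4.3.2 (assumed):
# 81 KDF algo, 82 hash algo, 83 count, 84/86 user/admin salt, 87/88 PIN hashes.
KDF_ALGO_ITERSALTED_S2K = 0x03
HASH_SHA256 = 0x08               # OpenPGP hash algorithm id for SHA-256

def itersalted_s2k(passphrase: bytes, salt: bytes, count: int) -> bytes:
    """RFC 4880 iterated+salted S2K: SHA-256 over salt||passphrase repeated
    until `count` bytes have been hashed."""
    data = salt + passphrase
    count = max(count, len(data))        # at least one full copy is hashed
    h = hashlib.sha256()
    full, rem = divmod(count, len(data))
    for _ in range(full):
        h.update(data)
    h.update(data[:rem])
    return h.digest()

def build_kdf_do(user_pin: bytes, admin_pin: bytes, user_salt: bytes,
                 admin_salt: bytes, count: int) -> bytes:
    """Body written at kdf-setup: only 32-byte derived values, never the PINs."""
    body = bytes([0x81, 1, KDF_ALGO_ITERSALTED_S2K, 0x82, 1, HASH_SHA256,
                  0x83, 4]) + struct.pack(">I", count)
    body += bytes([0x84, 8]) + user_salt + bytes([0x86, 8]) + admin_salt
    body += bytes([0x87, 32]) + itersalted_s2k(user_pin, user_salt, count)
    body += bytes([0x88, 32]) + itersalted_s2k(admin_pin, admin_salt, count)
    return body

def parse_kdf_do(body: bytes) -> dict:
    """Split the TLV list (one-byte tag, one-byte length) into fields."""
    fields, i = {}, 0
    while i < len(body):
        tag, length = body[i], body[i + 1]
        fields[tag] = body[i + 2:i + 2 + length]
        i += 2 + length
    return fields

def verify_user_pin(body: bytes, pin: bytes) -> bool:
    """Card-side check mirrored on the host: derived value vs stored hash 87."""
    f = parse_kdf_do(body)
    if f[0x81] != bytes([KDF_ALGO_ITERSALTED_S2K]) or f[0x82] != bytes([HASH_SHA256]):
        raise ValueError("unsupported KDF-DO parameters")
    count = struct.unpack(">I", f[0x83])[0]
    return itersalted_s2k(pin, f[0x84], count) == f[0x87]

def sample_kdf_do() -> bytes:       # constructed sample: PINs 123456 / 12345678
    return build_kdf_do(b"123456", b"12345678", bytes(range(1, 9)),
                        bytes(range(9, 17)), 65536)
```

Note that a six-digit PIN becomes a 32-byte value before it leaves the host, which is the property the introduction relies on.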
Tested with
- gpg (GnuPG) 2.2.20 / 2.2.25
- Nitrokey Start RTM.10
- Curve 25519 keys