Closed. kylerankin closed this 6 years ago
Merged, thank you!
I can include that directly in the tool, if you would like to. It would be an additional parameter to the set command.
I added you to the collaborators as well, so you could commit directly. In case a review of my changes would be desired, just let me know!
I think it probably does make more sense to add an additional parameter to the set tool that would set the initial counter on the Nitrokey. It would at least be a lot cleaner than my approach. I just needed to solve this immediate need and didn't want to add any extra work to anyone else :)
OK! Great that it works on your side :-) I assumed while writing that the TPM's counter could be set freely. We could modify it later as well, in case it would become cumbersome to rewind the counter. I think in the edge case, rewinding to 0xFFFF could take some time (65536/10*40ms ~ 5 minutes).
Normally, when one sets up the Nitrokey HOTP secret, the assumption is that the counter starts at zero. However, in the case of using a counter from a TPM, new counters are initialized at the value of the last counter plus one. This means we need to synchronize the Nitrokey counter with the TPM counter before we can use it.
This script takes advantage of the fact that the Nitrokey accepts the next ten HOTP values in a list and then sets the Nitrokey counter to that value, so the script "hops" ahead up until the point that the Nitrokey counter matches the specified counter.
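The "hopping" described above, as an added worked example that is not the script from this pull request nor code from the nitrokey-hotp-verification project. It implements RFC 4226 HOTP with the standard library and models the device behaviour the post relies on in a `SimulatedNitrokey` class (an assumption for this example: the device accepts any of the next ten codes and moves its counter to just past the one that matched). `sync_counter` then sends the furthest code the device will still accept until the device counter equals the TPM-derived target. The secret, the window width of ten and the target values are constructed here for illustration.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class SimulatedNitrokey:
    """Stand-in for the device (assumption for this example, not the real firmware).

    Behaviour modelled from the post: a code is accepted if it matches any of the
    next WINDOW counter values; on success the stored counter becomes the matched
    value plus one (the next code the device expects).
    """

    WINDOW = 10  # the "next ten HOTP values" the post refers to

    def __init__(self, secret: bytes, counter: int = 0):
        self.secret = secret
        self.counter = counter  # next expected counter; fresh setup starts at zero

    def verify(self, code: str) -> bool:
        for c in range(self.counter, self.counter + self.WINDOW):
            # constant-time comparison; a real verifier should never short-circuit on digits
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.counter = c + 1
                return True
        return False


def sync_counter(device: SimulatedNitrokey, secret: bytes, target: int) -> int:
    """Hop the device counter forward until it equals `target` (e.g. the TPM counter).

    Each hop presents the furthest counter still inside the acceptance window, so the
    device advances by at most WINDOW per verification. Returns the number of hops.
    """
    hops = 0
    while device.counter < target:
        step_to = min(device.counter + device.WINDOW - 1, target - 1)
        if not device.verify(hotp(secret, step_to)):
            # With a matching secret this cannot happen in the simulation; in practice it
            # means the host and device disagree on secret or counter and syncing must stop.
            raise RuntimeError(f"device rejected code for counter {step_to}")
        hops += 1
    return hops


if __name__ == "__main__":
    # Constructed sample values: RFC 4226 test secret and a TPM-like starting counter.
    secret = b"12345678901234567890"
    tpm_counter = 1234
    dev = SimulatedNitrokey(secret)
    hops = sync_counter(dev, secret, tpm_counter)
    print(f"synced in {hops} hops; device counter is now {dev.counter}")
    print("TPM code accepted:", dev.verify(hotp(secret, tpm_counter)))
```

The hop count is ceil(target / 10), which is what the 65536/10 estimate in the thread above assumes: rewinding to 0xFFFF needs 6554 verifications, so at roughly 40 ms each the wall-clock figure of about five minutes follows. Note that after `sync_counter` returns, the code for the target counter itself is still unused, so the first real TPM-derived code verifies and advances the device to target + 1.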