Hector Martin

(I don't know if newer YubiKeys do this, because they're a black box. This is part of the problem.)

Wrapping keys with a low entropy secret as a PIN does not bring much security. If you can get the wrapped key, it's game over! TBH, I don't know well Yubikey products. But maybe they go through 3rd party audit and cert...

"PIN" in PGP-card terminology means passphrase. It's not just 4 digits, it's up to 127 ASCII characters. It absolutely is not "low entropy" and beyond a certain length would certainly be uncrackable if implemented properly.

FWIW, our keys do go through 3rd party audits for security (code, side channel) as well as for certification (FIPS).

And I am not sure how effective wrapping really is. The secure element has very low compute performance as it needs to operate with just NFC power. Today brute force attacks run on huge farms of cheap AWS spot instances and even long PINs/Passwords offer little protection.

I'm sorry, you work for Yubico and you can't calculate entropy? "Even long PINs offer little protection" is BS. Past a certain point, even with minimal or no key stretching, you are not brute forcing things. Ever.

Of course, a completely random 256 bit entropy pass phrase you are fine. Most users though will pick much less. The real problem is that brute force attacks have gotten very cheap.

Quick napkin math: A GPU can do ~2^32 hashes/s or ~2^44 hashes/h. A spot g3s.xlarge on AWS goes for 40 cents/h. Let's assume I have a $400k budget (if I steal a key and compromise the secure element, I probably have that). This means I can factor 2^64 bits of entropy.