Nitrokey

Last updated
Nitrokey GmbH
TypePrivate
Industry Hardware
Founded2015
Headquarters Germany
Key people
 Jan Suhr (CEO and Founder)
Website www.nitrokey.com

Nitrokey is an open-source USB key used to enable the secure encryption and signing of data. The secret keys are always stored inside the Nitrokey which protects against malware (such as computer viruses) and attackers. A user-chosen PIN and a tamper-proof smart card protect the Nitrokey in case of loss and theft. [1] [2] The hardware and software of Nitrokey are open-source. The free software and open hardware enables independent parties to verify the security of the device. Nitrokey is supported on Microsoft Windows, macOS, Linux, and BSD. [3] [4]

Contents

History

In 2008 Jan Suhr, Rudolf Böddeker, and another friend were travelling and found themselves looking to use encrypted emails in internet cafés, which meant the secret keys had to remain secure against computer viruses. Some proprietary USB dongles existed at the time, but lacked in certain ways. Consequently, they established as an open source project - Crypto Stick [5] - in August 2008 which grew to become Nitrokey. [6] It was a spare-time project of the founders to develop a hardware solution to enable the secure usage of email encryption. The first version of the Crypto Stick was released on 27 December 2009. In late 2014, the founders decided to professionalize the project, which was renamed Nitrokey. Nitrokey's firmware was audited by German cybersecurity firm Cure53 in May 2015, [7] and its hardware was audited by the same company in August 2015. [8] The first four Nitrokey models became available on 18 September 2015.

Technical features

Several Nitrokey models exist which each support different standards. For reference S/MIME is an email encryption standard popular with businesses while OpenPGP can be used to encrypt emails and also certificates used to login to servers with OpenVPN or OpenSSH. [9] One-time passwords are similar to TANs and used as a secondary security measure in addition to ordinary passwords. Nitrokey supports the HMAC-based One-time Password Algorithm (HOTP, RFC 4226) and Time-based One-time Password Algorithm (TOTP, RFC 6238), which are compatible with Google Authenticator.

Nitrokey 3Nitrokey Storage 2Nitrokey Pro 2 [10] Nitrokey Start [11] Nitrokey HSM 2 [12] Nitrokey FIDO2 [13]
U2F/FIDO2 YesNoNoNoNoYes
One-time passwords YesYesYesNoNoNo
S/MIME YesYesYesYesYesNo
OpenPGP YesYesYesYesNoNo

The Nitrokey Storage product has the same features as the Nitrokey Pro 2 and additionally contains an encrypted mass storage. [14]

Characteristics

Nitrokey's devices store secret keys internally. As with earlier technologies including the trusted platform module they are not readable on demand. This reduces the likelihood of a private key being accidentally leaked which is a risk with software-based public key cryptograhpy. The keys stored in this way are also not known to the manufacturer. Supported algorithms include AES-256 and RSA with key lengths of up to 2048 bits or 4096 bits depending on the model.

For accounts that accept Nitrokey credentials, a user-chosen PIN can be used to protect these against unauthorized access in case of loss or theft. However, loss of or damage to a Nitrokey (which is designed to last for 5-10 years) can also prevent the key's owner from being able to access his or her accounts. To guard against this, it is possible to generate keys in software so that they may be securely backed up to the best of the user's ability before they undergo a one-way transfer to the secure storage of a Nitrokey. [15]

Nitrokey is published as open source software and free software which ensures a wide range of cross platform support including Microsoft Windows, macOS, Linux, and BSD. It is designed to be usable with popular software such as Microsoft Outlook, Mozilla Thunderbird, and OpenSSH. It is also open hardware [16] to enable independent reviews of the source code and hardware layout and to ensure the absence of back doors and other security flaws. [17]

Philosophy

Nitrokey's developers believe that proprietary systems cannot provide strong security and that security systems need to be open source. For instance there have been cases in which the NSA has intercepted security devices being shipped and implanted backdoors into them. In 2011 RSA was hacked and secret keys of securID tokens were stolen which allowed hackers to circumvent their authentication. [18] As revealed in 2010, many FIPS 140-2 Level 2 certified USB storage devices from various manufacturers could easily be cracked by using a default password. [19] Nitrokey, because of being open source and because of its transparency, wants to provide highly secure system and avoid security issues which its proprietary rivals are facing. Nitrokey's mission is to provide the best open source security key to protect the digital lives of its users. [20]

Related Research Articles

Pretty Good Privacy (PGP) is an encryption program that provides cryptographic privacy and authentication for data communication. PGP is used for signing, encrypting, and decrypting texts, e-mails, files, directories, and whole disk partitions and to increase the security of e-mail communications. Phil Zimmermann developed PGP in 1991.

Key management refers to management of cryptographic keys in a cryptosystem. This includes dealing with the generation, exchange, storage, use, crypto-shredding (destruction) and replacement of keys. It includes cryptographic protocol design, key servers, user procedures, and other relevant protocols.

<span class="mw-page-title-main">Security token</span> Device used to access electronically restricted resource

A security token is a peripheral device used to gain access to an electronically restricted resource. The token is used in addition to, or in place of, a password. It acts like an electronic key to access something. Examples of security tokens include wireless keycards used to open locked doors, or a banking token used as a digital authenticator for signing in to online banking, or signing a transaction such as a wire transfer.

The security of cryptographic systems depends on some secret data that is known to authorized persons but unknown and unpredictable to others. To achieve this unpredictability, some randomization is typically employed. Modern cryptographic protocols often require frequent generation of random quantities. Cryptographic attacks that subvert or exploit weaknesses in this process are known as random number generator attacks.

<span class="mw-page-title-main">Trusted Platform Module</span> Standard for secure cryptoprocessors

Trusted Platform Module is an international standard for a secure cryptoprocessor, a dedicated microcontroller designed to secure hardware through integrated cryptographic keys. The term can also refer to a chip conforming to the standard.

In Microsoft Windows, a Cryptographic Service Provider (CSP) is a software library that implements the Microsoft CryptoAPI (CAPI). CSPs implement encoding and decoding functions, which computer application programs may use, for example, to implement strong user authentication or for secure email.

<span class="mw-page-title-main">Hardware security module</span> Physical computing device

A hardware security module (HSM) is a physical computing device that safeguards and manages secrets, performs encryption and decryption functions for digital signatures, strong authentication and other cryptographic functions. These modules traditionally come in the form of a plug-in card or an external device that attaches directly to a computer or network server. A hardware security module contains one or more secure cryptoprocessor chips.

<span class="mw-page-title-main">Network Security Services</span> Collection of cryptographic computer libraries

Network Security Services (NSS) is a collection of cryptographic computer libraries designed to support cross-platform development of security-enabled client and server applications with optional support for hardware TLS/SSL acceleration on the server side and hardware smart cards on the client side. NSS provides a complete open-source implementation of cryptographic libraries supporting Transport Layer Security (TLS) / Secure Sockets Layer (SSL) and S/MIME. NSS releases prior to version 3.14 are tri-licensed under the Mozilla Public License 1.1, the GNU General Public License, and the GNU Lesser General Public License. Since release 3.14, NSS releases are licensed under GPL-compatible Mozilla Public License 2.0.

This is a technical feature comparison of different disk encryption software.

In cryptography, a key ceremony is a ceremony held to generate or use a cryptographic key.

In computer security, a cold boot attack is a type of side channel attack in which an attacker with physical access to a computer performs a memory dump of a computer's random-access memory (RAM) by performing a hard reset of the target machine. Typically, cold boot attacks are used for retrieving encryption keys from a running operating system for malicious or criminal investigative reasons. The attack relies on the data remanence property of DRAM and SRAM to retrieve memory contents that remain readable in the seconds to minutes following a power switch-off.

Hardware-based full disk encryption (FDE) is available from many hard disk drive (HDD/SSD) vendors, including: ClevX, Hitachi, Integral Memory, iStorage Limited, Micron, Seagate Technology, Samsung, Toshiba, Viasat UK, Western Digital. The symmetric encryption key is maintained independently from the computer's CPU, thus allowing the complete data store to be encrypted and removing computer memory as a potential attack vector.

Secure USB flash drives protect the data stored on them from access by unauthorized users. USB flash drive products have been on the market since 2000, and their use is increasing exponentially. As both consumers and businesses have increased demand for these drives, manufacturers are producing faster devices with greater data storage capacities.

wolfSSL is a small, portable, embedded SSL/TLS library targeted for use by embedded systems developers. It is an open source implementation of TLS written in the C programming language. It includes SSL/TLS client libraries and an SSL/TLS server implementation as well as support for multiple APIs, including those defined by SSL and TLS. wolfSSL also includes an OpenSSL compatibility interface with the most commonly used OpenSSL functions.

The OpenBSD Cryptographic Framework (OCF) is a service virtualization layer for the uniform management of cryptographic hardware by an operating system. It is part of the OpenBSD Project, having been included in the operating system since OpenBSD 2.8. Like other OpenBSD projects such as OpenSSH, it has been ported to other systems based on Berkeley Unix such as FreeBSD and NetBSD, and to Solaris and Linux. One of the Linux ports is supported by Intel for use with its proprietary cryptographic software and hardware to provide hardware-accelerated SSL encryption for the open source Apache HTTP Server.

<span class="mw-page-title-main">YubiKey</span> Hardware authentication device supporting MFA

The YubiKey is a hardware authentication device manufactured by Yubico to protect access to computers, networks, and online services that supports one-time passwords (OTP), public-key cryptography, and authentication, and the Universal 2nd Factor (U2F) and FIDO2 protocols developed by the FIDO Alliance. It allows users to securely log into their accounts by emitting one-time passwords or using a FIDO-based public/private key pair generated by the device. YubiKey also allows for storing static passwords for use at sites that do not support one-time passwords. Google, Amazon, Microsoft, Twitter, and Facebook use YubiKey devices to secure employee accounts as well as end user accounts. Some password managers support YubiKey. Yubico also manufactures the Security Key, a similar lower cost device with only FIDO2/WebAuthn and FIDO/U2F support.

Cure53 is a German cybersecurity firm. The company was founded by Dr. Mario Heiderich, a client side security researcher.

<span class="mw-page-title-main">Librem</span> Computer line by Purism featuring free software

Librem is a line of computers manufactured by Purism, SPC featuring free (libre) software. The laptop line is designed to protect privacy and freedom by providing no non-free (proprietary) software in the operating system or kernel, avoiding the Intel Active Management Technology, and gradually freeing and securing firmware. Librem laptops feature hardware kill switches for the microphone, webcam, Bluetooth and Wi-Fi.

<span class="mw-page-title-main">Mailvelope</span> Browser extension for OpenPGP encryption with webmail services

Mailvelope is free software for end-to-end encryption of email traffic inside of a web browser that integrates itself into existing webmail applications. It can be used to encrypt and sign electronic messages, including attached files, without the use of a separate, native email client using the OpenPGP standard.

<span class="mw-page-title-main">Bitwarden</span> Open-source password manager

Bitwarden is a freemium open-source password management service that stores sensitive information such as website credentials in an encrypted vault. The platform offers a variety of client applications including a web interface, desktop applications, browser extensions, mobile apps, and a command-line interface. Bitwarden offers a free US or European cloud-hosted service as well as the ability to self-host.

References

  1. "Nitrokey | Secure your digital life". www.nitrokey.com. Retrieved 2016-01-07.
  2. "Introduction | Nitrokey". www.nitrokey.com. Retrieved 2016-01-07.
  3. "Krypto-Stick verschlüsselt Mails und Daten". c‘t Magazin für Computer und Technik. Retrieved 2016-05-31.
  4. "Krypto-Multitool". c‘t Magazin für Computer und Technik. Retrieved 2016-10-31.
  5. "Der mit Open-Source-Methoden entwickelte Crypto-USB-Stick". Linux-Magazin. Retrieved 2016-01-15.
  6. "GnuPG-SmartCard und den CryptoStick". Privacy-Handbuch. Retrieved 2016-01-15.
  7. Heiderich, Mario; Horn, Jann; Krein, Nikolai (May 2015). "Pentest-Report Nitrokey Storage Firmware 05.2015" (PDF). Cure53. Retrieved 15 February 2016.
  8. Nedospasov, Dmitry; Heiderich, Mario (August 2015). "Pentest-Report Nitrokey Storage Hardware 08.2015" (PDF). Cure53. Retrieved 15 February 2016.
  9. "How to secure your Linux environment with Nitrokey USB smart card". Xmodulo. Retrieved 2016-01-15.
  10. "Nitrokey Pro". Nitrokey Pro Shop. Retrieved 2018-06-29.
  11. "Nitrokey Start". Nitrokey Start Shop. Retrieved 2018-06-29.
  12. "Nitrokey HSM". Nitrokey HSM Shop. Retrieved 2018-06-29.
  13. "Nitrokey FIDO2". Nitrokey FIDO2 Shop. Retrieved 2020-01-02.
  14. "Nitrokey Storage: USB Security Key for Encryption". Indiegogo. Retrieved 2016-01-15.
  15. Thomas Ekström Hansen (2021-07-28). "Recovering from a broken smartcard". St Andrews University. Retrieved 2023-09-30.
  16. "Nitrokey". GitHub. Retrieved 2016-01-15.
  17. "Nitrokey Storage Firmware and Hardware Security Audits". Open Technology Fund. Retrieved 2016-01-15.
  18. "RSA Break-In Leaves SecurID Users Sweating Bullets | Security | TechNewsWorld". www.technewsworld.com. Retrieved 2016-01-07.
  19. "FIPS 140-2 Level 2 Certified USB Memory Stick Cracked - Schneier on Security". www.schneier.com. Retrieved 2016-01-07.
  20. "Using CryptoStick as an HSM". Mozilla Security Blog. Retrieved 2016-01-07.
This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.