Nitrokey Explained

Nitrokey GmbH
Type:Private
Foundation:2015
Location:Germany
Key People:Jan Suhr (CEO and Founder)
Industry:Hardware

Nitrokey is an open-source USB key used to enable the secure encryption and signing of data. The secret keys are always stored inside the Nitrokey which protects against malware (such as computer viruses) and attackers. A user-chosen PIN and a tamper-proof smart card protect the Nitrokey in case of loss and theft.[1] [2] The hardware and software of Nitrokey are open-source. The free software and open hardware enables independent parties to verify the security of the device. Nitrokey is supported on Microsoft Windows, macOS, Linux, and BSD.[3] [4]

History

In 2008 Jan Suhr, Rudolf Böddeker, and another friend were travelling and found themselves looking to use encrypted emails in internet cafés, which meant the secret keys had to remain secure against computer viruses. Some proprietary USB dongles existed at the time, but lacked in certain ways. Consequently, they established as an open source project - Crypto Stick[5] - in August 2008 which grew to become Nitrokey.[6] It was a spare-time project of the founders to develop a hardware solution to enable the secure usage of email encryption. The first version of the Crypto Stick was released on 27 December 2009. In late 2014, the founders decided to professionalize the project, which was renamed Nitrokey. Nitrokey's firmware was audited by German cybersecurity firm Cure53 in May 2015,[7] and its hardware was audited by the same company in August 2015.[8] The first four Nitrokey models became available on 18 September 2015.

Technical features

Several Nitrokey models exist which each support different standards. For reference S/MIME is an email encryption standard popular with businesses while OpenPGP can be used to encrypt emails and also certificates used to login to servers with OpenVPN or OpenSSH.[9] One-time passwords are similar to TANs and used as a secondary security measure in addition to ordinary passwords. Nitrokey supports the HMAC-based One-time Password Algorithm (HOTP, RFC 4226) and Time-based One-time Password Algorithm (TOTP, RFC 6238), which are compatible with Google Authenticator.

Nitrokey 3Nitrokey Storage 2Nitrokey Pro 2[10] Nitrokey Start[11] Nitrokey HSM 2[12] Nitrokey FIDO2[13]
U2F/FIDO2
One-time passwords
S/MIME
OpenPGP

The Nitrokey Storage product has the same features as the Nitrokey Pro 2 and additionally contains an encrypted mass storage.[14]

Characteristics

Nitrokey's devices store secret keys internally. As with earlier technologies including the trusted platform module they are not readable on demand. This reduces the likelihood of a private key being accidentally leaked which is a risk with software-based public key cryptography. The keys stored in this way are also not known to the manufacturer. Supported algorithms include AES-256 and RSA with key lengths of up to 2048 bits or 4096 bits depending on the model.

For accounts that accept Nitrokey credentials, a user-chosen PIN can be used to protect these against unauthorized access in case of loss or theft. However, loss of or damage to a Nitrokey (which is designed to last for 5-10 years) can also prevent the key's owner from being able to access his or her accounts. To guard against this, it is possible to generate keys in software so that they may be securely backed up to the best of the user's ability before they undergo a one-way transfer to the secure storage of a Nitrokey.[15]

Nitrokey is published as open source software and free software which ensures a wide range of cross platform support including Microsoft Windows, macOS, Linux, and BSD. It is designed to be usable with popular software such as Microsoft Outlook, Mozilla Thunderbird, and OpenSSH. It is also open hardware[16] to enable independent reviews of the source code and hardware layout and to ensure the absence of back doors and other security flaws.[17]

Philosophy

Nitrokey's developers believe that proprietary systems cannot provide strong security and that security systems need to be open source. For instance there have been cases in which the NSA has intercepted security devices being shipped and implanted backdoors into them. In 2011 RSA was hacked and secret keys of securID tokens were stolen which allowed hackers to circumvent their authentication.[18] As revealed in 2010, many FIPS 140-2 Level 2 certified USB storage devices from various manufacturers could easily be cracked by using a default password.[19] Nitrokey, because of being open source and because of its transparency, wants to provide highly secure system and avoid security issues which its proprietary rivals are facing. Nitrokey's mission is to provide the best open source security key to protect the digital lives of its users.[20]

Notes and References

  1. Web site: Nitrokey Secure your digital life. www.nitrokey.com. 2016-01-07.
  2. Web site: Introduction Nitrokey. www.nitrokey.com. 2016-01-07.
  3. Web site: Krypto-Stick verschlüsselt Mails und Daten. c‘t Magazin für Computer und Technik.. 2016-05-31.
  4. Web site: Krypto-Multitool. c‘t Magazin für Computer und Technik.. 2016-10-31.
  5. Web site: Der mit Open-Source-Methoden entwickelte Crypto-USB-Stick. Linux-Magazin. 2016-01-15.
  6. Web site: GnuPG-SmartCard und den CryptoStick. Privacy-Handbuch. 2016-01-15.
  7. Web site: Heiderich. Mario. Horn. Jann. Krein. Nikolai. Pentest-Report Nitrokey Storage Firmware 05.2015. Cure53. 15 February 2016. May 2015.
  8. Web site: Nedospasov. Dmitry. Heiderich. Mario. Pentest-Report Nitrokey Storage Hardware 08.2015. Cure53. 15 February 2016. August 2015.
  9. Web site: How to secure your Linux environment with Nitrokey USB smart card. Xmodulo. 2016-01-15.
  10. Web site: Nitrokey Pro. Nitrokey Pro Shop. 2018-06-29.
  11. Web site: Nitrokey Start. Nitrokey Start Shop. 2018-06-29.
  12. Web site: Nitrokey HSM. Nitrokey HSM Shop. 2018-06-29.
  13. Web site: Nitrokey FIDO2. Nitrokey FIDO2 Shop. 2020-01-02.
  14. Web site: Nitrokey Storage: USB Security Key for Encryption. Indiegogo. 2016-01-15.
  15. Web site: Recovering from a broken smartcard. Thomas Ekström Hansen. St Andrews University. 2021-07-28. 2023-09-30.
  16. Web site: Nitrokey. GitHub. 2016-01-15.
  17. Web site: Nitrokey Storage Firmware and Hardware Security Audits. Open Technology Fund. 2016-01-15.
  18. Web site: RSA Break-In Leaves SecurID Users Sweating Bullets Security TechNewsWorld. www.technewsworld.com. 18 March 2011 . 2016-01-07.
  19. Web site: FIPS 140-2 Level 2 Certified USB Memory Stick Cracked - Schneier on Security. www.schneier.com. 2016-01-07.
  20. Web site: Using CryptoStick as an HSM. Mozilla Security Blog. 13 February 2013 . 2016-01-07.