This is a text-only version of the following page on https://raymii.org: --- Title : Three new NitroKeys! Nitrokey Pro 2, Storage 2 and a FIDO-U2F Nitrokey Author : Remy van Elst Date : 08-11-2018 URL : https://raymii.org/s/tutorials/Three_New_Nitrokeys_Pro_2_Storage_2_and_Fido_u2f.html Format : Markdown/HTML --- ![][1] Last week I received several newsletters from Nitrokey. As you might know, I'm a fan of their (mostly open source) hardware security devices. I've written articles on the [NitroKey HSM][2] (even on [extracting private key material][3]), on the [NitroKey Start][4] and some [firmware][5] [update][6] guides. Their newsletters introduced two new keys, the Nitrokey Pro 2 and the Nitrokey FIDO-U2F key. On their website I also saw the Nitrokey Storage Pro 2. This article is a summary of the newsletters and goes over the new features in the new hardware. It boils down to a new OpenPGP smartcard version (3.3, it was 2.1) in the Nitrokey Pro 2 and Storage 2. The FIDO-U2F device is an entirely new Nitrokey (with a button). <p class="ad"> <b>Recently I removed all Google Ads from this site due to their invasive tracking, as well as Google Analytics. Please, if you found this content useful, consider a small donation using any of the options below:</b><br><br> <a href="https://leafnode.nl">I'm developing an open source monitoring app called Leaf Node Monitoring, for windows, linux & android. Go check it out!</a><br><br> <a href="https://github.com/sponsors/RaymiiOrg/">Consider sponsoring me on Github. It means the world to me if you show your appreciation and you'll help pay the server costs.</a><br><br> <a href="https://www.digitalocean.com/?refcode=7435ae6b8212">You can also sponsor me by getting a Digital Ocean VPS. With this referral link you'll get $100 credit for 60 days. </a><br><br> </p> I recommend you get a Nitrokey. The [open hardware and mostly open software][8] part is what I like the most, next to the pricing and their support. I've been in contact with the company a few times, both with the CEO Jan and a developer Szczepan. That guy is active on the Gnuk mailing list and does, as far as I can tell, most of their embedded development. If you ask me if I prefer a Nitrokey over a yubikey, then I would choose the Nitrokey. The yubikey is closed source all together, relying on their infrastructure in the default (otp) mode. The nitrokey gives you more freedom. The nitrokey is a full USB A plug as well, where as the yubikey is half, or in the USB slot all together. So, the Nitrokey is more durable. In the past I got hardware sponsored from Nitrokey. Not for this article. ### What are Nitrokeys? NitroKey creates hardware security tokens. The Nitrokey Pro is a OpenPGP smartcard in a USB stick with a companion application. It allows you to securely store your GPG key, among other things. The Nitrokey HSM is a hardware security module. It is also a smartcard in a USB key, but this time it utilizes different firmware to present itself as a [Smartcard-HSM][9], using PKCS-11 (cryptoki) as the protocol. The Nitrokey Start is a soft-token (meaning no smartcard). It uses the [gnuk][10] firmware to also be a OpenPGP-token. That hardware and software is fully open source, the Pro and HSM are up until the smartcard software. The Nitrokey storage is a Nitrokey Pro with USB storage that is encrypted (by the smartcard). I haven't used a Nitrokey Storage, so no experience with that. ### Nitrokey Pro 2 The feature most exciting in this new hardware version is ECC support. Copying from their newsletter, all the new features: #### Support of elliptic curve cryptography (ECC) > > In addition to RSA (2048-4096 bit), Nitrokey Pro 2 supports elliptic curve cryptography (ECC. Brainpool and NIST). Because RSA-2048 is not considered [safe for use beyond 2022][11], ECC is becoming increasingly important as a fast and secure alternative. [See instructions][12]. This feature requires the new Nitrokey Pro 2 hardware and cannot be installed by upgrading the firmware. Editors addition: the ECC key length is between 256 and 512 bit. Bernstein's Curve 25519 is not supported do to lack of support in the smartcard. The [Nitrokey start does support 25519][13]. #### Improved keystore support for Windows > > It is now possible to [roll out company certificates via Active Directory][12] on Windows devices. These certificates can be used for Windows logon and for e-mail encryption using S/MIME. In addition, OpenPGP and S/MIME email encryption can be easily used in parallel on a single Nitrokey Pro 2. This feature requires the new Nitrokey Pro 2 hardware and cannot be installed by upgrading the firmware. #### Integrity verification of Purism laptops > > The Nitrokey Pro 2 can be used as a part of the tamper-evident boot protection which Purism integrates into their Librem Linux laptops. [Read more][12]. #### Hardware differences? Reading through the [forum][14], the exact hardware change is a new version of the OpenPGP smartcard (namely, version 3). On the [gnupg site][15] you can download the [specification for 3.3][16] as well as the [specification for 2.2][17]. Major difference is support for ECC crypto, as is reflected in the new nitrokey. #### GnuPG version An important note is that you do need a recent version of Gnupg (> 2.1.16). The version with Ubuntu 16.04 or 16.10 will not work and you manually need to upgrade it. Either by installing newer packages (not recommended) or by compiling the newer version of GnuPG yourself. You could also update your entire distro to at least 18.04. More information and getting started with ECC can be found [here][12] ### Nitrokey Storage 2 This was the first of the new hardware, available since June as far as I can see. Since the NitroKey Storage is based on the Nitrokey pro (it is an OpenPGP card), the above new features (ECC support and Active Directory integration) are new in the hardware of the Storage 2 as well. (The storage 2 also has an OpenPGP 3 smartcard). The nitrokey storage has an extra SD card which houses the encrypted storage part, whereas the Smartcard does the encryption of said storage. You can read [more in the manual][18] on how the exact storage encryption works. The new features exclusive to the Nitrokey Storage are, as you might expect, related to it's storage functions. In addition to what I listed above, here are the new features for the Storage 2: #### Manual initialization of the storage is not necessary > > On delivery, the device's storage is already initialized with random numbers and an encrypted partition is set up. This eliminates manual setup and Nitrokey Storage 2 can be used immediately. #### Protection of unencrypted storage > > The Nitrokey App for Windows, macOS and Linux (AppImage) is now pre- installed on the unencrypted storage. In addition, the unencrypted storage is read-only, which can only be changed with the Admin PIN (requires Nitrokey App 1.3.1). This prevents the unintentional distribution of viruses and the unintentional storage of sensitive data on the unencrypted storage. This function is particularly interesting for enterprise customers who configure Nitrokey Storage 2 centrally and whose employees only use the user PIN. [Read the full announcement here][19] ### Nitrokey Fido U2F ![][20] > Early dev version of the Nitrokey U2F The Nitrokey Fido U2F is an entirely new key. It's based on the [U2F Zero][21], It is open hardware and the software is open source as well. It differs physically from the other nitrokey devices in that it has a touch button. With the Nitrokey FIDO U2F, after the initial configuration, you just need to touch the button on the device each time you are logging in to your various accounts. Universal Second Factor, or FIDO U2F is a standard for 2 factor auth with USB dongles. It is developed by Google and Yubico There is [a site][22] with more information and a list of supported sites. There is also an [unofficial FAQ here][23]. [This PDF][24] states that the Nitrokey FIDO U2F supports the FIDO Universal 2nd Factor (U2F) 1.2 standard. The Nitrokey Fido U2F also supports [WebAuthn][25]. At the moment there is no support for FIDO2. More information [on the site][26] #### FIDO U2F, FIDO2 and WebAuthN??? FIDO U2F and FIDO2 and WebAuthn are not the same. This Nitrokey does not support FIDO2 at the moment, but I suspect it could be added in a later firmware version. I'll try to give a simple explanation of the FIDO's: * FIDO U2F is for second factor only (next to a username/password). * FIDO2 is for both second factor, as well as replacing a username/password completely (with a public/private keypair) * WebAuthn is the Web and browser API for authentication. It supports both FIDO U2F (CTAP1) and FIDO2 (CTAP2). (CTAP == Client to Authenticator Protocol) Websites can utilize the WebAuthn standard together with a protocol like CTAP1 or CTAP2 to provide functionality so that the user can use their USB token to authenticate. A more technical explanation of CTAP can [be found here][27] I have not used this standard (u2f) before but it seems to be comparable with the Yubikey process (press a button for 2 factor). It is the cheapest of Nitrokeys so far (22 euro's) and works with all major operating systems (Windows, Linux, OS X and BSD (but which bsd?)) and all major browsers, including Opera. There is a lot of documentation [on the security and key generation][28] here. [1]: https://raymii.org/s/inc/img/nitrokey-u2f.jpg [2]: https://raymii.org/s/articles/Get_Started_With_The_Nitrokey_HSM.html [3]: https://raymii.org/s/articles/Decrypt_NitroKey_HSM_or_SmartCard-HSM_private_keys.html [4]: https://raymii.org/s/articles/Nitrokey_Start_Getting_started_guide.html [5]: https://raymii.org/s/tutorials/Nitrokey_gnuk_firmware_update_via_DFU.html [6]: https://raymii.org/s/tutorials/FST-01_firmware_upgrade_via_usb.html [7]: https://www.digitalocean.com/?refcode=7435ae6b8212 [8]: https://github.com/Nitrokey [9]: https://www.smartcard-hsm.com/ [10]: http://www.fsij.org/doc-gnuk/ [11]: https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/TechGuidelines/TG02102/BSI-TR-02102-1.pdf;jsessionid=064DAA7AD3195C1C87B1C71B2760DB4E.1_cid360?__blob=publicationFile&v=7 [12]: https://www.nitrokey.com/documentation/elliptic-curves-ecc-support-nitrokey-storage-2-and-pro-2 [13]: https://www.nitrokey.com/news/2017/nitrokey-start-supports-elliptic-curves-ecc [14]: https://support.nitrokey.com/t/what-is-the-difference-between-prov1-and-pro-v2/1406 [15]: https://gnupg.org/ftp/specs/ [16]: https://raymii.org/s/inc/downloads/OpenPGP-smart-card-application-3.3.1.pdf [17]: https://raymii.org/s/inc/downloads/OpenPGP-smart-card-application-2.2.pdf [18]: https://raymii.org/s/inc/downloads/nitrokey-storage-Manual.pdf [19]: https://www.nitrokey.com/news/2018/nitrokey-storage-2-released [20]: https://raymii.org/s/inc/img/nitrokey-u2f-2.jpg.png [21]: https://github.com/conorpp/u2f-zero/ [22]: https://www.dongleauth.info/ [23]: https://web.archive.org/web/20181107115126/https://medium.com/@nparlante/the-unofficial-fido-u2f-faq-9201fa5cb4da [24]: https://raymii.org/s/inc/downloads/Nitrokey_FIDO_U2F_factsheet.pdf [25]: https://en.wikipedia.org/wiki/WebAuthn [26]: https://www.nitrokey.com/news/2018/new-nitrokey-fido-u2f [27]: https://web.archive.org/web/20181107114622/https://www.imperialviolet.org/2018/03/27/webauthn.html [28]: https://github.com/Nitrokey/nitrokey-fido-u2f-firmware/blob/master/doc/security_architecture.md --- License: All the text on this website is free as in freedom unless stated otherwise. This means you can use it in any way you want, you can copy it, change it the way you like and republish it, as long as you release the (modified) content under the same license to give others the same freedoms you've got and place my name and a link to this site with the article as source. This site uses Google Analytics for statistics and Google Adwords for advertisements. You are tracked and Google knows everything about you. Use an adblocker like ublock-origin if you don't want it. All the code on this website is licensed under the GNU GPL v3 license unless already licensed under a license which does not allows this form of licensing or if another license is stated on that page / in that software: This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program. If not, see <http://www.gnu.org/licenses/>. Just to be clear, the information on this website is for meant for educational purposes and you use it at your own risk. I do not take responsibility if you screw something up. Use common sense, do not 'rm -rf /' as root for example. If you have any questions then do not hesitate to contact me. See https://raymii.org/s/static/About.html for details.