One-time passwords and GnuPG with Nitrokey

This article brought to you by LWN subscribers.

A few years ago, the hardware vendor Yubico made a bit of a splash when it introduced its YubiKey line of inexpensive hardware security tokens powered by open-source software. With its most recent product release, however, Yubico has dropped open source and started deploying only proprietary software in its devices. Consequently, many community members have started looking for a viable replacement that will adhere to open-source principles. At present, one of the leading contenders for Yubico's departed customers is Nitrokey, which manufactures a line of hardware tokens capable of generating one-time passwords (OTPs), storing and using OpenPGP keys, and several other features. The devices made by Nitrokey run open-source software and are open hardware as well.

To recap, Yubico had produced YubiKey products for several years and, historically, released its own open-source software for working with the devices. The original devices focused on OTP, and they were popularized by their support for the HMAC-based One-Time Password (HOTP) and Time-based One-Time Password (TOTP) algorithms (HMAC being the hash-based message authentication code on which both are built). HOTP and TOTP were already used in a number of two-factor authentication smartphone apps; the YubiKey's ability to replace a smartphone with a small, lightweight, and nigh-indestructible hardware token was a selling point.

The YubiKey NEO line expanded the available functionality by adding smartcard functionality; applets for OpenPGP and OATH (the Initiative for Open Authentication, which standardized HOTP and TOTP) were released as open-source software, and source code for other applets was available on GitHub (even at that time, it should be noted, the YubiKey firmware itself was not open source). We looked at the YubiKey NEO in April 2014 and at the smartcard functionality in particular again that November.

In late 2015, Yubico released the YubiKey 4 product line, which, for the first time, did not include source code. When asked in a GitHub discussion, Yubico employee Dain Nilsson confirmed that no source release would be made, and that the new devices were running a proprietary OpenPGP implementation. "We're all for open source, and we try to open source as much of our code as possible when and where it makes sense, but in this case it was determined not to be so."

That response drew heavy criticism from around the open-source and free-software community. Included among the critics was kernel.org system administrator Konstantin Ryabitsev, who had helped distribute YubiKeys to kernel developers in 2014 in an effort to tighten up kernel-development security. In May 2016, Ryabitsev publicly withdrew his recommendation of YubiKey over the new, proprietary software. For its part, Yubico responded with a statement contending that trying to ship open-source software was ultimately incompatible with building secure hardware devices.

Enter the Nitro

Regardless of how one feels about Yubico's stance on open source, though, it is good to know and evaluate the alternatives. Perhaps the product line most similar to the YubiKey is the Nitrokey.

The Nitrokey line started out as a personal side project of Jan Suhr and Rudolf Böddeker, but was taken commercial in 2014. At present, the company makes three devices: the Nitrokey Start (which is a GnuPG-compatible USB smartcard), the Nitrokey Pro (which combines smartcard and OTP functionality), and the Nitrokey HSM (which is a secure key-storage token designed to hold up to 108 key pairs).

The company also offers the Nitrokey U2F, which is a rebranded third-party token for the Universal 2nd Factor (U2F) protocol (a challenge-response scheme built on public-key signatures, not an OTP scheme). Nitrokey makes neither the hardware nor the software for that device. A fifth product has been announced but not yet released: the Nitrokey Storage, which combines the functionality of the Pro with a built-in encrypted mass-storage volume.

Nitrokey was kind enough to send us a Pro device to test with. Physically, the key is the size of a smallish USB drive, making it fatter than a YubiKey but still not large enough to impede plugging something in to a neighboring port. The device case is plastic and has seams running lengthwise down the sides; the site highlights Nitrokey's tamper-resistance, but that feature appears to apply only to the contents of the smartcard element. Attackers might be able to crack open the plastic case without destroying the chips inside, and in various places the documentation notes that OTP secrets are not saved in tamper-proof storage.

On Linux systems, the Nitrokey Pro requires only a small amount of setup: adding a udev rule that matches the device's USB vendor and product IDs (so that an unprivileged user can access it), and adding those same IDs to the /etc/libccid_Info.plist file, the reader list used by the Chip/Smart Card Interface Devices (CCID) library. Subsequently, one can plug in the Nitrokey and configure it through the Nitrokey App program, which the company provides in native packages for a number of distributions as well as in a Snap package.
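The two setup steps above are easy to get subtly wrong: libccid_Info.plist holds three parallel arrays (ifdVendorID, ifdProductID, ifdFriendlyName), and a new reader must be appended to all three at the same index or libccid will pair the wrong name with the wrong IDs. The following is an added example (not Nitrokey's own tooling) that generates the udev rule and patches a plist while checking that alignment. The USB IDs (20a0:4108) are the ones Nitrokey publishes for the Pro in its udev rules; treat them as an assumption and confirm them with lsusb. The plist embedded in the script is a constructed stand-in with one fictional reader, not a copy of the real file.

```python
"""Set-up helpers for a CCID token such as the Nitrokey Pro on Linux.

Added example, not Nitrokey's own tooling.  It emits the udev rule that lets
an unprivileged user talk to the raw USB device, and edits the
libccid_Info.plist reader list without breaking its layout: three parallel
arrays that must stay the same length and in step with each other.
"""
import plistlib

NITROKEY_VENDOR = 0x20A0       # assumption: Nitrokey's published vendor ID, confirm with `lsusb`
NITROKEY_PRO_PRODUCT = 0x4108  # assumption: Nitrokey Pro product ID, confirm with `lsusb`

# Constructed stand-in for /etc/libccid_Info.plist listing one fictional reader.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>ifdVendorID</key>
  <array><string>0x1234</string></array>
  <key>ifdProductID</key>
  <array><string>0x0001</string></array>
  <key>ifdFriendlyName</key>
  <array><string>Example CCID Reader</string></array>
</dict>
</plist>
"""

ARRAYS = ("ifdVendorID", "ifdProductID", "ifdFriendlyName")


def udev_rule(vendor: int, product: int, group: str = "plugdev") -> str:
    """One udev rule line giving members of `group` read/write access to the device.

    udev compares the ID attributes as lowercase hex strings without a 0x prefix.
    """
    return (f'SUBSYSTEM=="usb", ATTR{{idVendor}}=="{vendor:04x}", '
            f'ATTR{{idProduct}}=="{product:04x}", MODE="0660", GROUP="{group}"')


def ccid_readers(plist_bytes: bytes) -> list:
    """Return [(vendor, product, name), ...] from a libccid_Info.plist.

    Raises ValueError when the three arrays differ in length, which is the usual
    result of a hand edit that touched only one of them.
    """
    data = plistlib.loads(plist_bytes)
    cols = [data[key] for key in ARRAYS]
    if len({len(col) for col in cols}) != 1:
        raise ValueError("ifdVendorID/ifdProductID/ifdFriendlyName arrays are misaligned")
    return [(int(v, 16), int(p, 16), name) for v, p, name in zip(*cols)]


def add_ccid_reader(plist_bytes: bytes, vendor: int, product: int, name: str) -> bytes:
    """Append the reader to all three arrays; a no-op if the IDs are already listed."""
    if any(v == vendor and p == product for v, p, _ in ccid_readers(plist_bytes)):
        return plist_bytes
    data = plistlib.loads(plist_bytes)
    data["ifdVendorID"].append(f"0x{vendor:04X}")      # libccid uses 0x-prefixed uppercase hex
    data["ifdProductID"].append(f"0x{product:04X}")
    data["ifdFriendlyName"].append(name)
    return plistlib.dumps(data)


if __name__ == "__main__":
    print(udev_rule(NITROKEY_VENDOR, NITROKEY_PRO_PRODUCT))
    patched = add_ccid_reader(SAMPLE_PLIST, NITROKEY_VENDOR, NITROKEY_PRO_PRODUCT, "Nitrokey Pro")
    for reader in ccid_readers(patched):
        print(reader)
```

The rule line goes into a file under /etc/udev/rules.d/ followed by a udev reload; the user running the Nitrokey App must be a member of the chosen group. Running ccid_readers() over the real /etc/libccid_Info.plist after any hand edit is a cheap way to catch a misaligned entry before pcscd starts ignoring the token.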

OTP and traditional password usage

The App lets users manage HOTP/TOTP configuration and save passwords in a built-in password safe. The Pro includes slots for 15 separate TOTP configurations, three additional HOTP configurations, and 16 password slots. For the HOTP and TOTP slots, users can adjust the update interval (the TOTP time step) and several other parameters. The password safe provides fields to store usernames and identifiers for the site or service, and the App includes a tool to generate random passwords.

In general, the password-storage and OTP functionality depends on using Nitrokey on a system with the official Nitrokey App installed; one must open the app, move to the tab of interest, copy the necessary OTP or password to the clipboard, then paste it into the appropriate application or login page.

But it is also possible to configure the Nitrokey to emit the OTP from either the first or second HOTP slot whenever a special key sequence is pressed. In the version of the Nitrokey App I tested, the key-sequence options available were double-pressing NumLock, CapsLock, or ScrollLock. Once configured in Nitrokey App, the device can be plugged in and will appear to the system as a second USB keyboard. It cannot see keystrokes on the real keyboard, but the host sends every attached keyboard the current state of the NumLock, CapsLock, and ScrollLock LEDs, which is why only those three keys can serve as the trigger. Whenever the chosen key is double-pressed on a real, physical USB keyboard, the Nitrokey sees the LED toggle and types out the HOTP code.
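To make the slot parameters from the previous section concrete (shared secret, HOTP counter, TOTP time step, digit count) and to show what the emit-on-keypress feature implies for the server, here is an added example of HOTP (RFC 4226) and TOTP (RFC 6238) in Python. It is not Nitrokey code; the device computes the same functions internally. An HOTP token that is triggered without the code being used (an accidental double-press of CapsLock will do it) advances its counter, so a server must search a look-ahead window rather than accept only the next counter value; the window size and the otpauth-style base32 secret handling are assumptions for illustration, and the sample key is the one from the RFCs.

```python
"""HOTP (RFC 4226) and TOTP (RFC 6238) as the Nitrokey's OTP slots compute them.

Added example, not Nitrokey code.  Shows what the per-slot parameters mean and
how a server should verify codes from a hardware HOTP token whose counter may
have run ahead because the token was triggered without the code being used.
"""
import base64
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6,
         algo=hashlib.sha1, t0: int = 0) -> str:
    """RFC 6238: HOTP with the counter replaced by the number of `step`-second
    intervals since `t0`.  `step` is the "update interval" a TOTP slot exposes."""
    return hotp(secret, (int(at_time) - t0) // step, digits, algo)


def decode_base32_secret(text: str) -> bytes:
    """Enrollment pages and otpauth:// URIs hand out the secret in base32, often
    unpadded and split into groups by spaces; normalise before decoding."""
    cleaned = text.replace(" ", "").strip().upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


def verify_hotp(secret: bytes, candidate: str, server_counter: int,
                window: int = 10, digits: int = 6):
    """Server side of HOTP with a look-ahead window (window size is an assumption).

    Returns the counter the server should store next (one past the matched
    value), or None.  Counters below `server_counter` are never tried, so a
    captured code cannot be replayed, while a token pressed a few times without
    being used is resynchronised instead of locked out.
    """
    for c in range(server_counter, server_counter + window):
        if hmac.compare_digest(hotp(secret, c, digits), candidate):
            return c + 1
    return None


if __name__ == "__main__":
    secret = decode_base32_secret("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")  # RFC 4226/6238 test key
    print("HOTP, counter 0:", hotp(secret, 0))
    print("TOTP, t=59, 8 digits:", totp(secret, 59, digits=8))
    print("server resync after 3 unused presses:", verify_hotp(secret, hotp(secret, 3), 0))
```

Two practical consequences follow from the code: a TOTP slot only needs the secret and the step to stay in sync, so it can be shared between the Nitrokey and a phone app, whereas an HOTP slot's counter lives only on the device, and a site that verifies HOTP with no look-ahead window will lock the user out after the first stray keypress.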

That last feature feels like something of an afterthought, given its odd limitations (such as supporting the first two HOTP slots but not the third), but perhaps there is simply room for improvement. In comparison to the YubiKey NEO, the Nitrokey unquestionably wins the configuration contest. The NEO provides just two configurable slots and, as mentioned in our November 2014 coverage, using the NEO for TOTP requires pairing it up with a separate application that does not store the TOTP secrets on the device.

On the other hand, the NEO includes NFC support, so its TOTP support can be used with an Android app (given an NFC-capable phone) as well as with a desktop application, and the Nitrokey evidently stores OTP secrets where they could theoretically be removed by an attacker with physical access to the device. Still, the greater number of configuration slots on the Nitrokey are a welcome change, and the password-safe functionality is useful as well.

Smartcard usage and development

The Nitrokey Pro also includes a smartcard element conforming to the OpenPGP card standard. At present, there are two use cases supported: using the card directly with GnuPG (or with OpenSSH, which can use GnuPG as an authentication agent), and using the card with a PKCS #11 driver.

Like most GnuPG-compatible cards, the Nitrokey's smartcard element provides three key slots (signature, encryption, and authentication) that are designed to hold subkeys of a single identity. The Nitrokey does support RSA keys of up to 4096 bits, however, compared to the YubiKey NEO's 2048-bit maximum. Keys can be generated on the card or generated elsewhere and imported with the GnuPG command-line tool.

A PKCS #11 driver can be used instead, which opens the door to using the Nitrokey with applications beyond GnuPG and SSH. The documentation notes, though, that for best results one should generate the keys with GnuPG; those key slots can then be accessed by the PKCS #11 driver from the OpenSC project. The reverse (initializing the card with OpenSC and then trying to use it with GnuPG) will not work.

The reason is that the OpenSC tools initialize the card in a different format, which GnuPG cannot read. If the card is initialized with GnuPG and the slots filled with GnuPG RSA keys, OpenSC can still access the slots. If one wants to use the Nitrokey with applications that require a different type of key material (such as TLS certificate authority (CA) keys or X.509 certificates), however, initializing the card for PKCS #11 is the only option.

The documentation goes on to warn users against using PKCS #11 and GnuPG in parallel, and notes a few alternative PKCS #11 projects that may someday prove more useful than OpenSC's offering.

At the moment, the Nitrokey site does not offer guidance to developers interested in writing and uploading their own smartcard applets. However, the Nitrokey does ship with a known administrator password (which the user can change), so it should be possible for knowledgeable users. The company's wiki on GitHub notes several possibilities, including switching from the OpenPGP card format to Java Card, which is a more flexible platform. In contrast, the YubiKey NEO does use Java Card, but the devices are locked so that users cannot upload their own applets or update existing ones.

For standard uses, the Nitrokey Pro is easily the equivalent of the YubiKey NEO, if one is comfortable giving up NFC support and the NEO's external "emit the password" button. In exchange, one gets longer GnuPG keys, PKCS #11 support, and more configurable OTP and password slots. Far more importantly, however, the makers of Nitrokey have committed to keeping the product line running entirely on open-source software, and have released the hardware design as well. For the security conscious, the choice is simplified.

