Nitrokey Start unterstützt elliptische Kurven (ECC)

RSA-2048 wird zunehmend unsicher

Das Bundesamt für Sicherheit in der Informationstechnik (BSI) empfiehlt RSA-Schlüssel mit einer Länge von 2048 Bit aus Sicherheitsgründen nicht mehr nach dem Jahr 2022 einzusetzen. In absehbarer Zeit müssen somit längere Schlüssel verwendet werden. Bei einer angenommenen Verwendungsdauer von fünf Jahren sollten bereits jetzt sicherere Schlüssel generiert werden. Längere RSA-Schlüssel mit 3072 Bit oder 4096 Bit sind jedoch deutlich langsamer. Deshalb unterstützt der Nitrokey Start (bzw. die zugrundeliegende Firmware Gnuk) seit einiger Zeit die Verschlüsselung mittels elliptischer Kurven (ECC). Dieses Verfahren gilt bei kleinerer Schlüssellänge als genauso sicher wie längere RSA-Schlüssel und ist dabei deutlich schneller.

Grundlagen elliptischer Kurven

Anders als bei RSA gibt es von elliptischen Kurven unterschiedliche Ausprägungen (sog. Kurven). Insbesondere den NIST-Kurven wurde die Involvierung der NSA bei der Entwicklung zulasten gelegt. Auch wenn es keine Belege für Hintertüren in den Kurven gibt, so kann die Verwendung einer bestimmten Kurve eine Vertrauensfrage darstellen. Zum Glück unterstützt der Nitrokey Start mehrere Kurven, nämlich NIST, SECG und Curve25519. Wir verwenden im Folgenden Curve25519 und das darauf aufbauende Ed25519, die einen guten Ruf haben und als sicher gelten. Dieser Artikel gibt einen guten Einstieg zum allgemeinem Verständnis elliptischer Kurven.

System-Vorraussetzungen

Um Schlüssel auf Basis elliptischer Kurven auf dem Nitrokey Start erstellen zu können, muss die Firmware 1.2 aufgespielt sein und GnuPG in Version 2.1.16 oder höher installiert sein.

Über 'gpg2 --card-status' kann man die Firmware-Version des Nitrokey Start ablesen:

> gpg2 --card-status
Reader ...........: 20A0:4211:FSIJ-1.2.4-67083322:0
...

Die Zahl hinter 'FSIJ' gibt den Stand der Software an, in diesem Fall ist es 1.2.4. Ab der Version 1.2 können elliptische Kurven mit dem Nitrokey Start verwendet werden. Falls noch eine ältere Firmware installiert ist, kann man diese mit Hilfe dieser Anleitung aktualisieren.

Die installierte Version von GnuPG erfährt man über 'gpg2 --version'. Es wird mindestens Version 2.1.16 benötigt. Für Windows erhält man die neueste GnuPG Version hier und für macOS hier. In den GNU/Linux-Distributionen Debian (ab Stretch), Arch Linux, Fedora (ab Release 26) und openSUSE Tumbleweed ist bereits eine passende Version von GnuPG enthalten. In der aktuellen Veröffentlichung von Ubuntu (17.10) ist derzeit leider nur GnuPG 2.1.15 enthalten und die Nutzung somit derzeit noch nicht ohne Weiteres möglich. Am Ende des Artikels gibt es Hinweise, wie GnuPG unter Ubuntu manuell aktualisiert werden kann.

Wichtig: GnuPG 2.0 wird noch verwendet, aber der Support wird ca. Ende 2017 auslaufen. Bei Emailverschlüsselung mittels ECC müssen alle Kommunikationspartner GnuPG 2.1 oder neuer verwenden. Andernfalls kann es zu Inkompatibilitäten kommen. Sie sollten daher ECC nur dann verwenden, wenn Sie dieses Problem in Ihrem Fall ausschließen können.

Schlüsselgenerierung auf dem Nitrokey Start

Sind diese Voraussetzungen erfüllt, kann es losgehen. (Achtung: bestehende Schlüssel werden bei diesem Vorgang überschrieben!) Es gibt nun zwei Möglichkeiten. Entweder erstellt man den Schlüssel direkt auf dem Nitrokey Start. Dies hat den Vorteil, dass der Schlüssel nie außerhalb des Gerätes liegt und somit zu keiner Zeit ausgelesen werden kann. Oder man importiert einen zuvor lokal erstellen Schlüssel. Hier liegt der Vorteil darin, dass man ein Backup des Schlüssels sicher verwahren kann und diesen bei Verlust des Nitrokey wiederherstellen kann. Im Folgenden wird nur die erste Variante beschrieben. Um einen Schlüssel mit Backup zu erstellen, kann auf folgende Anleitung zurückgegriffen werden und mittels dieser allgemeinen Hinweise kann der Schlüssel auf den Nitrokey übertragen werden.

Unter GnuPG gibt es bereits einen Befehl 'generate', mit dem auf einfache Weise Schlüssel direkt auf dem Gerät erstellt werden können. (Aktualisierung 20.11.2017: Mit GnuPG 2.2.2 und neuer, während des Kommandos "generate" können Sie die Schlüssellänge "25519" eingeben um Curve25519 auszuwählen. In diesem Fall können Sie die nächsten Zeilen überspringen.) Bisher kann damit allerdings nicht die Art des Schlüssels direkt ausgewählt werden. Also muss der Stick zunächst kurz vorbereitet werden. Dafür benutzen wir folgende Befehle:

> gpg-connect-agent "SCD SETATTR KEY-ATTR --force 1 22 ed25519" /bye
> gpg-connect-agent "SCD SETATTR KEY-ATTR --force 2 18 cv25519" /bye
> gpg-connect-agent "SCD SETATTR KEY-ATTR --force 3 22 ed25519" /bye

Alternativ könnten andere Kurven ausgewählt werden, wie im nächsten Abschnitt beschrieben.

Nun geben wir 'gpg2 --card-edit' ein und sehen, dass nun unter 'Key attributes' ed25519 bzw. cv25519 anstatt rsa2048 steht.

> gpg2 --card-edit
Reader ...........: 20A0:4211:FSIJ-1.2.4-67083322:0
Application ID ...: D276000124010200FFFE670833220000
Version ..........: 2.0
Manufacturer .....: unmanaged S/N range
Serial number ....: 67083322
Name of cardholder: [not set]
Language prefs ...: [not set]
Sex ..............: unspecified
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: forced
Key attributes ...: ed25519 cv25519 ed25519
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 3 3
Signature counter : 0
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]
General key info..: [none]

Anschließend erstellen wir den Schlüssel.

gpg/card> admin
Admin commands are allowed

gpg/card> generate
Make off-card backup of encryption key? (Y/n) n
Please note that the factory settings of the PINs are
PIN = '123456' Admin PIN = '12345678'
You should change them using the command --change-pin
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0)
Key does not expire at all
Is this correct? (y/N) y
GnuPG needs to construct a user ID to identify your key.
Real name: Jane Doe
Email address: [email protected]
Comment:
You selected this USER-ID:
"Jane Doe <[email protected]>"
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
gpg: key 7F8C68E1B084E169 marked as ultimately trusted
gpg: revocation certificate stored as '/home/jane/.gnupg/openpgp-revocs.d/F8C00BC1636A7D7604A31A877F8C68E1B084E169.rev'
public and secret key created and signed.

Nun enthält der Nitrokey Start elliptische Kurven anstatt RSA-Schlüssel und kann wie gewohnt verwendet werden.

Verfügbare Kurven

In dem Vorgehen oben haben wir uns für die Kurve ed25519 bzw. cv25519 von Daniel Bernstein entschieden. Alternativ können NIST oder SECG Kurven eingesetzt werden. Die Konfiguration wird entsprechend wie folgt vorgenommen:

Option NIST-Kurven:

> gpg-connect-agent "SCD SETATTR KEY-ATTR --force 1 19 nistp256" /bye
> gpg-connect-agent "SCD SETATTR KEY-ATTR --force 2 18 nistp256" /bye
> gpg-connect-agent "SCD SETATTR KEY-ATTR --force 3 19 nistp256" /bye

Option SECG-Kurven: Warnung: Diese Kurve wird nicht für E-Mailverschlüsselung empfohlen sondern ausschließlich für Bitcoin-bezogene Anwendungsfälle!

> gpg-connect-agent "SCD SETATTR KEY-ATTR --force 1 19 secp256k1" /bye
> gpg-connect-agent "SCD SETATTR KEY-ATTR --force 2 18 secp256k1" /bye
> gpg-connect-agent "SCD SETATTR KEY-ATTR --force 3 19 secp256k1" /bye

Option Curve25519:

> gpg-connect-agent "SCD SETATTR KEY-ATTR --force 1 22 ed25519" /bye
> gpg-connect-agent "SCD SETATTR KEY-ATTR --force 2 18 cv25519" /bye
> gpg-connect-agent "SCD SETATTR KEY-ATTR --force 3 22 ed25519" /bye

Aktualisierung von GnuPG unter Ubuntu

Die folgenden Schritte sind nur nötig, wenn eine Ubuntu Version älter als 18.04 verwendet wird. Die unten stehenden Befehle installieren GnuPG 2.1.18 auf solch einem System. Dabei wird auf aktuellere Debian-Pakete zurückgegriffen, was die einfachste Möglichkeit ist. Dieses Vorgehen wurde unter Ubuntu 17.10 erfolgreich getestet und läuft vermutlich auch unter 16.04. Trotzdem kann nicht ausgeschlossen werden, dass bei der Benutzung Probleme auftreten.

$ mkdir gnupg_tmp
$ cd gnupg_tmp
$ wget http://ftp.debian.org/debian/pool/main/g/gnupg2/gnupg_2.1.18-8~deb9u1_amd64.deb
$ wget http://ftp.debian.org/debian/pool/main/g/gnupg2/dirmngr_2.1.18-8~deb9u1_amd64.deb
$ wget http://ftp.debian.org/debian/pool/main/g/gnupg2/gnupg-agent_2.1.18-8~deb9u1_amd64.deb
$ wget http://ftp.debian.org/debian/pool/main/g/gnupg2/scdaemon_2.1.18-8~deb9u1_amd64.deb
$ sudo dpkg -i *
$ cd ..
$ rm -rf gnupg_tmp

Falls Sie die Installation wieder rückgängig machen wollen, müssen Sie folgende Befehle ausführen:

$ sudo dpkg --remove --force-depends gnupg dirmngr gnupg-agent scdaemon
(entfernt die manuell installieren Pakete)
$ sudo apt-get install gnupg dirmngr gnupg-agent scdaemon
(installiert dieselben Pakete aus den regulären Paketquellen)

23.10.2019

Comments

Is there any plan to have this support on any other product any time soon (Nitrokey Storage in my case) ? Or did I miss it somehow ?

Yes, we want to add ECC support to NK Pro and NK Storage too sometime next year.

Hi,

by adding support to the Pro line, do you mean by way of buying a new device? I understand that the Storage firmware is upgradeable, but not the Pro firmware (barring flashing a new one via a serial connection).

regards, Antoine 

The next major version of Nitrokey Pro and Storage which supports ECC would require a new hardware. Firmware updates won't bring ECC support, other than for the Nitrokey Start.

Looking at the white paper for the OpenPGP 3.x cards I only see some references to curves based on Brainpool. As some have pointed out on the GnuPG mailing list Brainpool has a lot in common with the now untrusted NIST curves. Really hope the OpenPGP 3.x cards will support curve 25519 like the Gnuk does. I am also wondering when an actual ver. 3 smartcard will be made/sold to the public?

If NitroKey can get a device working with 25519 and storage Ill be buying a new device that day! Been using the Nitrokey Pro for about a year and love it!

Hello,

if Nitrokey Start supports Ecliptic curves, you should update it's page (https://shop.nitrokey.com/shop/product/nitrokey-start-6), as Id doesn't mention that.

 

Can you please confirm that Nitrokey Start supports EC.

Thank you for the reminder. We will update it later today. I confirm that NK Start supports ECC.

Hello,

how is the support coming along?

What do you mean?

I always used to read article in news papers but now as I am a user of net therefore from now I am using net for articles or reviews, thanks to web.
At this time I am ready to do my breakfast, after having my breakfast coming again to read other news.
Hi there would you mind letting me know which webhost you're utilizing? I've loaded your blog in 3 completely different browsers and I must say this blog loads a lot faster then most. Can you suggest a good hosting provider at a honest price? Thank you, I appreciate it!
Hey, sure we can, we use: https://www.dotplex.com/

Why would anyone even use RSA2048 by default, when RSA4096 has been out for long and is supported by all major distributions? Is the smart card on Nitrokey not compatible with 4k?

RSA-4096 with the Nitrokey Pro is reasonable fast. But with Nitrokey Start each operation takes about 8 seconds. Here ECC is a very good alternative.

Did I understand you right? As a Nitrokey Storage user, I won't get ECC as a firmware update but have to buy a new a new one?

Yes. This is because the cryptography in Nitrokey Storage is real hardware.

How about having a "loyal customer upgrade plan". Could upgrade the OpenPGP v2.1 card to a OpenGPG 3.x version.  Customers send in their old devices and pay for the upgrade?

Unfortunately this wouldn't work. Our prices are too low and we don't have margin for this. In addition, the handling of returned devices and associated payments would be extra effort which needs to be paid. It is the same as buying a new phone: You don't get points for being a loyal whatever-brand customer.

Any ETA for new Nitrokey Pro (With ECC support)?
Does Nitrokey Storage already support ECC?

Is it possible to boot OS with Nitrokey Storage? (This would be killer feature for me, so I don't have to carry extra memory stick with me)

Nitrokey Pro and Storage with ECC support should come in the next few weeks, maybe March.

Yes, you can boot operating systems from the Nitrokey Storage.

Ack!  I just ordered a Pro last week, and now a new version supporting ECC will be available in just a few weeks?!  This info should really be made [more] available on the web page - outside of the headline "Nitrokey Start Supports Elliptic Curves (ECC)"

I will be happy enough with the Pro, I imagine, but really would have preferred to have both RSA4096 and ECC.

 

RSA is becoming increasingly insecure, so if you want the storage, it will be for storing files not rsa. ;)

The storage does not interest me; I can secure commercial flash storage by other means. I only use NK for gpg and nothing else.

Excellent pieces. Keep writing such kind of information on your site. Im really impressed by your blog. Hi there, You've done an incredible job. I'll certainly digg it and personally recommend to my friends. I'm confident they'll be benefited from this site.

Just noticed, that social links in footer of the page aren't working.

They are working fine for me. But you really need to click them. Just hovering the mouse over it is not sufficient. Do you use an aggressive add-on like NoScript perhaps?

seriously, 3074 bit? is this a typo???

Correct is 3072 bit. Thank you for the notice.

Is there an estimate or at least vague idea when the new Nitrokey Pro with ECC will be available? I read "the next few weeks, maybe March." but no update since. I looking to buy a smartcard device and would be alright with waiting a bit.

We don't have an exact date yet but the device is working, we just need to get logistics sorted out. Latest would be June.

Thank you for your reply! Besides ECC, are there further improvements or changes?

No.

Does the Nitrokey Start support 3 RSA keys PLUS 3 ECC keys or 3 keys total which can be either RSA or ECC?

What about the Nitrokey Pro and Storage when they come out?

Any news when new version of NitrokeyPro will be available?

We are just launching a new NK Storage v2 this week. NK Pro v2 will be next, during this summer.

The details of the Nitrokey Storage says, that ECC is supported

"Secure key storage for encryption of emails, hard disks and files. Compatible with GnuPG/OpenPGP, S/MIME, X.509, SSH, TrueCrypt/VeraCrypt and many more. RSA-2048, RSA4096, and ECC-256 are supported."

however, the comparison sheet of the NitroKey devices says the opposite.

 

Do you need to update the table?

Thank you for the pointer. The data sheet has been updated just recently. We are going to launch an announcement soon.

Hey there,

after reading different comments and finding different information in different fact sheets I feel confused.

I want to switch away from my yubikey to a smartcard which is developed with a focus on OSS. Nitrokey seems to do the trick. What I need is Curve25519 for my GPG Key and TOTP slots.

I could not find a nitrokey product which has both. Am I right or did I miss something?

Cheers
Jakob

You are right. Curve25519 ist supported by Nitrokey Start. TOTP ist supported by Nitrokey Pro and Nitrokey Storage.

can this guide be used on Nitrokey Storage 2? If so, I would buy one.

"Update 20.11.2017: With GnuPG 2.2.2 and higher, during "generate" command you can enter the keysize "25519" to select Curve25519. In this case you can skip the following lines.) However it is not as yet possible to select the type of key directly, so the key must first be prepared."

Nitrokey Storage 2 (as well as Pro 2) doesn't support Curve25519 but Brainpool and NIST instead.

Oh, I see, in that case, is there a significant difference in level of security between, brainpool and rsa2048/rsa4096

I am just wondering how many times more secure brainpool is than RSA.

And if there will be a storage version that will support curve25519 in the future.

RSA 2048 is deprecated and shouldn't be used for keys which are assumed to be used for several years. Instead RSA-3072 and ECC-256 are recommended and secure alternatives. Of course, longer key length are even more secure. AFAIK, The particular curve (Brainpool, NIST, Curve25519) shouldn't make much of a difference in terms of security.

If that's the case, should I be upgrading my nitrokey-storages? Is that an option?

You can't upgrade Nitrokey Storage but you can use RSA-4096 with Nitrokey Storage 1 already.

Any possibility to see a Nitrokey Pro equipped w/ RSA 4096 AND Curve25519 support? Maybe in the course of 2019? For many people I know (including myself) this is really the feature combination they are waiting for. Thanks!
Sooner or later, that will come. Please subscribe our newsletter to get informed right away.
Also add a German made Elliptic Curve with a 1033 bit prime called "anders_1032_1" made by Prof. Dr. Michael Anders to all your line of products. Is the only elliptic curve the author makes openly available for commercial use at no cost. The author himself thinks there is consensus that 256 bit elliptic curves should be enough for decades. My personal opinion is that in the past NSA has made DES to be a secure algorithm but small enough to crack it... probably they are doing the same with P-256, P-384 and P-512 even if they don't contain some vulnerability themselves (safecurves web site and others seems to think otherwise) they can just be too small and the several sizes are just to make people think they have options... while all can be to small to start with... not for normal computer world but for those with billions of dollars and own laboratories to make things happen. At least in dedicated security hardware like Nitrokey should be safe to use these "anders_1032_1" elliptic curve. For what? Currently there is no software for it, but make it available and I'm sure people will start modifying GnuPG, E-mail programs and maybe others to benefit from the much higher security level of the elliptic curve... that if the current comparisons are to be hold truth should give equivalent symmetric security up to ~516 bit. Heck, those "military grade" (no such grade in most countries... but who cares?) software company's will love to have support for that for sure... "be even more secure than your bank", "your bank may use 384 bit elliptic curve but we offer support for a 1033 bit one" or even better "have the most secure bank in the country with our {insert here your random company name} encryption/ digital signature/ authentication solution, and use Nitrokey to keep the key secure on hardware". You get the idea... even if it is not really needed it will be nice to have a bigger option already available... specially if someone finds out in the near future that 256 bit elliptic curves are not so secure as they would hope. Parameters: ID: anders_1032_1 MODUL: fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffc73 coeff_A: fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffc70 coeff_B: d02a1d001500bad000000d02a1d001500f0e000000d02a1d001500acc1de24000000d02a1d001500bad000000d02a1d001500f0e000000d02a1d001500acc1de24000000d02a1d001500bad000000d02a1d001500f0e000000d02a1d001500acc1de24000000d02a1d001500bad000000d02a1d001500f0e000000d02a1d0015b3 q_MODUL: 0100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000184ce99c462d57387687f83e43f191166f0a07b527136b230558cabe982fc856bf6239a1c95e44421a71c553d223e1e8b6941687648973a94d4027ca61abe02331 X0: 0d02a1d001500bad000000d02a1d001500f0e000000d02a1d001500acc1de24000000d02a1d001500bad000000d02a1d001500f0e000000d02a1d001500acc1de24000000d02a1d001500bad000000d02a1d001500f0e000000d02a1d001500acc1de24000000d02a1d001500bad000000d02a1d001500f0e000000d02a1d0015d Y0: 57029d58aeccbf320f5c337d84b7b30d8a412149ed8c526a4d9c0faa829f4ebfbb966bd235bf7dbcb21679b463ecdf73eb80031fb1855e96d37b67731863374e4295dcf904eac0f4cf22604bbfb66c6e4b1e72de7ad6a7289b6c921f8bebf2fcef346ba5f9ce1d6ce660510e345118d42168edb704be01b3ac41f7e485cfdd3df9 END

Pages

Add new comment

Fill in the blank.