Why Nitrokey Is More Secure Than Password-Protected Key Files

An ordinary key file (e.g. a GnuPG keyring) can be copied if your computer is lost or compromised. Protecting it with a strong (and usually hard to remember) password helps only as long as your computer is free of keyloggers and the attacker cannot obtain the password by other means. A Nitrokey keeps the private keys inside the device, so they cannot be copied in either case.

If you use a Nitrokey and your computer is nevertheless compromised by a virus or other malware, the malware could in theory log your PIN and perform signatures, authentications or decryptions without your consent. In practice this attack is far harder to carry out than stealing key files. The Nitrokey has to be plugged in at the moment the keys are misused, which gives you a good chance of noticing: the device indicates activity via its LED and keeps a counter of performed signatures. Once you have identified the attack you can stop it by cleaning your computer and changing the User PIN. You do not need to generate new keys or revoke the current ones, because the private keys never left the device. (This assumes that you generated your keys and initialized the Nitrokey on a trustworthy computer in the first place. For this purpose we recommend a Linux live system booted from a USB drive or DVD.)

We started the Nitrokey project (originally under the name Crypto Stick) because we wanted to use email encryption in internet cafés while travelling. Malware on such a machine could still have read our emails, but the Nitrokey protected our private keys.

Furthermore, the Nitrokey uses PINs that can be as short as six digits and still be secure: after three incorrect attempts the Nitrokey blocks any access to the private keys, so an attacker gets at most three guesses out of a million possible PINs. Key files, by contrast, need long and complex passwords to withstand brute-force attacks, because an attacker who has copied the file can try guesses offline without any limit.
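The retry counter and the signature counter described in the two paragraphs above are easy to see in a small model. The following Python is an added illustration for this post, not Nitrokey firmware and not GnuPG code: it models a token that allows three User PIN attempts, blocks when they are used up, restores the counter on a correct PIN and counts every signature, next to a toy password-protected key file (a PBKDF2-derived pad plus a MAC, which is not GnuPG's format and uses a deliberately low iteration count). The PINs, the salt and the key bytes are constructed values, and the HMAC stands in for a real signature.

```python
"""Toy model: PIN-protected token with retry and signature counters versus a
password-protected key file. Added illustration for this post; not Nitrokey
firmware, not GnuPG code. The token semantics (three User PIN tries, block
when exhausted, counter reset on success, one count per signature) and the
key-file format are assumptions of the model."""

import hashlib
import hmac
import itertools
from dataclasses import dataclass, field
from typing import Iterable, Optional, Tuple

MAX_RETRIES = 3           # User PIN attempts before the token blocks (assumption)
PBKDF2_ITERATIONS = 500   # deliberately low so the toy runs in a second
KEY_LEN = 32


class TokenBlocked(Exception):
    """Retry counter exhausted: the token refuses all further PIN checks."""


@dataclass
class Token:
    pin: str
    key: bytes                    # private key; it never leaves this object
    retries_left: int = MAX_RETRIES
    signature_counter: int = 0    # incremented on every signature, like the card's counter
    _verified: bool = field(default=False, repr=False)

    def verify_pin(self, candidate: str) -> bool:
        if self.retries_left == 0:
            raise TokenBlocked("User PIN blocked")
        if hmac.compare_digest(candidate.encode(), self.pin.encode()):
            self.retries_left = MAX_RETRIES   # a correct PIN restores the counter
            self._verified = True
            return True
        self.retries_left -= 1
        self._verified = False
        return False

    def sign(self, message: bytes) -> bytes:
        """Signing works only while a PIN is verified, i.e. the token is present."""
        if not self._verified:
            raise PermissionError("PIN not verified")
        self.signature_counter += 1
        return hmac.new(self.key, message, hashlib.sha256).digest()  # stand-in for a signature

    def change_pin(self, old_pin: str, new_pin: str) -> bool:
        if not self.verify_pin(old_pin):
            return False
        self.pin = new_pin
        return True


def six_digit_pins() -> Iterable[str]:
    return ("".join(c) for c in itertools.product("0123456789", repeat=6))


def online_brute_force(token: Token) -> Tuple[bool, int]:
    """Attacker holding the token tries PINs in order; returns (found, PINs checked)."""
    checked = 0
    for pin in six_digit_pins():
        try:
            ok = token.verify_pin(pin)
        except TokenBlocked:
            return False, checked
        checked += 1
        if ok:
            return True, checked
    return False, checked


def protect_key_file(key: bytes, password: str, salt: bytes) -> bytes:
    """Toy key file: PBKDF2 pad XORed over the key, plus a MAC under a derived key."""
    derived = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS, 2 * KEY_LEN)
    pad, mac_key = derived[:KEY_LEN], derived[KEY_LEN:]
    wrapped = bytes(k ^ p for k, p in zip(key, pad))
    tag = hmac.new(mac_key, wrapped, hashlib.sha256).digest()
    return salt + wrapped + tag


def open_key_file(blob: bytes, password: str) -> Optional[bytes]:
    """Returns the key if the password is right, else None (the MAC tells the attacker too)."""
    salt, wrapped, tag = blob[:16], blob[16:16 + KEY_LEN], blob[16 + KEY_LEN:]
    derived = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS, 2 * KEY_LEN)
    pad, mac_key = derived[:KEY_LEN], derived[KEY_LEN:]
    if not hmac.compare_digest(hmac.new(mac_key, wrapped, hashlib.sha256).digest(), tag):
        return None
    return bytes(w ^ p for w, p in zip(wrapped, pad))


def offline_brute_force(blob: bytes) -> Tuple[Optional[bytes], int]:
    """Attacker with a stolen key file: nothing counts or limits the guesses."""
    for n, pin in enumerate(six_digit_pins(), start=1):
        key = open_key_file(blob, pin)
        if key is not None:
            return key, n
    return None, 10 ** 6


def demo() -> dict:
    """Same six-digit secret on the token and on a key file; only one of them holds."""
    pin = "001337"                 # constructed; early in the search so the toy is fast
    key = bytes(range(KEY_LEN))    # constructed key bytes
    token = Token(pin=pin, key=key)
    online_found, online_tries = online_brute_force(token)
    blob = protect_key_file(key, pin, salt=b"\x00" * 16)   # constructed salt
    recovered, offline_tries = offline_brute_force(blob)
    return {"online_found": online_found, "online_tries": online_tries,
            "token_blocked": token.retries_left == 0,
            "offline_found": recovered == key, "offline_tries": offline_tries}


def misuse_then_recover() -> Tuple[int, bool]:
    """Malware that logged the PIN can sign while the token is plugged in; the
    counter records it, and a PIN change ends it without touching the keys."""
    token = Token(pin="483920", key=bytes(range(KEY_LEN)))   # constructed PIN
    token.verify_pin("483920")                # the malware replays the logged PIN
    for i in range(2):
        token.sign(b"forged message %d" % i)
    token.change_pin("483920", "915372")      # owner sets a new User PIN
    old_pin_still_works = token.verify_pin("483920")
    return token.signature_counter, old_pin_still_works


if __name__ == "__main__":
    print(demo())
    print(misuse_then_recover())
```

`demo()` shows the same six-digit secret blocking the online attacker after three checked PINs while the key file falls to the offline attacker as soon as the search reaches it; `misuse_then_recover()` shows the signature counter recording two forged signatures and the old PIN no longer working after the change, with the key material untouched. On a real device the corresponding checks are the `PIN retry counter` and `Signature counter` lines of `gpg --card-status`.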

Another advantage: many users who work on multiple computers like the Nitrokey because it lets them use their keys securely and conveniently on each machine, without the burden of syncing key files between computers.



Thanks for this post.