The New Nitrokey 3 With NFC, USB-C, Rust, Common Criteria EAL 6+

The new Nitrokey 3 is the best Nitrokey we have ever developed. It offers NFC, USB-C and USB-A Mini (optional) for the first time. The Nitrokey 3 combines the features of previous Nitrokey models: FIDO2, one-time passwords, OpenPGP smart card, Curve25519, password manager, Common Criteria EAL 6+ certified secure element, firmware updates. This reliably protects your accounts against phishing and password theft, and encrypts your communications and data. With strong hardware encryption, trustworthy thanks to open source, quality made in Germany.

Pre order now!

Use Cases

For private and corporate use - protection against mass surveillance and hackers

  • Passwordless login: Forget your passwords for Microsoft services (e.g. Office 365) and Nextcloud, and log in with your Nitrokey instead.
  • Protect online accounts using two-factor authentication (2FA): Nitrokey is your key to secure login to websites (e.g. Google, Facebook; overview at www.dongleauth.info). Using FIDO2, FIDO U2F, or one-time passwords (OTP), your accounts remain secure even if your password is stolen.
  • Phishing protection: When using FIDO, the respective domain is automatically checked and users are effectively protected against phishing attacks.
  • Mobile usage with smartphones: Using FIDO and NFC, you can also securely access your accounts on Android and iPhone smartphones.
  • Encrypt data and emails: Encrypt your emails with GnuPG, OpenPGP, S/MIME, Thunderbird or Outlook. Encrypt entire hard drives using TrueCrypt/VeraCrypt, LUKS or individual files using GnuPG. Your private keys are securely stored in Nitrokey and cannot be exported/stolen.
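
The domain check behind the phishing-protection point above, as an added example (not Nitrokey's code): in WebAuthn the browser writes the page's origin into clientDataJSON and the key hashes the relying party ID into authenticatorData, so the server can reject a login that was produced on any other domain. The domains and the names `build_assertion` and `check_domain_binding` are hypothetical, the sample data is constructed, and signature verification is left out.

```python
import base64
import hashlib
import hmac
import json
import struct

RP_ID = "example.com"                          # assumed relying party ID
EXPECTED_ORIGIN = "https://login.example.com"  # assumed login origin

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def build_assertion(origin: str, rp_id: str, challenge: bytes):
    """Constructed sample of what browser and key emit for the page visited."""
    client_data = json.dumps({"type": "webauthn.get", "origin": origin,
                              "challenge": b64url(challenge)}).encode()
    flags = 0x01  # bit 0 = user present (key was touched)
    auth_data = (hashlib.sha256(rp_id.encode()).digest()
                 + bytes([flags]) + struct.pack(">I", 1))  # signCount = 1
    return client_data, auth_data

def check_domain_binding(client_data: bytes, auth_data: bytes, challenge: bytes):
    """Server side: return the names of failed checks (empty list = pass)."""
    try:
        cd = json.loads(client_data)
    except ValueError:
        return ["clientDataJSON"]
    if not isinstance(cd, dict):
        return ["clientDataJSON"]
    failed = []
    if cd.get("type") != "webauthn.get":
        failed.append("type")
    if cd.get("challenge") != b64url(challenge):
        failed.append("challenge")
    if cd.get("origin") != EXPECTED_ORIGIN:   # origin is written by the browser
        failed.append("origin")
    if len(auth_data) < 37:                   # 32 hash + 1 flags + 4 counter
        return failed + ["authenticatorData"]
    expected_hash = hashlib.sha256(RP_ID.encode()).digest()
    if not hmac.compare_digest(auth_data[:32], expected_hash):
        failed.append("rpIdHash")
    if not auth_data[32] & 0x01:
        failed.append("userPresent")
    return failed

CHALLENGE = bytes(range(32))  # constructed; a real server uses random bytes
genuine = build_assertion(EXPECTED_ORIGIN, RP_ID, CHALLENGE)
relayed = build_assertion("https://login.example.com.lookalike.test",
                          "lookalike.test", CHALLENGE)
print(check_domain_binding(*genuine, CHALLENGE))
print(check_domain_binding(*relayed, CHALLENGE))
```

A complete relying party also verifies the key's signature over authenticatorData and the SHA-256 hash of clientDataJSON, which is what prevents these fields from being edited in transit.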

For companies - protection against hackers and industrial espionage

  • Passwordless logon to Windows 10 computers: Employees will be able to log in to their Windows 10 Pro computers managed by Azure Active Directory without passwords. All that is required is a Nitrokey 3.
  • Passwordless login to your own enterprise systems: Replace your password policy, unauthorized password slips and costly password resets with passwordless login with the Nitrokey 3. Security and acceptance through simplicity. We are happy to advise you on integration.

For IT administrators and security experts - protect critical infrastructure

  • Administering servers securely with SSH: Always have your SSH key securely with you in Nitrokey. Your key is PIN protected and cannot be exported/stolen from the Nitrokey. This eliminates the insecure and annoying synchronization of key files on client systems.
  • Protect Internet of Things (IoT) and own products: Protect your own hardware products by integrating Nitrokey. Ideal for remote maintenance and ensuring product authenticity.
  • Store cryptographic keys securely: Store cryptographic keys and certificates securely in Nitrokey, preventing their theft.
  • Protect computer BIOS integrity: Using the Nitrokey and Measured Boot, the integrity of the computer BIOS/firmware is verified. The colored LED of the Nitrokey signals whether the BIOS has integrity (green) or whether tampering has been detected (red). Compatible e.g. with NitroPads.

Functions

  • FIDO U2F, FIDO2 for passwordless login: FIDO sets new standards in easy usability and thus achieves high acceptance. FIDO reliably protects your accounts against password theft and phishing.
  • One-time passwords (OTP) to protect accounts against identity theft: One-time passwords are generated in Nitrokey and serve as a second authentication factor for logins (in addition to your normal password). Thus, your accounts remain secure even if your password is stolen.
  • Secure cryptographic key storage: Store your private keys for encrypting emails, hard drives or individual files securely in Nitrokey. This way they are protected against loss, theft and computer viruses and are always with you. Key backups protect against loss.
  • Password Manager: Store your passwords securely encrypted in the integrated password manager. This way you always have your passwords with you and they remain protected even if you lose your Nitrokey.
  • Integrity Check / Tamper Detection: Verify the integrity of the computer BIOS using Verified Boot. The Nitrokey's colored LED indicates whether the BIOS has integrity (green) or tampering has been detected (red). Supported computers require a BIOS based on Coreboot and Heads such as the NitroPad.

Security Technology

The Nitrokey 3 is based on a novel security architecture:

  • All firmware is developed in the memory-safe programming language Rust. This avoids potentially security-critical memory errors.
  • The firmware is based on Trussed, a framework written in Rust that is designed for security-critical embedded systems and developed in cooperation with our partner SoloKeys. Among other things, Trussed implements cryptographic operations. Of course, the code is published as open source.

  • The hardware is based on the LPC55S6x microprocessor, which has numerous security features, such as Secure Boot, ARM TrustZone, Physical Unclonable Functions (PUF).
  • Additionally, a Secure Element, effectively a smart card, is used for the cryptographic memory. This has been security-certified up to the operating system level according to Common Criteria EAL 6+ and thus also meets high security requirements. Due to its power requirements, the secure element can only be used via USB but not via NFC.
  • As with all Nitrokey developments, Nitrokey 3 is open source, so the secure implementation can be reviewed by anyone.


4.3.2021

Comments

I'm really excited! I've been hoping for the combination of FIDO2 and OpenPGP for so long and am already looking forward to evaluating the device for my business. Many thanks to you all!
I agree with you 100%... Only one stick left dangling on the keychain... :-)
> Passwordless login to your own enterprise systems: Replace your password policy, unauthorized password slips and costly password resets with passwordless login with the Nitrokey 3. Security and acceptance through simplicity. We are happy to advise you on integration.
Are there any more details? How can one configure Windows? I assume it also supports Linux logins. Does it work with sssd?
These instructions apply to Nitrokey 3 too: docs.nitrokey.com/fido2/ It works for Linux logins too. No experience with sssd.
Where is the source code of the OpenPGP implementation used in this version?
It's in early development and not published yet.
Hello! Which secure element is built into it?
NXP SE050
Hi, I'm quite interested. Could you confirm that the full firmware is written in Rust and, if so, could you provide the link to the code? Thanks
Trussed firmware is published already but nothing else yet.
Yes, entire firmware is written in Rust.
Hi, thanks for the information. I see that the Trussed part is indeed open source, but what about the rest of the Nitrokey 3 firmware? Will it be open sourced? Regarding the interactions with the NXP secure element, are the APIs public and will it be released? Thanks in advance for your answers.
Yes, it will be open sourced. NXP's secure element's API is public, see https://www.nxp.com/docs/en/application-note/AN12413-SE050_APDU_specific...
Pre-ordered right away
Is the Yubikey method supported for OTP?
No. Only standard-compliant HOTP and TOTP.
Glad to hear it! Will there soon also be an HSM3 with ED25519 support?
Unfortunately, that is not foreseeable yet.
Is the length of passwords saved into the password manager still limited to 20 characters as in previous models? I already own a Nitrokey and this has been a major limitation for me to actually use the key. I use other password management tools and thus define much longer passwords everywhere I can (i.e. which is almost everywhere). Nitrokeys will remain useless to me as long as this limitation persists and this is unfortunate as I'm otherwise sold on your product. Thanks
Nitrokey 3 has 2 MB of storage so that this limitation will be removed.
How many entries can you save in the password manager? Is this intended as an alternative to a usual password manager or just for special things like before?
The amount is not defined yet, but it will be significantly more than with the current Password Manager.
Second question. Is it possible to protect the key usage via an additional password or something? Or can you use every function as soon as you have physical access?
It will be like with the current Nitrokeys, where smart card, password manager and passwordless login are PIN protected and 2FA functions are not protected (but can be PIN-protected optionally to realize 3FA).
How many ECC key pairs will the new Nitrokeys be able to store?
The exact amount is not determined yet but we have a lot of space and therefore will be able to store plenty of them.
Will there also be a version 3 of the Nitrokey Storage with NFC?
At a later date we also want to release a Nitrokey Storage 3 with NFC, FIDO2.
Will there also be a version WITHOUT NFC? Maybe I'm just paranoid, but wirelessness and security don't seem to be good companions...
Yes, the USB-A Mini will be without NFC.
Thank you very much for the answer! Apart from NFC, will the "USB-A Mini" have the same technical specifications as its bigger brothers?
Yes, NFC and form factor are the only differences.
I'm glad there is finally a Nitrokey that has both FIDO2 and the features of the NK2. Pre-ordered right away, I'm curious!
How many slots are available for TOTP?
The amount is not fixed yet but we have a 2 MB flash storage which provides plenty of space.
Do you plan to release the whole source code of the firmware in Rust (only Trussed is pointed here, which is a very small part)? Are there NDAs on the NXP secure element APIs or will it be public? Also, regarding the firmware updates, what about their security: will there be details on this? Thanks in advance.
Yes, it will be open sourced. NXP's secure element's API is public, see https://www.nxp.com/docs/en/application-note/AN12413-SE050_APDU_specific... The firmware update security utilizes the MCU's Secure Boot.
How many passwords can be stored in the password manager?
The number is not fixed yet, but we have 2 MB available for user data, which should be enough for many passwords.
Is there some functionality like encrypted backups for the password manager? Or what can I do if I lose my nitrokey or the nitrokey gets broken?
We have no plan for this yet. Perhaps in a later firmware version.
Does NFC also work when the Nitrokey is hanging on a keyring? That is, is the NFC antenna not blocked by a metal ring in the hole provided?
That probably won't work. For that we recommend a small key strap.
What's the timeline? When do you expect to ship?
As stated in the article.
Well, there is no date or timeline or any of that sort stated in the article. So does this mean you will never ship?
Sorry, indeed it's not stated in the article but in the linked shop page. We plan to ship it in the 2nd quarter of 2021.
Is there a way to enter long passwords into a text field, for example via long touch, similar to the Yubikey 5?
Possibly with a later firmware update.
Can the Nitrokey 3 be used with an iOS device (iPhone, iPad)? If yes, please specify and provide some details.
