The New Nitrokey 3 With NFC, USB-C, Rust, Common Criteria EAL 6+

The new Nitrokey 3 is the best Nitrokey we have ever developed. It offers NFC, USB-C and USB-A Mini (optional) for the first time. The Nitrokey 3 combines the features of previous Nitrokey models: FIDO2, one-time passwords, OpenPGP smart card, Curve25519, password manager, Common Criteria EAL 6+ certified secure element, firmware updates. This reliably protects your accounts against phishing and password theft, and encrypts your communications and data. With strong hardware encryption, trustworthy thanks to open source, quality made in Germany.

Pre order now!

Use Cases

For private and corporate use - protection against mass surveillance and hackers

  • Passwordless login: Forget your password to log in to Microsoft services (e.g. Office 365) and Nextcloud and use Nitrokey for passwordless login instead.
  • Protect online accounts using two-factor authentication (2FA): Nitrokey is your key to secure login to websites (e.g. Google, Facebook; overview at www.dongleauth.info). Using FIDO2, FIDO U2F, or one-time passwords (OTP), your accounts remain secure even if your password is stolen.
  • Phishing protection: When using FIDO, the respective domain is automatically checked and users are effectively protected against phishing attacks.
  • Mobile usage with smartphones: Using FIDO and NFC, you can also securely access your accounts on Android and iPhone smartphones.
  • Encrypt data and emails: Encrypt your emails with GnuPG, OpenPGP, S/MIME, Thunderbird or Outlook. Encrypt entire hard drives using TrueCrypt/VeraCrypt, LUKS or individual files using GnuPG. Your private keys are securely stored in Nitrokey and cannot be exported/stolen.

For companies - protection against hackers and industrial espionage

  • Passwordless logon to Windows 10 computers: Employees will be able to log in to their Windows 10 Pro computers managed by Azure Active Directory without passwords. All that is required is a Nitrokey 3.
  • Passwordless login to your own enterprise systems: Replace your password policy, unauthorized password slips and costly password resets with passwordless login with the Nitrokey 3. Security and acceptance through simplicity. We are happy to advise you on integration.

For IT administrators and security experts - protect critical infrastructure

  • Administering servers securely with SSH: Always have your SSH key securely with you in Nitrokey. Your key is PIN protected and cannot be exported/stolen from the Nitrokey. This eliminates the insecure and annoying synchronization of key files on client systems.
  • Protect Internet of Things (IoT) and own products: Protect your own hardware products by integrating Nitrokey. Ideal for remote maintenance and ensuring product authenticity.
  • Store cryptographic keys securely: Store cryptographic keys and certificates securely in Nitrokey, preventing their theft.
  • Protect computer BIOS integrity: Using the Nitrokey and Measured Boot, the integrity of the computer BIOS/firmware is verified. The colored LED of the Nitrokey signals whether the BIOS has integrity (green) or whether tampering has been detected (red). Compatible e.g. with NitroPads.

Functions

  • FIDO U2F, FIDO2 for passwordless login: FIDO sets new standards in easy usability and thus achieves high acceptance. FIDO reliably protects your accounts against password theft and phishing.
  • Disabled passwords to protect accounts against identity theft: Protect your accounts against identity theft. One-time passwords are generated in Nitrokey and serve as a second authentication factor for logins (in addition to your normal password). Thus, your accounts remain secure even if your password is stolen.
  • Secure cryptographic key storage: Store your private keys for encrypting emails, hard drives or individual files securely in Nitrokey. This way they are protected against loss, theft and computer viruses and are always with you. Key backups protect against loss.
  • Password Manager: Store your passwords securely encrypted in the integrated password manager. This way you always have your passwords with you and they remain protected even if you lose your Nitrokey.
  • Integrity Check / Tamper Detection: Verify the integrity from the computer BIOS using Verified Boot. The Nitrokey's colored LED indicates whether the BIOS has integrity (green) or tampering has been detected (red). Supported computers require a BIOS based on Coreboot and Heads such as the NitroPad.

Security Technology

The Nitrokey 3 is based on a novel security architecture:

  • All firmware is developed in the memory-safe programming language Rust. This avoids potentially security-critical memory errors.
  • The firmware is based on the framework Trussed developed in Rust, which is designed for security-critical embedded systems and developed in cooperation with our partner SoloKeys. Among other things, Trussed implements cryptographic operations. Of course, the code is published as open source.

    Trussed logo

  • The hardware is based on the LPC55S6x microprocessor, which has numerous security features, such as Secure Boot, ARM TrustZone, Physical Unclonable Functions (PUF).
  • Additionally, a Secure Element, quasi a smart card, is used for the cryptographic memory. This has been security-certified up to the operating system level according to Common Criteria EAL 6+ and thus also meets high security requirements. Due to the power requirement, the secure element can only be used via USB but not via NFC.
  • As with all Nitrokey developments, Nitrokey 3 is open source, so the secure implementation can be reviewed by anyone.

Pre order now!

 

4.3.2021

Comments

It should work with all NFC-capable devices with most recent iOS.
Wird man den Nitrokey 3 mit iOS Geräten (iPhone, iPad) verwenden können? Falls ja, bitte ausführen - welche iPhone- / iPad-Modelle? - ab welcher iOS Version? - welche Verbindung? (NFC? USB-C?) - welche Anwendung(en)? - ist eine iOS App geplant? - sonstiges
FIDO2 funktioniert mit allen Geräten mit NFC-Schnittstelle und aktuellem iOS. Ältere iOS Versionen und USB könnten funktionieren, haben wir aber nicht getestet. Eine iOS App planen wir nicht.
Werden die 2MB Storage direkt anwählbar sein oder nur über die Nitrokey Software, Stichwörter: Backup oder speichern einer Keepass-Db?
Vorerst werden wir die MB für die interne Speicherung von Daten verwenden. Für die Speicherung von Dateien ist der Nitrokey Storage gedacht.
Will the OpenPGP implementation support ed25519?
yes
Es sieht so aus als hätten die Nitrokeys 3 USB-A und USB-C ein Tastenfeld und der Mini nicht. Wozu?
Alle drei Modelle haben einen Touch Sensor.
Wird der Nitrokey 3 vom Mac mit M1 Prozessor unterstützt?
Grundsätzlich ja. Die Frage ist welchen Anwendungsfall genau? Unsere Nitrokey App ist für Einmalpasswörter und Passwort-Safe nötig, und die gibt es noch nicht für M1. Das werden wir aber in nächster Zeit machen. Für FIDO2/U2F und GnuPG ist keine solche Zusatzsoftware nötig und daher funktioniert es problemlos.
Wird es auch einen Nitrokey Storage 3 USB-A MINI ohne NFC geben? Und wenn ja, gibt es schon einen ungefähren Zeitplan?
Es wird irgendwann einen Nitrokey Storage 3 geben, aber nicht im Mini Format, möglicherweise aber in einer Größe wie der Nitrokey Pro. Einen konkreten Plan und Datum gibt es noch nicht.
I assume SSH keys will be able to be generated via gpgkey2ssh. Will it be possible to have multiple different identities with separate PGP keys? So to have separate SSH keys for work, private, etc?
yes
I see the exact number of keys is not determined yet ? I want to use using 3 authentication keys, 1 encryption. compatible with microsoft Smartcard minidriver. (nice to have gpg smartcard function), and fido2 Is this asking to much ?
That should be working easily.
Is there a hardware OpenPGP v3.4 smart card or is all the PGP stuff done Software side, like in Nitrokey Start?
OpenPGP smart card's security will be implemented by SE050. Optionally, a software-only implementation like with Nitrokey Start can be used.
Ist auch otp per Android Smartphone möglich?
Nein. Wir haben leider keine Android oder iOS app.
ich hab gleich zwei fragen zu den Sticks. könntet Ihr die https://www.nitrokey.com/de#comparison mal vervollständigen mit dem NitroKey 3 (zumindest kann ich mir dann ein besseres Bild darüber machen was dier 3er können soll wenn er mal rauskommt. Und wie lange hälten sich die unterschiedlichen KEY's, Passwortlisten auf dem Stick denn so (also im Tresor oder Nachtschränkchen also in dem Fall das man einen zweiten als Ersatz hat der aber nie genutzt wird) bei SSD, SD, USB-Datensticks und so sagt man ja das die ca. 2 Jahre ohne sie anschließen zu müssen ihre Daten halten können. Wie sieht es mit den NitroKey 3 da so aus.
Die Tabelle werden wir noch aktualisieren. Die Datenspeicherdauer wird mehrere Jahre betragen, ohne ein zwischenzeitliches Einstecken.
HMAC-SHA1 Challenge Response für KeepassXC geplant?
Ja, via FIDO2. Soweit ich weiß soll das auch mit KeepassXC funktionieren oder ist dort in Entwicklung.
Mir ist gerade unklar: Kann der Nitrokey 3 alle Features des Nitrokey Pro 2 und ist damit auch dessen Nachfolger?
ja
Kann der Nitrokey 3 auch, wie der Nitrokey Start, mehrere Identitäten und PGP-Schlüssel?
ja
Is the touch button intended to be used for confirmation before the password is extracted? On non-mini models is it a physical button, or is it triggered based on the electric capacity of the finger?
All models contain a touch sensor, based on electric capacity. It is used to confirm FIDO operations and key operations (OpenPGP Card). Not sure if we want to use it for the password manager too. It sounds like a good idea but we need to test how well it works in practice...
None of keys comes with a cap, correct?
Nitrokey 3A NFC contains a cap.
Hallo, wann werden die neuen Nitrokeys vermutlich ausgeliefert?
Im 2. Quartal 2021
I bought a couple of solokeys a few weeks ago. From what I remember, they ought to support GPG keys "soon" back in 2019/20 which they actually don't do up until now. Will I make similar experiences with the new nitro keys?
No. We started almost all our products as a pre-order and always stick to our promises.
I'm an enthusiast suer and I preorderd a couple of keys. Is there any ETA?
2nd Quarter 2021
1) Is NFC only working for FIDO? 2) Is the public key (FIDO) transferred over NFC?
1) yes 2) yes, as specified in WebAuthn.
Is there a plan to support keepassxc? Which offline Password Managers do you support?
We are waiting for this issue to be solved in KeepassXC https://github.com/keepassxreboot/keepassxc/issues/3560
Are there significant differences in hardware between regular and mini variants (except NFC)? It is possible to fit LPC55S6x into mini (packaged as VFBGA98), but is it possible to fit SE050 as well? What about reliability? It is obvious that regilar model should be more reliable just because it is bigger (less stress on the connector) and most likely has some extra circuitry to protect against static discharge on usb ports. Will it be possible to disable NFC functionality?
Beside of NFC and USB the hardware is pretty much identical among all NK3 models including SE050. Regarding physical reliability, we don't expect any significant differences but that has to be proven in practice. The casing of Nitrokey 3A NFC has already been proven for years so in doubt this would be the most safe bet. Yes, NFC can be disabled in software.

Pages

Add new comment

Fill in the blank.