The New Nitrokey 3 With NFC, USB-C, Rust, Common Criteria EAL 6+

The new Nitrokey 3 is the best Nitrokey we have ever developed. It offers NFC, USB-C and USB-A Mini (optional) for the first time. The Nitrokey 3 combines the features of previous Nitrokey models: FIDO2, one-time passwords, OpenPGP smart card, Curve25519, password manager, Common Criteria EAL 6+ certified secure element, firmware updates. This reliably protects your accounts against phishing and password theft, and encrypts your communications and data. With strong hardware encryption, trustworthy thanks to open source, quality made in Germany.

Pre order now!

Use Cases

For private and corporate use - protection against mass surveillance and hackers

  • Passwordless login: Forget passwords for logging in to Microsoft services (e.g. Office 365) and Nextcloud, and use Nitrokey for passwordless login instead.
  • Protect online accounts using two-factor authentication (2FA): Nitrokey is your key to secure login to websites (e.g. Google, Facebook; overview at www.dongleauth.com). Using FIDO2, FIDO U2F, or one-time passwords (OTP), your accounts remain secure even if your password is stolen.
  • Phishing protection: When using FIDO, the respective domain is automatically checked and users are effectively protected against phishing attacks.
  • Mobile usage with smartphones: Using FIDO and NFC, you can also securely access your accounts on Android and iPhone smartphones.
  • Encrypt data and emails: Encrypt your emails with GnuPG, OpenPGP, S/MIME, Thunderbird or Outlook. Encrypt entire hard drives using TrueCrypt/VeraCrypt, LUKS or individual files using GnuPG. Your private keys are securely stored in Nitrokey and cannot be exported/stolen.

For companies - protection against hackers and industrial espionage

  • Passwordless logon to Windows 10 computers: Employees will be able to log in to their Windows 10 Pro computers managed by Azure Active Directory without passwords. All that is required is a Nitrokey 3.
  • Passwordless login to your own enterprise systems: Replace your password policy, unauthorized password notes and costly password resets with passwordless login using the Nitrokey 3. Security and acceptance through simplicity. We are happy to advise you on integration.

For IT administrators and security experts - protect critical infrastructure

  • Administering servers securely with SSH: Always have your SSH key securely with you in Nitrokey. Your key is PIN protected and cannot be exported/stolen from the Nitrokey. This eliminates the insecure and annoying synchronization of key files on client systems.
  • Protect Internet of Things (IoT) and own products: Protect your own hardware products by integrating Nitrokey. Ideal for remote maintenance and ensuring product authenticity.
  • Store cryptographic keys securely: Store cryptographic keys and certificates securely in Nitrokey, preventing their theft.
  • Protect computer BIOS integrity: Using the Nitrokey and Measured Boot, the integrity of the computer BIOS/firmware is verified. The colored LED of the Nitrokey signals whether the BIOS has integrity (green) or whether tampering has been detected (red). Compatible e.g. with NitroPads.
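As an added example (not code from Nitrokey or the Nitrokey 3 project), a POSIX shell audit for the SSH use case above and the ecdsa-sk/ed25519-sk question in the comments: it distinguishes FIDO hardware-backed keys (the sk-ssh-ed25519@openssh.com and sk-ecdsa-sha2-nistp256@openssh.com types that `ssh-keygen -t ed25519-sk` and `-t ecdsa-sk` produce) from software keys in an authorized_keys file, so an administrator can check that only token-resident keys are accepted. The sample entries are constructed and the key blobs are placeholders.

```shell
#!/bin/sh
# Added example, not Nitrokey's code. Audits authorized_keys entries:
# FIDO-backed "sk-*" key types vs. software-only key types.
# Constructed sample input; key blobs are placeholders, not real keys.
SAMPLE_KEYS='sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29t admin@nk3
verify-required sk-ecdsa-sha2-nistp256@openssh.com AAAAInNrLWVjZHNhLXNoYTItbmlzdHAyNTZAb3BlbnNzaC5jb20 ops@nk3
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER legacy@laptop
# comment line
ssh-rsa AAAAB3NzaC1yc2EPLACEHOLDER old@desktop'

# Print the key type of one authorized_keys line, skipping leading options
# such as "verify-required" or "no-pty". Prints nothing for comments/blank
# lines. (Options containing quoted spaces, e.g. command="...", are not handled.)
key_type_of_line() {
    line=$1
    case $line in
        ''|'#'*) return 0 ;;
    esac
    for tok in $line; do
        case $tok in
            sk-ssh-ed25519@openssh.com|sk-ecdsa-sha2-nistp256@openssh.com|ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp*|ssh-dss)
                printf '%s\n' "$tok"; return 0 ;;
        esac
    done
}

# Count hardware-backed (sk-*) and software-only entries in the given text.
# Reports each software-only key on stderr and prints "hw=<n> sw=<m>".
audit_authorized_keys() {
    hw=0; sw=0
    while IFS= read -r line || [ -n "$line" ]; do
        t=$(key_type_of_line "$line")
        case $t in
            '') ;;
            sk-*) hw=$((hw + 1)) ;;
            *) sw=$((sw + 1)); printf 'software-only key: %s\n' "$t" >&2 ;;
        esac
    done <<EOF
$1
EOF
    printf 'hw=%d sw=%d\n' "$hw" "$sw"
}

audit_authorized_keys "$SAMPLE_KEYS"
```

Run it against a real file with `audit_authorized_keys "$(cat ~/.ssh/authorized_keys)"`; a non-zero `sw` count means keys that live on disk rather than in a token are still accepted.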

Functions

  • FIDO U2F, FIDO2 for passwordless login: FIDO sets new standards in easy usability and thus achieves high acceptance. FIDO reliably protects your accounts against password theft and phishing.
  • One-time passwords to protect accounts against identity theft: One-time passwords are generated in Nitrokey and serve as a second authentication factor for logins (in addition to your normal password). Thus, your accounts remain secure even if your password is stolen.
  • Secure cryptographic key storage: Store your private keys for encrypting emails, hard drives or individual files securely in Nitrokey. This way they are protected against loss, theft and computer viruses and are always with you. Key backups protect against loss.
  • Password Manager: Store your passwords securely encrypted in the integrated password manager. This way you always have your passwords with you and they remain protected even if you lose your Nitrokey.
  • Integrity Check / Tamper Detection: Verify the integrity of the computer BIOS using Verified Boot. The Nitrokey's colored LED indicates whether the BIOS has integrity (green) or tampering has been detected (red). Supported computers require a BIOS based on Coreboot and Heads, such as the NitroPad.

Security Technology

The Nitrokey 3 is based on a novel security architecture:

  • All firmware is developed in the memory-safe programming language Rust. This avoids potentially security-critical memory errors.
  • The firmware is based on the framework Trussed developed in Rust, which is designed for security-critical embedded systems and developed in cooperation with our partner SoloKeys. Among other things, Trussed implements cryptographic operations. Of course, the code is published as open source.


  • The hardware is based on the LPC55S6x microprocessor, which has numerous security features, such as Secure Boot, ARM TrustZone, Physical Unclonable Functions (PUF). Update: The hardware is based on different microprocessors that support Secure Boot and other security features.
  • Additionally, a Secure Element, essentially a smart card, is used as the cryptographic key store. It has been security-certified up to the operating system level according to Common Criteria EAL 6+ and thus also meets high security requirements. Due to its power requirement, the secure element can only be used via USB, not via NFC.
  • As with all Nitrokey developments, Nitrokey 3 is open source, so the secure implementation can be reviewed by anyone.


Status Update, 8/25/2021

  • The development of the Nitrokey 3C NFC casing has been completed.
  • Planned delivery date for the PCBs is week 40. The subsequent assembly is planned to take a few days.

Status Update, 8/11/2021

  • Development of the Nitrokey 3A Mini and Nitrokey 3C NFC enclosures has made significant progress. We plan to complete the enclosure development concurrently with the availability of the assembled electronics.
  • The required NFC chips have been delivered and tested successfully. Barring any further supply bottlenecks, the electronics will be assembled shortly.
  • In order to achieve the best possible availability despite the global electronics shortage, we will equip the Nitrokey 3 with different microprocessors. Users will not notice this internal difference, but for us it means more effort. Therefore we had to redesign the electronics of the NK3A Mini using the nRF52. We expect the electronics samples next week. We have already got the firmware working on the nRF52 but the porting is not finished yet.

We plan to start shipping the Nitrokey 3A NFC and 3C NFC first. The Nitrokey 3A Mini is expected to start a little later. We are now waiting for our contract manufacturer to assemble it. We can't give a specific delivery date yet but it shouldn't be long.
 

Status Update, 6/11/2021

In the last months and weeks the development of the Nitrokey 3 has made significant progress. Nevertheless, its delivery will unfortunately have to be delayed, especially due to lack of electronics.

We have achieved:

  • The electronics development is finished and the electronics work stably.
  • The firmware has FIDO2, which can be used via USB and NFC.


In work at the moment is:

  • Electronics procurement and production has started
  • Firmware development of one-time passwords (OTP) and the password safe.
  • Porting of firmware to the nRF52 microprocessor. This is important to be able to avoid future supply shortages that we are facing due to the global electronics shortage.


The delivery of the Nitrokey 3 depends on:

  • We are waiting for an electronics component to arrive no later than July.
  • Completion of the case development


It is anticipated that the Nitrokey 3 will ship in the next few weeks or during the summer. We apologize for the delay and ask for your understanding.

25.8.2021

Comments

Q2 is here. Have you started shipping yet?
No, we want to ship the Nitrokeys in the course of this quarter.
The USB-A Mini is interesting. For NFC I can only think of very rare use cases. - Current phones have an integrated FIDO2-capable chip. - Due to the low power supply over NFC, the functions are mostly limited to FIDO2 and FIDO U2F. TOTP and encryption/decryption are surely only possible over USB. A PIN-protected Nitrokey with direct PIN entry like the OnlyKey would be interesting to me.
Feeling a bit silly asking this question, when you have so many knowledgeable tech people query your upcoming Nitrokey as I am a newbie to this area, but will this new USB be able to unlock a Big Sur Mac? Can I use the Nitrokey to fill the Mac’s Password Login? Also can I change the passwords on the key regularly, or are the passwords fixed and not able to be updated once set? Also, could someone please explain how the NFC is used. Apologies for my ignorance, but think this could help me make my digital life and password security/strength way more secure?
Unlocking macOS should work with PIV which we plan to implement. Ohh, this was secret... Passwords can be updated. NFC and FIDO2 are used to login to websites. In such case, when prompted by the website, simply put the Nitrokey on your NFC-capable phone (e.g. iPhone) and that will confirm the login.
Is it possible to use ed25519-sk ssh keys or can i only use ecdsa-sk like the current fido key?
ed25519-sk ssh keys will be supported eventually.
For people that manage their private keys on an air-gapped machine, is there a way to upgrade the firmware without an internet connection?
Yes. Currently our software expects an online connection to download the firmware automatically but that can easily be modified to provide a local file instead.
Will vulnerabilities of Nitrokeys mentioned in the report "Security and Trust in Open Source Security Tokens" of iacr org be fixed with vanilla firmware when you release Nitrokey 3, or will you prepare a firmware update close to release?
I expect those to be addressed by the very first release, because Nitrokey 3 uses an entirely different architecture.
I've read that you'll be using Secure Boot; will it still be possible to flash custom firmware to the USB-A Mini Nitrokey 3 over USB? Or will that require accessing pins not exposed over USB (and therefore a Nitrokey where they are more accessible)?
For security reasons the MCU will be locked. In order to allow custom firmware, we plan to ship a hacker-edition.
Thanks, that is reassuring. Is it already possible to pre-order such a hacker edition, or will I have to wait until pre-ordering of the normal Nitrokey 3 has finished?
We want to focus on "normal" Nitrokey 3 first and ship those before offering a hacker edition.
Would Nitrokey 3 have a HSM version?
Currently not planned. Any specific feature you miss of the Nitrokey HSM 2?
Are there new timelines for when it is coming now?
Hello. So when is it coming? I pre-ordered specifically. Martin
See the status update above in the article.
Which OpenPGP version is the smart card app going to support?
The latest 3.4
Will they start shipping out on June?
Please see the status update in the article above.
Hello! Is there any update on the delivery schedule? I have also preordered and the latest news is from March. Now it is nearly June. Any update?
Please see the status update in the article above.
The Nitrokey 3 series is a really welcome addition. I really like the mini form factor. Thank you for all your hard work on accomplishing this. Hopefully, at some point you will also be introducing a 'Nitrokey 3C Mini', so we can keep it connected to our mobile phones. Similarly to Yubikey 5C nano.
My address changed since the original order. Will we be asked to confirm the delivery address before the actual shipment?
Not automatically. Please send the update to shop@
Thanks
I cannot find any information about water resistance. Is it really not resistant at all? Almost all competitors are water resistant now (the Solokey v2 is as well). I think this is a requirement for something carried around 24/7. I can see that this has been asked for for the previous key as well.
We never heard of *any* water accident which resulted in our device failure since Nitrokey exists (for 6.5 years).
Hi, will I be able to use OpenPGP and PKCS#11 or PIV at the same time, or is there a shared resource that scdaemon(1) will be locking exclusively?
As far as I know since the new GnuPG release 2.3.0 the connection exclusiveness should be removed, and instead shared by reusing the one made from OpenSC (which provides the PIV and pkcs11 access).
The general description says LPC55S6x will serve as the MCU, but the June status update says you're porting the FW to nRF52, so will that one be used instead? And if so, which specific version?
The 1st batch will have the LPC55S6x and the next ones will be equipped with Nordic nRF52840. We expect that both will have the same functionalities and the difference will not be noticeable for the user.
Why did you choose the nRF52 as a backup SoC if researchers have already demonstrated a successful fault injection attack on it? limitedresults.com/2020/06/nrf52-debug-resurrection-approtect-bypass-part-2/
In general MCUs don't have 100% protection against tampering. Over time most MCUs seem to get broken sooner or later. This is why we include a secure element, so that we don't rely on the MCU's protection.
I just wanted to order 2 Nitrokeys from you, but the shipping costs of €11.94 within Germany put me off buying after all. If I want to order 5, I am asked to pay €39.71 for shipping. I have no understanding at all for these utopian shipping costs. I would be interested to know how the shipping costs are made up?
Hello, yes, something is wrong there. The shipping costs should of course not be multiplied by the number of Nitrokeys. Please simply send the order to shop@nitrokey.com until we have solved the problem.
How will the "real-world wear and tear proofing" look like? I.e., I own quite a few nitrokeys and I love them, but I have always felt that I am a bit worried about their resistance to wear / tear / water etc since they are on my keyring all the time and quite exposed. Though I have not had any failures yet in quite a few years of use, this is still a "fear factor" for me. Any hope that you may put special emphasis on making these tough? Could there be some form of IP67 or IP68 version, with maybe a water tight body and a quite water tight connector protector? That would have a lot to say for me and I would happily pay extra money for that (and I am not alone, know quite many people who think the same).
We try to stress-test the devices a lot from mechanical perspective, clearly the trade-off is here robustness vs. handling, i.e., adding robustness mostly implies a bigger, chunkier casing. Although, as of today we have not planned to do any kind of IP-certification or more specific toughness tests/certifications. But we also see increasing demand for this, so I would not exclude it entirely for the future.
I would like to use such a stick for my mom, since she has trouble remembering all the passwords. Will it be possible to import existing passwords into the password manager? Will there be a nice GUI for Linux to manage the passwords? Micha
We are currently working on a next-generation nitrokey-app, which is to be improved particularly in the area of password management. Importing new passwords is not high on the to-do list at the moment, but I would be far from ruling it out.
An OLED for OTP, e.g. to access the nitrokey, would also be something nice.
That would indeed be nice; I personally would like something like that too, but at the moment that is unfortunately more of a dream. The development effort and correspondingly the cost as a product for the customer would be quite off-putting and unfortunately not profitable.
As much as I look forward to the Nitrokey 3, the endless delays annoy me...
We understand very well; we are doing our best. Against the semiconductor shortage, however, only waiting and countersteering are currently possible; we are trying the latter as best we can, as also described in the article.
Are the shop prices for delivery correct at the moment? They seem to increase with the amount of keys ordered (but it does not seem to be linear), they change after the page has finished refreshing (for a few seconds they show up at some value, and then they change to a higher value), and also seem to spike depending on whether express shipping is selected or not before refreshing the page.
Hey, yes, there is a bug currently in the shop. You can either wait until the upcoming week (then it should be fixed) or you can order and write an email to shop@nitrokey.com with your order no. and we'll update your receipt/order.