Nitrokey 3A Multi-factor Authentication

Linux

SSH

Security

Published

April 28, 2023

Modified

May 4, 2023

Nitrokey is a German manufacturer of hardware security tokens…

…hardware based asymmetric key cryptography for protection from phishing attacks
…USB devices to connect to a workstation or portable …Bluetooth and NFC for wireless security access
See…

Nitrokey 3 (is planed to) support….

…secure login using One Time Passwords (OTP), U2F or ordinary static passwords
…email encryption with GnuPG, OpenPGP, S/MIME
…FIDO2 and FIDO U2F security protocol standard

Supports Multi-factor authentication (MFA)…

…requires two or more authentication factors to prove your identity
…aka Two-Factor Authentication (2FA)
…two passwords ≠ two-factor authentication …factors must be different

`nitropy`

Command-line interface to interact with Nitrokey 3

Setting udev rules for nitropy…

cd /tmp && wget https://raw.githubusercontent.com/Nitrokey/libnitrokey/master/data/41-nitrokey.rules
sudo mv 41-nitrokey.rules /etc/udev/rules.d/

# ...reload rules
sudo udevadm control --reload-rules && sudo udevadm trigger

Install nitropy…

python3 -m ensurepip
python3 -m pip install --user pipx
python3 -m pipx ensurepath
pipx install pynitrokey

# ...for later upgrades
pipx upgrade pynitrokey

nitropy list lists all connected devices…

…each device type is supported with an individual subcommand
…use nk3 subcommand to interact with Nitrokey 3 devices

Upgrade & Test

Upgrade of the firmware may erase device data depending on the current version…

# ...querying device information
nitropy nk3 version

# ...update firmware
nitropy nk3 update

nitropy nk3 test to test the device functionality…

Running tests for Nitrokey 3 at /dev/hidraw3

[1/4]   uuid            UUID query                      SUCCESS         # key UUID
[2/4]   version         Firmware version query          SUCCESS         v1.3.1
[3/4]   status          Device status                   SUCCESS         # ...
Please press the touch button on the device ...
[4/4]   fido2           FIDO2                           SUCCESS

User PIN

Nitrokey uses PINs instead of password…

…used to get access to the content of the Nitrokey
…at least 6-digits long …up to 16 digits and other characters
…hardware limits the amount of tries to three …blocking the PIN
…a blocked PIN requires a factory reset losing all secret material stored!

Use Chrome(ium) to set the PIN chrome://settings/securityKeys …or use:

>>> nitropy nk3 secrets set-pin
Command line tool to interact with Nitrokey devices 0.4.36
Password: 
Repeat for confirmation: 
Please touch the device if it blinks
Password set

OTP Security Token

One-time password or passcode (OTP)…

…a string of characters or numbers that authenticates a user
…for a single login attempt or transaction
OTP algorithms use two inputs…
- …a seed …static value (secret key) created during registration
- …a moving factor …changes each time a new OTP is requested

$name used as reference for the secret key …typically the name of the service
$secret_key (seed) imported during registration with the authentication service
Variants with option --kind…
- …TOTP Time-based One-time Password…
  - …time-based moving factor
  - …password valid for a limited time (typically 30 to 60 seconds)
- …HOTP Hash-based Message Authentication Code (HMAC) OTP
  - …counter based moving factor
  - …counter valid until revalidation by the authentication server

nitropy nk3 secrets register --kind TOTP $name $secret_key

# ...list the secret keys by name
nitropy nk3 secrets list

# ...remove a credential from the device
nitropy nk3 secrets remove

# ...generate OTP code from registered credential
nitropy nk3 secrets get $name

OpenPGP Smart Card

Still in development…

Nitrokey has OpenPGP smart card support to store cryptographic keys…

…used for email encryption, SSH authentication …other cryptographic use cases
…Nitrokey 3 firmware includes opcard-rs …requires at least v1.4
- …a Rust implementation of the OpenPGP smart card specification v3.4
- …functionality for key generation, key import, signing, decrypting, card administration
- …algorithms X25519 & Ed25519, ECDH & ECDSA over NIST P-256

FIDO

FIDO second-factor authentication framework…

…protection from phishing and channel attacks
…protect user privacy, login credentials and biometrics (when used)
…three sets of protocols…
- …FIDO Universal Second Factor (FIDO U2F)
- …FIDO Universal Authentication Framework (FIDO UAF)
- …FIDO2 (Client to Authenticator Protocols and Web Authentication)

sudo dnf install -y fido2-tools libfido2-devel

# ...list authenticators
fido2-token -L

# ...device information
fido2-token -I ${device:-/dev/hidraw7}

SSH Keys

OpenSSH 8.2 added support for FIDO/U2F hardware security keys …two additional key types…

…ecdsa-sk and ed25519-sk …sk suffix for “security key”
…ssh-keygen used to generate a FIDO token-backed key…

ssh-keygen -t ed25519-sk ...

# ...if the key type above is not supported
ssh-keygen -t ecdsa-sk ...

Resident Keys

See related bugs on GitHub

FIDO2 standard support resident keys…

…“resident” means that the key is effectively retrievable from the token
…increases the likelihood of an attacker being able to use a stolen token device
- …tokens should enforce PIN authentication before allowing download of keys
- …users should set a PIN on their tokens before creating any resident keys

# ...generate a resident key
ssh-keygen -O resident ...

Option -K loads resident keys from a FIDO authenticator

# ...download resident keys from a hardware token
ssh-keygen -K ...

# ...download and add resident keys directly to ssh-agent
ssh-add -K

Resident keys are indexed on the token by the application string…

…ssh: with empty user ID by default
Multiple resident keys on a single token…
- …overwrite default with -O application= or -O user=
- …application string requires a ssh: prefix

ssh-keygen -t ed25519-sk -O resident -O user=<username> -O application=ssh:<string> ...

Key Handler

Not supported…

…non-resident key mode:

ssh-keygen -t ed25519-sk -f ~/.ssh/path/id_ed25519_sk

Private portion of the key pair stored on the hardware token…

…none of the sensitive information ever leaves the hardware token
…key handle part stored in the private key file on the host
…references the security key on the hardware token

Actual private key combined by the hardware at authentication time…

…to sign authentication challenges
…usually requires PIN and/or tap of the hardware token to confirm generation

Unless -O no-touch-required option used during generation…

…sshd rejects no-touch-required keys by default …
…enable it for an individual key in the authorized_keys

no-touch-required sk-ssh-ed25519@openssh.com #....

WebAuthn

Browser-based API that uses registered devices as authentication factors…

…recommended …use other OTP methods as backup/recovery
…web standard published by W3C
- …conforms to the FIDO Client to Authenticator Protocol (CTAP)
- …backward compatible with the FIDO Universal 2nd Factor (U2F)
Modes…
- …single-factor …test of user presence typically button push (no password required)
- …multi-factor …performs user verification with PIN or passcode

--- title: Nitrokey 3A Multi-factor Authentication categories: - Linux - SSH - Security date: 2023/04/28 date-modified: 2023/05/04 --- Nitrokey is a German manufacturer of hardware security tokens... - ...hardware based asymmetric key cryptography for protection from phishing attacks - ...USB devices to connect to a workstation or portable ...Bluetooth and NFC for wireless security access - See... - <https://www.nitrokey.com> - <https://docs.nitrokey.com> - <https://support.nitrokey.com> - <https://github.com/Nitrokey> Nitrokey 3 (is planed to) support.... - ...secure login using One Time Passwords (OTP), U2F or ordinary static passwords - ...email encryption with GnuPG, OpenPGP, S/MIME - ...FIDO2 and FIDO U2F security protocol standard Supports **Multi-factor authentication (MFA)**... - ...requires two or more authentication factors to prove your identity - ...aka Two-Factor Authentication (2FA) - ...two passwords ≠ two-factor authentication ...factors must be different ## `nitropy` Command-line interface to interact with Nitrokey 3 Setting `udev` rules for `nitropy`... ```sh cd /tmp && wget https://raw.githubusercontent.com/Nitrokey/libnitrokey/master/data/41-nitrokey.rules sudo mv 41-nitrokey.rules /etc/udev/rules.d/ # ...reload rules sudo udevadm control --reload-rules && sudo udevadm trigger ``` Install `nitropy`... ```sh python3 -m ensurepip python3 -m pip install --user pipx python3 -m pipx ensurepath pipx install pynitrokey # ...for later upgrades pipx upgrade pynitrokey ``` `nitropy list` lists all connected devices... - ...each device type is supported with an individual subcommand - ...use `nk3` subcommand to interact with Nitrokey 3 devices ### Upgrade & Test Upgrade of the firmware may erase device data depending on the current version... ```sh # ...querying device information nitropy nk3 version # ...update firmware nitropy nk3 update ``` `nitropy nk3 test` to test the device functionality... ```sh Running tests for Nitrokey 3 at /dev/hidraw3 [1/4] uuid UUID query SUCCESS # key UUID [2/4] version Firmware version query SUCCESS v1.3.1 [3/4] status Device status SUCCESS # ... Please press the touch button on the device ... [4/4] fido2 FIDO2 SUCCESS ``` ### User PIN Nitrokey uses PINs instead of password... - ...used to get access to the content of the Nitrokey - ...at least 6-digits long ...up to 16 digits and other characters - ...**hardware limits the amount of tries to three** ...blocking the PIN - ...a **blocked PIN requires a factory reset** losing all secret material stored! Use Chrome(ium) to set the PIN <chrome://settings/securityKeys> ...or use: ```sh >>> nitropy nk3 secrets set-pin Command line tool to interact with Nitrokey devices 0.4.36 Password: Repeat for confirmation: Please touch the device if it blinks Password set ``` ## OTP Security Token One-time password or passcode (OTP)... - ...a string of characters or numbers that authenticates a user - ...for a single login attempt or transaction - OTP algorithms use two inputs... - ...a **seed** ...static value (secret key) created during registration - ...a **moving factor** ...changes each time a new OTP is requested Register a new credential with the device... - `$name` used as reference for the secret key ...typically the name of the service - `$secret_key` (seed) imported during registration with the authentication service - Variants with option `--kind`... - ...**TOTP** Time-based One-time Password... - ...time-based moving factor - ...password valid for a limited time (typically 30 to 60 seconds) - ...**HOTP** Hash-based Message Authentication Code (HMAC) OTP - ...counter based moving factor - ...counter valid until revalidation by the authentication server ```sh nitropy nk3 secrets register --kind TOTP $name $secret_key # ...list the secret keys by name nitropy nk3 secrets list # ...remove a credential from the device nitropy nk3 secrets remove # ...generate OTP code from registered credential nitropy nk3 secrets get $name ``` # OpenPGP Smart Card **Still in development...** Nitrokey has OpenPGP smart card support to store cryptographic keys... - ...used for email encryption, SSH authentication ...other cryptographic use cases - ...Nitrokey 3 firmware includes [opcard-rs][opcard] ...**requires at least v1.4** - ...a Rust implementation of the OpenPGP smart card specification v3.4 - ...functionality for key generation, key import, signing, decrypting, card administration - ...algorithms X25519 & Ed25519, ECDH & ECDSA over NIST P-256 [opcard]: https://github.com/Nitrokey/opcard-rs # FIDO [FIDO](https://fidoalliance.org) second-factor authentication framework... - ...protection from phishing and channel attacks - ...protect user privacy, login credentials and biometrics (when used) - ...three sets of protocols... - ...FIDO Universal Second Factor (FIDO U2F) - ...FIDO Universal Authentication Framework (FIDO UAF) - ...FIDO2 (Client to Authenticator Protocols and Web Authentication) ```sh sudo dnf install -y fido2-tools libfido2-devel # ...list authenticators fido2-token -L # ...device information fido2-token -I ${device:-/dev/hidraw7} ``` ## SSH Keys OpenSSH 8.2 added support for FIDO/U2F hardware security keys ...two additional key types... - ...`ecdsa-sk` and `ed25519-sk` ...`sk` suffix for "security key" - ...`ssh-keygen` used to generate a FIDO token-backed key... ```sh ssh-keygen -t ed25519-sk ... # ...if the key type above is not supported ssh-keygen -t ecdsa-sk ... ``` ### Resident Keys **See related bugs on GitHub** FIDO2 standard support resident keys... - ...“resident” means that the key is effectively retrievable from the token - ...**increases the likelihood of an attacker being able to use a stolen token device** - ...tokens should enforce PIN authentication before allowing download of keys - ...users should set a PIN on their tokens before creating any resident keys ```sh # ...generate a resident key ssh-keygen -O resident ... ``` Option `-K` loads resident keys from a FIDO authenticator ```sh # ...download resident keys from a hardware token ssh-keygen -K ... # ...download and add resident keys directly to ssh-agent ssh-add -K ``` Resident keys are indexed on the token by the application string... - ...`ssh:` with empty user ID by default - Multiple resident keys on a single token... - ...overwrite default with `-O application=` or `-O user=` - ...application string requires a `ssh:` prefix ```sh ssh-keygen -t ed25519-sk -O resident -O user=<username> -O application=ssh:<string> ... ``` ### Key Handler **Not supported...** ...non-resident key mode: ```sh ssh-keygen -t ed25519-sk -f ~/.ssh/path/id_ed25519_sk ``` Private portion of the key pair stored on the hardware token... - ...none of the **sensitive information ever leaves the hardware token** - ...key handle part stored in the private key file on the host - ...references the security key on the hardware token Actual private key combined by the hardware at authentication time... - ...to sign authentication challenges - ...usually **requires PIN and/or tap of the hardware token** to confirm generation Unless `-O no-touch-required` option used during generation... - ...`sshd` rejects no-touch-required keys by default ... - ...enable it for an individual key in the `authorized_keys` ```sh no-touch-required sk-ssh-ed25519@openssh.com #.... ``` ## WebAuthn Browser-based API that uses registered devices as authentication factors... - ...recommended ...use other OTP methods as backup/recovery - ...web standard published by W3C - ...conforms to the FIDO Client to Authenticator Protocol (CTAP) - ...backward compatible with the FIDO Universal 2nd Factor (U2F) - Modes... - ...single-factor ...test of user presence typically button push (no password required) - ...multi-factor ...performs user verification with PIN or passcode