With the mounting online security risks, simple one-step security no longer suffices, and people resort to multiple layers of security to thwart increasingly sophisticated attacks on their digital assets and online privacy. An advanced form of security defense often employed in financial sectors and other corporate environments is hardware-based protection, where a tamper-proof physical security key (also known as “security token” หรือ “hardware token”) acts as a protection layer for secret software keys or login credentials. The hardware based security can be useful in various contexts, for example to implement things like รับรองความถูกต้องสองปัจจัย, VPN access control, secure password vault, และอื่น ๆ.
If you are a DIY type of guy, you might be tempted to create your own USB-based security key using an off-the-shelf USB thumbdrive. อย่างไรก็ตาม, commodity USB drives are intrinsically vulnerable to viruses or malware specifically targeting the repgrammable nature of stock USB firmware. Personally I would not trust my private key with a $5 USB thumbdrive.
Recently I stumbled across USB-based security key hardware called Nitrokey (formerly known as “Crypto Stick”), and really liked it. Nitrokey is not a cheap USB memory stick, but its price range (20-50 USD) is still affordable, and given its all-in-one versatile security capabilities, I don’t think it is overpriced. ในโพสต์นี้, I will specifically talk about Nitrokey Pro model and present its real-world use cases.
What is Nitrokey Pro?
สั้น, Nitrokey Pro is a tamper-proof, PIN-protected, secure key storage hardware with a USB interface. It has an embedded smart card which implements various open security standards such as the OpenPGP protocol, S/MIME, HOTP (HMAC-based one time password) and TOTP (time-based one time password). Thus once you store your secret keys on Nitrokey Pro, it is able to sign, เข้ารหัสลับ, decrypt and authenticate on the hardware itself, and thus your secret keys will never be exposed to the computer the smart card is connected to. This gives you a peace of mind when you need to run various security tasks on an untrusted (potentially malware-ridden) third-party computer. OATH one-time passwords generated by Nitrokey Pro are compatible with Gmail, Dropbox, AWS and many other websites. Nitrokey Pro also has a secure password vault built-in, allowing you to store your hard-to-remember login credentials on the tamper-proof hardware should you not trust any software password manager.
All these goodies aside, what I like the most about Nitrokey is its openness. As they say, “proprietary security” ไม่ปลอดภัย, and that motivates folks at Nitrokey to open up both hardware and software of their products to the open-source community, so they can be audited and vetted for any security flaws. You can access 100%-open PCB hardware design, firmware and software source code of all Nitrokey smart card lineup at their official Github repository.
In the rest of this article, I will show you how to set up Nitrokey Pro on Linux computer, and demonstrate how to use it in several real-world scenarios.
Set up Nitrokey Pro on Linux
To set up Nitrokey Pro on Linux, first plug the card into your computer’s USB port. If you are running the latest Linux distribution, it should have no problem finding the necessary USB device driver for the card. Use the lsusb command to verify that Nitrokey Pro is visible on your system, in which case the card will show up as “Clay Logic.”
Once you verify the USB device is recognized, you need to set up udev rule for Nitrokey Pro USB device, and restart udev service as follows.
$ wget https://www.nitrokey.com/sites/default/files/40-nitrokey.rules
$ sudo cp 40-nitrokey.rules /etc/udev/rules.d/
$ sudo service udev restart
ถัดไป, ดาวน์โหลดและติดตั้ง Nitrokey App. This dedicated GUI app is needed if you want to use Nitrokey Pro to generate one-time passwords or use it as a password manager. In most other cases, อย่างไรก็ตาม, Nitrokey App is not required to operate Nitrokey USB key.
To install Nitrokey app on Linux desktop:
On Debian-based system:
$ sudo apt-get install gdebi-core
$ sudo gdebi nitrokey-XXXXXX.deb
On Red Hat-based system:
$ sudo rpm -ivh nitrokey-XXXXXX.rpm
After installing Nitrokey App, launch the app as follows.
If the app is successfully hooked up with the Nitrokey USB hardware, it will show “Nitrokey connected” แจ้งเตือนบนเดสก์ท็อป.
Nitrokey Pro smart card is protected with two PINs: user PIN (default: 123456) and admin PIN (default: 12345678). Be careful with those PINs as more than three incorrect typing of the user PIN will lock you out of the card (unless the admin PIN overrides it), and more than three incorrect typing of the admin PIN will destroy the USB key hardware irreparably. Such stringent PIN-based hardware protection is vital in case the smart card falls into the wrong hands.
Once the Nitrokey Pro becomes accessible on your system, the first thing to do is to change the default user/admin PINs. สำหรับเรื่องนี้, right-click on Nitrokey icon at the top of the desktop, และไป “ตั้งค่าคอนฟิก” เมนู. There you will be able to change both user and admin PINs.
Note that PIN management can also be done with gpg command as I will demonstrate later.
Manage Nitrokey Pro with GnuPG
As a standard-compatible OpenPGP card, Nitrokey Pro can in fact be managed with GnuPG. The majority of its security functions (e.g., generating/storing GPG keys, encrypting/decrypting a file, signing a message, etc.) performed on the hardware can be controlled by the gpg command. So even if it is connected to a desktop-less server, you should be able to manage Nitrokey Pro without any issue.
ตัวอย่างเช่น, type the following gpg command to view information about the connected USB security key.
$ จีพีจี –card-status
Similar to how you changed user/admin PIN on Nitrokey app, you can also change the PINs using gpg command:
$ จีพีจี –change-pin
Now to test its security functionality, let’s start by storing your GPG keys on the Nitrokey USB hardware. Note that you can move your existing GPG keys to Nitrokey card. Here let’s create new GPG keys from scratch.
สำหรับที่, type the command:
$ จีพีจี –card-edit
ที่ “gpg/card>” พรอมต์, ชนิด “ผู้ดูแล” and press ENTER. You will then enter the admin mode, where you can perform various administrative tasks including key generation. พิมพ์ “วิธีใช้” will show all available admin commands.
To generate new GPG keys, ชนิด “generate” คำสั่ง. This will take you through a series of standard steps to generate the master key and sub-keys for signing, encryption and authentication.
After key generation is completed, ชนิด “รายการ” command to view generated keys. You can also view the same information by running gpg command:
$ จีพีจี –card-status
You will see three different subkeys generated above. The signature key is a signing-only subkey used as the master key. The encryption key is a subkey used for encryption. ในที่สุด, the authentication key is not directly used by GnuPG, but used for other authentication purposes such as PAM authentication and SSH login.
Once you generated GPG keys, it is recommended to publish your public key at existing PGP key servers, so that others can download your key using your email address or key ID should they want to securely communicate with you. The following command will upload your public key to a key server. “D7F6C175” is the key ID for your public key which is found in the above key information. Replace the key ID with your own.
$ จีพีจี –คีย์ keys.gnupg.net –send-keys D7F6C175
Now we are ready to use GPG keys stored on Nitrokey Pro. In the rest of this article, I am going to go over several examples of how to use Nitrokey Pro smart card.
Nitrokey Pro Use Case #1: File Encryption and Decryption
The simplest use case is to encrypt and decrypt a file using the encryption key stored on the USB hardware.
Someone sent you an encrypted file after encrypting the file using your GPG user ID (e.g., [email protected]) as follows.
$ gpg -r [email protected] -e secure.txt
Once you receive the file, you can decrypt it using “-d” option as long as the Nitrokey card where your secret key is stored is plugged into your computer.
$ gpg -d secure.txt.gpg
Note that you will be asked to enter your Nitrokey user PIN (not GPG key passphrase) for decryption. Without Nitrokey card, คุณจะพบข้อผิดพลาดต่อไปนี้.
gpg: sending command `SCD PKDECRYPT' to agent failed: ec=5.99 gpg: encrypted with 2048-bit RSA key, ID E04A33F0, สร้าง 2015-12-21 "Dan Nanni " gpg: public key decryption failed: general error gpg: decryption failed: secret key not available
Nitrokey Pro Use Case #2: SSH Authentication
You can use Nitrokey Pro smart card for SSH authentication. ในกรณีนี้, you use an OpenPGP key stored on Nitrokey card as an SSH key, and rely on gpg-agent to retrieve an OpenPGP key from Nitrokey card for SSH login. โดยค่าเริ่มต้น, อย่างไรก็ตาม, OpenSSH client would try to obtain a private key from ssh-agent which cannot access smart card hardware directly. Thus we need to configure gpg-agent as a drop-in replacement for ssh-agent during key-based SSH authentication.
สำหรับเรื่องนี้, we first need to enable SSH support in gpg-agent. Add the following line in ~/.gnupg/gpg-agent.conf.
Then add the following lines to ~/.bashrc
envfile="$HOME/.gnupg/gpg-agent.env" if [[ -e "$envfile" ]] && ฆ่า -0 $(grep SSH_AGENT_PID "$envfile" | cut -d= -f 2) 2>/dev/null; then eval "$(cat "$envfile")" else eval "$(gpg-agent --daemon --write-env-file "$envfile")" fi export SSH_AUTH_SOCK
It is also recommended to disable GNOME Keyring (if you are using it), since it can interfere with gpg-agent.
Now open a new terminal (or reload ~/.bashrc), and try typing the following command as a test.
$ ตัวแทน gpg
If gpg-agent is set up properly, you should see the output that says “gpg แทน: gpg แทนทำงานอยู่ และพร้อมใช้งาน”.
ถัดไป, find out the encryption subkey ID with the following command. ECD8F07F is your own GPG key ID, which can be found in the output of “จีพีจี –card-status” คำสั่ง. Replace it with your own.
$ จีพีจี –edit-key ECD8F07F
The output lists all available subkeys associated with your key ID. The last column labeled “การใช้งาน” indicates the role of each subkey: “S” for signature, “C” for certificate, “A” for authentication and “อี” for encryption.
ในตัวอย่างนี้, the subkey ID for authentication is 81398BBF.
Using gpgkey2ssh command, generate compatible authorized_key string from the authentication subkey ID:
$ gpgkey2ssh 81398BBF > authorized_keys
Verify that the content of authorized_keys is the same as the output of the following command.
$ ssh-add -L
Once this is confirmed, move authorized_keys to ~/.ssh/authorized_keys at the remote host that you want to SSH to. Make sure that the permission of ~/.ssh/authorized_keys is set to 0600.
To test key-based SSH authentication, คุณควร disable password authentication at the remote host’s SSH server.
ในที่สุด, check that you can SSH to the remote host while Nitrokey smart card is plugged in to the local computer. You will be asked to enter the Nitrokey user PIN if gpg-agent has not yet cached your private key from the card. If you attempt to SSH without Nitrokey card, you will see the following error.
Permission denied (publickey).
Nitrokey Pro Use Case #3: Two-Factor Authentication for Dropbox Website Login
Another use case of the Nitrokey Pro smart card is one-time password (OTP) generation. โดยเฉพาะอย่างยิ่ง, Nitrokey Pro is capable of generating time-based OTP or HMAC-based OTP which are compatible with two-factor authentication supported by many commercial websites nowadays. One-time security codes will be generated by the Nitrokey app you installed earlier.
ตัวอย่างเช่น, let me show you how to set up two-factor authentication with Nitrokey Pro on Dropbox website.
ครั้งแรก, log in to your Dropbox account, and enable two-step verification. เลือก “แอพบนมือถือ” option (not SMS option) to receive security codes. Eventually you will be using Nitrokey app, not a mobile app.
Dropbox website will then enable time-based authentication and generate a secret key in base32 format.
เปิด “ตั้งค่าคอนฟิก” setting of Nitrokey app, และไป “OTP and Password Safe” เมนู. ภายใต้ “OTP Slot Configuration” แท็บ, เปิดใช้งาน “TOTP” โหมด, choose an available TOTP slot (e.g., สล็อต 1), and copy the above secret key into “Secret Key” ว่างเปล่า.
As a final step, Dropbox will ask you to enter the code generated by authenticator app. Simply right-click on Nitrokey app icon, และเลือก “Dropbox” ภายใต้ “รหัสผ่าน” เมนู.
Then one-time password will be generated and automatically copied to clipboard.
Now paste the OTP stored in clipboard into the security code blank at Dropbox page, and that completes two-step verification set up. Now whenever you need a one-time security code for Dropbox login, use Nitrokey app to get one.
ในกวดวิชานี้, I presented a USB-based smart card called Nitrokey Pro, and its several use cases. Besides the three examples I covered, there are great many other use cases of Nitrokey Pro (e.g., PAM authentication, email encryption, hard disk encryption, VPN access, PKI certificate, and password manager). Nitrokey website maintains pretty good documentation of these use cases for Linux, Windows and MacOS X platforms, so I encourage you to check them out if you are interested.
As I mentioned at the beginning, a strong selling point of USB Nitrokey is its transparent development process. 100% open hardware and 100% open-source software allow their products to be vetted by community-driven code review and penetration tests, which makes them more trustworthy, leads to fast discovery and security update of any vulnerabilities, and foster integration with other apps. Following the spirit of this openness, folks behind Nitrokey are planning on another product called Nitrokey Storage (which basically adds mass secure storage to Nitrokey Pro), and have been running Indiegogo fundraising campaign to solicit financial support. If you want to help make it happen, why not donate and support them?