I’ve been waiting for the Storage 2 for a few weeks now and planned to buy it the day it is released. I’m not sure anymore as I’ve seen that the Storage 2 only supports NIST and Brainpool and these two curves are both reputed unsafe.
I would agree with you, however I am hoping they know what they are doing.
But yeah, regardless of if those curves are safe in gnu privacy guard or not or in nitrokey-app, I would still highly recommend someday adding Curve25519.
Even if its a Nitrokey-Storage 3 option. Seriously, it would be awesome to have that curve… or one as secure.
Please be careful. At safecurves.cr.yp.to curves are primarily evaluated with focus on complexity and implementation considerations. There “unsafe” means that the implementation needs to be performed carefully and may be more complex and error-prone than for other curves. “Unsafe” is different from “insecure”.
If you don’t trust NIST curves, Brainpool is for you. I’m not aware of profound critic on Brainpool curves.
Because Curve 25519 isn’t supported by the smart card chip we are using. Also Curve 25519 has the disadvantage that it is hard to protect against side channel attacks when being implemented in embedded devices. From this perspective, NIST or Brainpool may be more secure.
Note that our Nitrokey Start does support Curve 25519, perhaps this is an option for you.
I didn’t mean that it is a show stopper to prevent the implementation of Curve 25519. I’m just saying that Curve 25519 isn’t perfect and that the devil is in detail.
A question/proposal to escape the “Curve vs Nitrokey-problem” :
Wouldn’t it be a reasonable approach to generate a Curve22519-Masterkey externally (only signing-capability) to have a “secure” identity even after the era of RSA4096 ends?
To use this master-key on the Nitrokey you generate RSA4096 subkeys for the daily routine and import it onto the Nitrokey.
When their time is over, you are able keep your Curve22519-Identity and just replace the subkeys?
Greetings,
niklas
You don’t need the signing capability for your master key, you need the Certify one. The Sign capability can be given to a dedicated sub-key that you would put on the token.
The Nitrokey might take quite some time (several seconds) to work with such large keys. You need to experiment to know if that is acceptable to you or not.
comio@gentoobox /tmp $ ls -al testfile.txt
-rw-r--r-- 1 comio users 5091 12 lug 16.19 testfile.txt
comio@gentoobox /tmp $ time gpg -a -r a@b.c --encrypt testfile.txt
real 0m0,102s
user 0m0,024s
sys 0m0,045s
comio@gentoobox /tmp $ time gpg -a --decrypt testfile.txt.asc > testfile.txt.decrypt
gpg: encrypted with 4096-bit RSA key, ID 0xD6B1D10FE58271F8, created 2017-08-01
"A B (comio) <a@b.c>"
real 0m3,612s
user 0m0,046s
sys 0m0,023s
comio@gentoobox /tmp $ diff -u testfile.txt testfile.txt.decrypt
Please note, that it is basically only the NK Start which is very slow with RSA-4096 (usually said to be about 8 seconds per operation). All other devices should be reasonable fast.
