I've tried to start using it, but I only get errors :c
I'm using Arch Linux. I have installed the udev rules. I also managed to install nitropy.
I've updated the firmware to 1.6.0; all tests succeeded.
1st problem: factory-reset is not working:
~/.local/bin/nitropy nk3 factory-reset
Command line tool to interact with Nitrokey devices 0.4.44
This feature is experimental, which means it was not tested thoroughly.
Note: data stored with it can be lost in the next firmware update.
Please pass --experimental switch to force running it anyway.
Aborted!
❯ ~/.local/bin/nitropy nk3 factory-reset --experimental
Command line tool to interact with Nitrokey devices 0.4.44
Please touch the device to confirm the operation
Critical error:
Factory reset is not supported by the firmware version on the device
❯ ~/.local/bin/nitropy nk3 version
Command line tool to interact with Nitrokey devices 0.4.44
v1.6.0
2nd problem:
I installed gpa but it doesn't let me generate keys:
I also tried under Tails with Kleopatra; it asks me 3(?) times for the admin password (12345678 in the docs), then 3 times for the user password 123456… 2048-bit RSA works, but 4096 always gives:
Failed to generate new key: General error
The log says something about scdaemon and gpg-agent (can this be a conflict?), both ERR 100663404.
Could you please help me? Best would be if it works on Tails.
# Reset FIDO2
$ nitropy fido2 reset
# Reset static passwords and OTP
$ nitropy nk3 secrets reset
# To reset OpenPGP-SmartCard
$ gpg --card-edit
# then enter "admin" and after that "factory-reset"
# Resetting PIV feels and looks kinda hacky
$ opensc-tool \
-s 00:A4:04:00:0B:A000000308000010000100 \
-s 00:20:00:80:08:FFFFFFFFFFFFFFFF \
-s 00:20:00:80:08:FFFFFFFFFFFFFFFF \
-s 00:20:00:80:08:FFFFFFFFFFFFFFFF \
-s 00:FB:00:00
After that, ensure that you follow the init process; at a minimum set all needed PINs on each module. Each module has its own PIN or even multiple PINs! IIRC you cannot configure credentials on FIDO2 if there is no PIN set. Same for PIV.
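To make the PIV part of that recipe less of a black box, here is an added example in Go (not code from the post, and not a Nitrokey tool) that decodes the five opensc-tool APDUs above into their ISO 7816-4 fields and counts the deliberately failing VERIFY commands. The APDU layout (CLA INS P1 P2 [Lc data]) and the names SELECT (A4) and VERIFY (20) are standard; the name for FB is taken from the post's own comment, and the key reference 0x80 is the PIV application PIN. The sequence sends an all-0xFF payload, which contains no PIN digits and cannot succeed, three times against that key reference, which is what exhausts the PIN retry counter before the reset instruction.

```go
package main

import (
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// APDU is a short-form ISO 7816-4 command: CLA INS P1 P2 [Lc data].
// The recipe sends no Le byte, so Le is not modelled.
type APDU struct {
	CLA, INS, P1, P2 byte
	Data             []byte
}

// A4 and 20 are the ISO 7816-4 SELECT and VERIFY instructions; the name for
// FB comes from the post's own comment (vendor-specific reset).
var insNames = map[byte]string{0xA4: "SELECT", 0x20: "VERIFY", 0xFB: "RESET (vendor-specific)"}

// Recipe is the opensc-tool command sequence from the post, copied verbatim.
var Recipe = []string{
	"00:A4:04:00:0B:A000000308000010000100",
	"00:20:00:80:08:FFFFFFFFFFFFFFFF",
	"00:20:00:80:08:FFFFFFFFFFFFFFFF",
	"00:20:00:80:08:FFFFFFFFFFFFFFFF",
	"00:FB:00:00",
}

// ParseAPDU decodes one colon-separated hex APDU and checks Lc against the data length.
func ParseAPDU(s string) (APDU, error) {
	raw, err := hex.DecodeString(strings.ReplaceAll(s, ":", ""))
	if err != nil {
		return APDU{}, err
	}
	if len(raw) < 4 {
		return APDU{}, errors.New("APDU shorter than the 4-byte header")
	}
	a := APDU{CLA: raw[0], INS: raw[1], P1: raw[2], P2: raw[3]}
	body := raw[4:]
	if len(body) == 0 {
		return a, nil // header only, e.g. the final 00:FB:00:00
	}
	if lc := int(body[0]); lc != len(body)-1 {
		return APDU{}, fmt.Errorf("Lc=%d but %d data bytes follow", lc, len(body)-1)
	}
	a.Data = body[1:]
	return a, nil
}

// ParseRecipe parses every line, stopping at the first malformed one.
func ParseRecipe(lines []string) ([]APDU, error) {
	out := make([]APDU, 0, len(lines))
	for i, l := range lines {
		a, err := ParseAPDU(l)
		if err != nil {
			return nil, fmt.Errorf("line %d: %w", i+1, err)
		}
		out = append(out, a)
	}
	return out, nil
}

// Describe names the instruction and shows the header fields and payload.
func Describe(a APDU) string {
	name, ok := insNames[a.INS]
	if !ok {
		name = "unknown INS"
	}
	return fmt.Sprintf("%-23s CLA=%02X P1=%02X P2=%02X data=%X", name, a.CLA, a.P1, a.P2, a.Data)
}

// allPadding reports whether a VERIFY payload is nothing but 0xFF pad bytes,
// i.e. carries no PIN digits at all and therefore cannot succeed.
func allPadding(data []byte) bool {
	for _, b := range data {
		if b != 0xFF {
			return false
		}
	}
	return len(data) > 0
}

// PINBlockAttempts counts VERIFY commands against key reference keyRef whose
// payload is all padding. In the recipe keyRef 0x80 is the PIV application PIN;
// the three attempts are what the post uses to exhaust its retry counter.
func PINBlockAttempts(apdus []APDU, keyRef byte) int {
	n := 0
	for _, a := range apdus {
		if a.INS == 0x20 && a.P2 == keyRef && allPadding(a.Data) {
			n++
		}
	}
	return n
}

func main() {
	apdus, err := ParseRecipe(Recipe)
	if err != nil {
		panic(err)
	}
	for _, a := range apdus {
		fmt.Println(Describe(a))
	}
	fmt.Printf("deliberately failing VERIFY attempts on key ref 80: %d\n", PINBlockAttempts(apdus, 0x80))
}
```

The Lc check is the part worth keeping when adapting this to other APDU strings: a typo in the hex payload silently becomes a different command on the card, and opensc-tool will send it as written.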
May I ask why gpa is needed? I only have seen and used gpg --card-edit to interact with the PGP SmartCard of Nitrokey 3 and Yubikey.
No guarantee, but as far as I've understood PGP SmartCards, you have 3 slots and "normally" people generate a key and 2 subkeys:
One key with "C" (Certify) and "S" (Sign), and
one key with "E" (Encrypt),
and one with "A" (Authenticate), to be used with SSH.
Maybe you can try to generate 3 keypairs with your desired key functions and load them on the SC, or generate them on the SC as you like. Either nuke your test setup later or stick with it… But what would be the point in having 3 independent key pairs?
No PIN, no, and they are working on improving reception. In my case with a NK3A NFC it gets recognised easily, but it takes a bit of trying to find the correct spot to touch. Perhaps set a FIDO2 PIN first, because you need that functional for it.
Regarding NFC: have you tested the NK with an OTG USB cable too? My NFC support is not great/reliable, and other HSMs work with OTG, but for some reason the Nitrokey 3 does not
(I am using android 12.)
I’ve now tried it via OTG (USB A-C adapter) and it works too, yes.
Perhaps nfc.fail helps to figure out the spot on your phone. On mine the spot is close to the flashlight and I hold the backside of the Nitrokey flat onto it. For the test, I had bad results registering with the https://webauthn.io/ demo. I know there are other alternatives, but I used the WebAuthn demo at Yubico, which works fine. It just shows "unknown device", but you can register and authenticate and see the authentication data. For good measure I used Brave for NFC and Firefox for OTG on Android 13. Their default OTG demo uses touch to confirm presence, the NFC demo does not.
Is there any difference to android 12? I do not need to “setup” anything, do I?
Edit: I’ve tested the yubico webauthn demo. NFC works. Even with the phone cover. But OTG still results in “oops”. But cool, now I know at least that NFC works. Thanks again, @ion
After doing this webauthn demo twice, shouldn’t I see something with nitropy fido2 list-credentials ? I still do see only an SSH ed25519-sk entry, and that 1 out of 10 slots is used. But I would have expected 2 more credentials from the demo registration?
The demo triggers an android pop-up to choose between a nfc or usb key here. Perhaps double-check you can transfer data to a regular usb storage device via OTG (perhaps an adapter problem). If that works, I don’t see why it should fail for your Nitrokey.
Not with demo defaults, those only derive a key from the fido2 secret. I’m sure you can use the demo playground to create a resident credential. Check the details and explanation here: Number of FIDO2 keys I can store? - #2 by daringer
And for PGP, in OpenKeychain I get "Error initialization failed".
Interesting: if no app is opened and I stick the USB on my phone it opens the website https://www.nitrokey.com, so just the URL link is working over NFC, and I can't even change it with the app "NFC Tools".
Yes, Firefox offers that dialog, and NFC works (with the Yubico demo), even with my silicone cover. But for some unknown reason OTG does not. I just confirmed with my OnlyKey and its FIDO2: I select USB, the token blinks, I interact, and everything "just works"…
With the NK3 however I can “register”, but the “auth” immediately fails.
However: I’ve just tested with Github (at least they say their 2FA is webauth so it should be fido2), and this works with USB/OTG but not with NFC
It’s confusing.
Thanks. But I might want to ask a follow up question: I have a hard time to understand “what the fido2 secret is”. Is it correct that the user can not configure this secret? Is it generated on the key or burned in?
If it is generated on the HSM, then does a factory reset trigger a re-key/re-generation, or are just all slots deleted?
I’d like to get a little bit more details here. Most sites just do boring “end user” marketing bla bla but skip over all details “what is actually happening” and “how”… This would be great if you could point me in a direction…
With fido2-token, according to its man page, I can list credentials and remove credentials, or I can do a "reset" and set a new PIN. But it also does not cover the topic of key generation…
PS: I'm somehow sorry about taking over this thread. But now it's too late to start a new one.
OpenKeychain with NFC complains I've removed the NK too early. And if attached via OTG, OpenKeychain states that "this security key is currently not supported".
I have no use case for gpg on the phone, so I don’t use the tools. I’ve noticed that Nitrokey deactivated NFC for the ccid smartcard protocol, because it’s not supported. Perhaps that is related to the error.
As for FIDO: the Nitrokey url is preconfigured in the firmware, so it works. While I don’t know the NFC tools app features, try the web demo like Bernd and me. Pretty sure now that will work for you too.
The point of fido2 is to authenticate with a service, be it online or local…
Yes, but it is important to define the FIDO2 secret, because it has a number of components, some optional. The whole FIDO2 specification is geared to make the authentication safe for both parties. For example, (just speculating, I don’t use FIDO2 for github) your github trial may fail via NFC because github expects a resident key - validated via PIN (and you can’t do that via NFC). I find the specification itself quite helpful, also to get an overview of what happens in the background, along with the man page of fido2-token. But yes, it is complicated and user documentation is poor. Then again, fido2-token is a universal tool to manage fido2 keys and is usually called by a service/application/relying party. The specs and properties of the key define what operations are supported, the relying party defines its requirements, and only then the complete, individual fido2 secret for the service is generated.
Finally, quickly back to the PIN: consider that the authenticator (NK3) never gets the PIN, but only receives a hash (to keep it simple), which it can verify against. Still, you are able to change the PIN, and it does not invalidate the FIDO2 secrets which were generated with the old PIN. Does that not imply the authenticator needs a [shared] secret, independent of user choice?
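The question of "what the FIDO2 secret is", why the demo registrations do not show up in nitropy fido2 list-credentials, and what a factory reset does to them, is easier to follow with a small model. The following is an added example in Go, not code from this thread and not Nitrokey's firmware: it shows the common construction for non-resident (non-discoverable) credentials, where the token keeps one device secret and re-derives each site's key pair from that secret plus the credential ID the site hands back. Everything concrete here is this example's own choice and an assumption about the real device: the 32-byte device secret, HMAC-SHA256 as the KDF, the credential ID layout (16-byte nonce followed by a 16-byte tag), and Ed25519 as the signature scheme. PIN/UV handling, resident credentials and the NK3's actual wrapping format are not modelled; the rpID "webauthn.io" is just the demo site mentioned above.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Authenticator models only what matters for the question above: one device
// secret, from which every non-resident credential is re-derived on demand.
// Assumption: a 32-byte secret generated on the device. The real KDF,
// credential-ID wrapping and PIN/UV handling of the NK3 are not modelled.
type Authenticator struct {
	deviceSecret []byte
}

func NewAuthenticator() *Authenticator {
	a := &Authenticator{}
	a.FactoryReset()
	return a
}

// FactoryReset replaces the device secret. In this model there is no per-site
// storage to wipe: old credential IDs simply stop verifying against the new secret.
func (a *Authenticator) FactoryReset() {
	a.deviceSecret = make([]byte, 32)
	if _, err := rand.Read(a.deviceSecret); err != nil {
		panic(err)
	}
}

// kdf derives label-separated material from the device secret (HMAC-SHA256).
func (a *Authenticator) kdf(label string, parts ...[]byte) []byte {
	m := hmac.New(sha256.New, a.deviceSecret)
	m.Write([]byte(label))
	for _, p := range parts {
		m.Write(p)
	}
	return m.Sum(nil)
}

// MakeCredential registers with a relying party: a fresh nonce becomes the
// credential ID (nonce || tag), and the key pair is derived from secret, rpID
// and nonce. The private key is never stored, so nothing shows up in a
// credential listing; only the credential ID and public key go to the site.
func (a *Authenticator) MakeCredential(rpID string) (credID []byte, pub ed25519.PublicKey) {
	nonce := make([]byte, 16)
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	tag := a.kdf("credid", []byte(rpID), nonce)[:16]
	credID = append(append([]byte{}, nonce...), tag...)
	seed := a.kdf("seed", []byte(rpID), nonce)
	return credID, ed25519.NewKeyFromSeed(seed).Public().(ed25519.PublicKey)
}

// GetAssertion re-derives the key from the credential ID and signs. It fails if
// the ID was not produced under this device secret for this rpID (another
// token, a different site, or this token after FactoryReset).
func (a *Authenticator) GetAssertion(rpID string, credID, clientDataHash []byte) ([]byte, error) {
	if len(credID) != 32 {
		return nil, errors.New("malformed credential ID")
	}
	nonce, tag := credID[:16], credID[16:]
	if !hmac.Equal(tag, a.kdf("credid", []byte(rpID), nonce)[:16]) {
		return nil, errors.New("credential ID not derived from this device secret for this rpID")
	}
	seed := a.kdf("seed", []byte(rpID), nonce)
	return ed25519.Sign(ed25519.NewKeyFromSeed(seed), clientDataHash), nil
}

// VerifyAssertion is the relying party's side: check the signature against the
// public key it stored at registration.
func VerifyAssertion(pub ed25519.PublicKey, clientDataHash, sig []byte) bool {
	return ed25519.Verify(pub, clientDataHash, sig)
}

func main() {
	auth := NewAuthenticator()
	credID, pub := auth.MakeCredential("webauthn.io")
	challenge := sha256.Sum256([]byte("constructed challenge")) // stands in for the client data hash
	sig, err := auth.GetAssertion("webauthn.io", credID, challenge[:])
	fmt.Println("before reset, assertion verifies:", err == nil && VerifyAssertion(pub, challenge[:], sig))
	auth.FactoryReset()
	_, err = auth.GetAssertion("webauthn.io", credID, challenge[:])
	fmt.Println("after reset:", err)
}
```

Two things the model makes visible that the marketing pages skip: the tag inside the credential ID is why a token can refuse a credential it did not create (including one created before its own reset) without keeping any list, and the PIN plays no part in the derivation, which is why changing it leaves all existing credentials valid.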