Nitrokey vs. onlykey

Hey!

I am really new to this topic and really not an expert in security things. I am just part of a peace community and so I want to protect my data. After searching the web for a while I found two products I am really interested in: the Nitrokey, because it is made in Germany, and the OnlyKey, because it seems the most secure password manager/creator on the market. It has external keys to enter the PIN, which makes it, to my understanding, impossible to grab the PIN(s) with a keylogger. So what do you think about this? Am I wrong?

Thank you a lot for your reply!

I can only give you my personal opinion, but I don’t think that keys with a keyboard are more secure. I have read multiple reviews of sticks (like the Padlock from Corsair) that have design issues (you could unlock it without the keys on the stick).
So to my mind, the keys are a show. I rather recommend using a SoC system without network for the communication between the crypto key and yourself.

Please also be aware that you don’t get the full functionality of OnlyKey outside the US. Also they claim as marketing things that Nitrokey already has. And I also think NK does it the right way by sharing the source of the firmware and the supporting software. Are you sure that OnlyKey doesn’t send data elsewhere?

And, regarding the keylogger: to attack, you need not only a keylogger on your computer, you also need physical access to the key itself. Let’s say sitting in China, knowing your PIN, doesn’t help if you are in the US :smiley:
So for me, NK is the better product!

Thanks for your reply. But I have to tell you that you are wrong with your opinion. Probably you are right that it isn’t a benefit of OnlyKey that you are entering the PIN externally.

But OnlyKey is open source like Nitrokey, so probably not I but anyone else could check the code for security issues and whether the key sends data somewhere?!

And at least you get the full functionality outside the US. You can download the original firmware and reflash it. It’s mentioned everywhere on the page!

I just don’t like that you are bound to the Chrome browser with OnlyKey… And I want to support the European market and not the US!

On 6 Sep 2017, 12:53, Peacekeeper noreply@support.nitrokey.com wrote:

Ok, I have not found everything about OnlyKey, but I only quickly googled to find something about it. And the things you mentioned are not stated there.

NK has done and passed an external audit and also published the results. So I trust them.

Yeah, but only if you do it yourself. NK Storage comes with it out of the box.

… I am aligned with you - that is another reason why NK :slight_smile:
But again: only my opinion :smile:

I don’t know anything about OnlyKey. Of course an integrated keyboard is a great way to stop keylogging of your PIN; there is no better option, so on this particular point it offers better security than the alternatives, for the scenario that a person was able to log the PIN and to get the key in hand.
As you said, it seems to be a US product. There is a story about another key that was produced in the US; they posted this message on their site after they closed:
https://www.sigilance.com/
This message marked (for me, in my opinion) all US products as a possibility for backdoors (especially Yubikey, which was interesting for me because of the integrated button), and I decided for Nitrokey.
So your choice: possible higher security vs. possible backdoor :wink:

Hello @Nafion13,

to be honest, I don’t know much about the OnlyKey either. But in general I guess the best solution for you depends on what you want the stick to do and which aspects are most important for you (e.g. the origin of the stick). There are different Nitrokeys for different purposes as well. For example the NK Storage gives you a feature the OnlyKey definitely does not have: encrypting not only keys but data in hardware.

Besides the things already mentioned above, I realized that the OnlyKey does not have OpenPGP support yet (though they seem to plan to integrate it). For me personally the OpenPGP smartcard feature is important, to use it for email encryption.

Maybe you should have a look at your needs. If you are unsure whether the Nitrokey can handle a special use case, we can surely help you :slight_smile:

Kind regards
Alex

Thank you very much for your reply.

I have made my decision and I’ve chosen the OnlyKey. I am really sorry about that, because I like your product and the possibility to support a German company. But as part of the peace community I believe in “we are one”, so it shouldn’t matter for me from whom I am buying. Probably this discussion is a possibility to improve your product. For me it was important to have a key with the possibility to enter the PIN externally. There are some more things like the encryption, and yes, it already supports OpenPGP. And for me, I don’t need the data encryption.

So at least I don’t want to make advertisement for the OnlyKey, so if you would like to, delete my posts.

For your future i wish you all the best!!

This stick is completely open source, so I don’t believe there are any backdoors, even if it is from the US!

And at least, who do you think produces the chips which are in the Nitrokey? Possibly there is a backdoor too? I am really paranoid, but you never know who is spying on you.

At least thank you for your reply!

Hey @Nafion13,

never mind, it is of course your choice. We would have been happy to see a new user though :wink:.

About OpenPGP: mh, I guess I read wrong on their site, but still this blog post that is linked on their site suggests that OpenPGP is still not implemented in a common and fully functional fashion and some functions are in beta.

The OnlyKey surely has some interesting features. I still would say it is just a design decision. I am not sure whether a pinpad is necessarily better. A party which is able to insert a keylogger into your device and steal your Nitrokey is probably able to look over your shoulder while you type in the PIN of your OnlyKey as well.

On the other hand, for the OnlyKey you must choose a PIN of more than 6 characters, as 6^6 combinations are far fewer than 10^6 for a number-based user PIN on the Nitrokey (you can choose a character-based PIN on the Nitrokey as well, which increases the possible combinations a lot). Until now I did not find out what happens if an attacker tries a brute force method on the OnlyKey. But it looks like a brute force attack is possible, as there is no limitation mentioned in the user manual.

As for the Nitrokey, the key gets deleted if the PIN is typed in wrong too often. In the case of the OnlyKey the attacker even knows that she/he must only try combinations of the six keys. For the Nitrokey the possible set is much larger (and the key gets deleted anyway, as I said :blush:).

I do not want to take this too far. What I want to say: it is difficult to design a key with a really secure pinpad without making the stick too fat. The six-button solution is surely a good idea, but it is not too convincing if you think about it.

Kind regards
Alex

PS: I am sorry that I did not write this before. I found the site of OnlyKey a bit confusing… :blush:
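As an added illustration of the counting and lockout argument in the two posts above (example code written for this page, not Nitrokey's or OnlyKey's own firmware; the retry limit of 3 and the sample PINs are constructed values, not vendor data): it computes how many PINs a six-button pad and a ten-digit pad allow at a given length, the length a six-symbol pad needs to reach the 10^6 combinations of a six-digit PIN, and models a token that wipes its secret once a retry counter runs out against one that, as the OnlyKey manual left open, has no limit.

```python
import hmac
import itertools
from dataclasses import dataclass, field
from typing import Optional, Tuple


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct PINs of `length` symbols over an alphabet of `alphabet_size`."""
    return alphabet_size ** length


def min_length_for(alphabet_size: int, target: int) -> int:
    """Smallest PIN length whose keyspace reaches `target` combinations."""
    n = 1
    while alphabet_size ** n < target:
        n += 1
    return n


@dataclass
class PinVerifier:
    """Toy model of a token that counts wrong PINs and wipes its secret when the
    retry counter is exhausted (the Nitrokey-style behaviour described in the
    thread). max_retries=None models a token with no lockout at all.
    All values here are constructed for the example."""
    pin: str
    secret: Optional[bytes]
    max_retries: Optional[int] = 3
    retries_left: Optional[int] = field(init=False)

    def __post_init__(self) -> None:
        self.retries_left = self.max_retries

    def verify(self, attempt: str) -> bool:
        if self.secret is None:
            return False  # already wiped: nothing left to unlock
        # Constant-time comparison so a wrong guess leaks no timing information.
        if hmac.compare_digest(attempt.encode(), self.pin.encode()):
            self.retries_left = self.max_retries  # correct PIN resets the counter
            return True
        if self.max_retries is not None:
            self.retries_left -= 1
            if self.retries_left == 0:
                self.secret = None  # retry counter exhausted: wipe the secret
        return False


def brute_force(token: PinVerifier, alphabet: str, length: int) -> Tuple[int, bool]:
    """Try every PIN of `length` over `alphabet` in order against `token`.
    Returns (guesses made, True if the secret was recovered before any wipe)."""
    n = 0
    for combo in itertools.product(alphabet, repeat=length):
        n += 1
        if token.verify("".join(combo)):
            return n, True
        if token.secret is None:
            return n, False  # wiped: further guesses are pointless
    return n, False


if __name__ == "__main__":
    print("six-button pad, 6 symbols:", keyspace(6, 6))
    print("digit pad, 6 digits:     ", keyspace(10, 6))
    print("six-button length for 10^6:", min_length_for(6, 10 ** 6))
    locked = PinVerifier(pin="3412", secret=b"constructed-secret", max_retries=3)
    print("with retry counter:", brute_force(locked, "123456", 4))
    unlimited = PinVerifier(pin="1113", secret=b"constructed-secret", max_retries=None)
    print("without limit:     ", brute_force(unlimited, "123456", 4))
```

The point the numbers make is the one in the posts: keyspace alone (6^6 vs. 10^6) is a weak argument either way, because a retry counter that wipes the secret caps an attacker at a handful of guesses regardless of keyspace, while a token without any limit is only as strong as the keyspace and the attacker's patience.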

To elaborate on the security of PIN pads, you should read Bruce Schneier’s post on a similar product. The key point is that a physical PIN pad doesn’t necessarily provide good security; it depends on its specific implementation.