NK3C NFC & NK App 2: Managing keys

Hi.

I’m new to the usage of NKs.

I have an NK3C NFC (FW 1.7.0) and I installed the latest NK App 2 (2.3.0 x64) on Windows 11.

I created my first key for my Nextcloud account on the NK3C.
It worked fine. I can log in with that key without problems.

Then I tried to check out how to manage keys with the NK App 2.

But my key is not shown in the app.

Is it true that keys cannot be managed in that app?

Examples:
  • View a list of all keys.
  • Delete a single key.
  • (Re)Name a key.
  • Sort the list by domain.

And I couldn’t find an option to create a PIN for the key.

Thanks for your help : )

This is all done with nitropy right now from cmdline.

1 Like

Good to know, thanks : )

Windows support is still experimental – please use with caution.

https://docs.nitrokey.com/software/nitropy/windows/installation

Are there plans for the future to offer all nitropy functions in an app with a GUI?

About something else: macOS

There’s a tutorial on how to install nitropy on macOS:
https://docs.nitrokey.com/software/nitropy/all-platforms/installation

It is not easy to understand (for me).
I followed all steps.

But I get an error message when I enter:

$ nitropy list-credentials
/Users/***/.local/pipx/venvs/pynitrokey/lib/python3.9/site-packages/urllib3/__init__.py:34: NotOpenSSLWarning: urllib3 v2.0 only supports OpenSSL 1.1.1+, currently the 'ssl' module is compiled with 'LibreSSL 2.8.3'. See: https://github.com/urllib3/urllib3/issues/3020
  warnings.warn(
Usage: nitropy [OPTIONS] COMMAND [ARGS]...
Try 'nitropy -h' for help.

Error: No such command 'list-credentials'.

I think users who always use tools with a GUI will never have a joyful user experience with a command line tool.
Command line tools are for nerds only.
IMHO.

There is a “fido2” missing in the command.

I am just a regular user and have no further info on Nitrokey’s roadmaps, but the app has been heavily worked on and got a lot of functionality. It is also based on Python and code can be shared.

I think they will add the most important features to the app but must make sure that the feature set is the same on Windows, Mac and Windows, and some functionality is only available on the CLIs.

I haven’t followed the full discussion here. So please excuse if I am off-topic!

One note: FIDO1 keys and the non-“discoverable” keys in FIDO2 (most often used as a second factor) can’t be listed at all, because they are not stored on the NK.

Very, very simplified:

  • The server keeps an opaque blob
  • Sends it to the NK
  • The NK verifies the blob and decrypts it with its internal master key
  • The NK proves to the server that it knows the secrets (using public key cryptography)

I haven’t tried Nextcloud for a while, but some time ago it used exactly the FIDO1 / U2F / non-discoverable way of handling things.

About Windows and FIDO2: Windows actually has some tools to manage FIDO2 hardware keys built in. They’re somewhere in the system settings. Something like “security keys”. There you can actually even do a complete reset of the FIDO2 part of the NK (be careful, all your keys are gone, it basically creates a new internal master key).

Thanks : )

When I try to list my key (I wrote in my first post that logging in with my key works fine with Nextcloud) with:

nitropy fido2 list-credentials

I get

There are no registered credentials
There is an estimated amount of 10 credential slots left

In the Nextcloud account they talk explicitly about FIDO2:

Passwordless authentication
Set up your account for passwordless authentication according to the FIDO2 standard.

How many FIDO2 keys can be stored on a NK3C NFC please?

Thanks for the hint. The name of the built-in tool is: Windows Hello Setup.
Only two features are offered:
“Set a PIN” and “Reset the complete Nitrokey”.

At the moment I am trying to test the complete UX on Windows, macOS and iOS for an NGO, where normal users work. We want to understand if the UX will be OK for them or if we have to wait until the UX has been improved.

Being able to list all created FIDO2 keys and to delete single keys (instead of deleting the whole stick) is an essential feature for us.

Right now 10 resident keys = passkeys. Nitrokey already said that they plan to increase this number.

When you have to enter your username and the server stores the encrypted key, then an unlimited number of server side keys can be associated with your token.

1 Like

As explained above, some keys (the non-discoverable or non-resident ones) are not stored at all on the NK. So you can have an unlimited number of those.

Why do you want to list or even delete those? Can you please explain your use case for this?

You only need to delete (manage) them on the server.

Perhaps my previous understanding of FIDO2 in connection with a stick is wrong.

I thought every private key from the “passkey” procedure is generated on the stick and remains there.

The stick from Google named “Titan” offers a capacity of 300 passkeys.

The stick from Yubico named “Yubikey 5C” offers a capacity of 100 passkeys (with the latest firmware).

1 Like

Passkeys are the same as “resident keys” or “discoverable keys”. There the private key (and some meta information, like the website name and possibly the username) is really stored on the NK/token. And yes, currently the NK3 can only store 10 of them. And as already noted, they’re working on increasing it (I tried to find the posting, but failed).

On the other hand, FIDO2 has many variants / modes. And some of them (the non-passkey/etc ones) do not store anything on the NK. So there is nothing to manage on the NK, and those can be unlimited (on any FIDO2 compliant hardware token).

P.S.: If you want to try passkeys with the NK, just go to preferences → Security on this forum, there you can register a passkey for logging into this forum. And then the 10 free slots should go down to 9.

1 Like

Thanks Christian! : )

I have now created a passkey for the forum on the NK3C.

Then “nitropy fido2 list-credentials” also lists this.

It’s amazing (for me) that the Nextcloud service apparently doesn’t create a resident key.

I didn’t know before that thread that there are other variants of FIDO2. I’ve only had the NK3C since the day before yesterday.

Until now, I thought that the most important reason for using extra hardware (which is a hassle) was:

  • the secret is generated exactly there and remains there.
  • the secret is not stored in an external location (server).

1 Like

Yes, Nextcloud uses some specific mode of operating FIDO2 (I think Facebook also did this once). GitHub even has both options:

  • Passkey, with even the username stored on the NK
  • Second factor, where you have to provide username/password and then the NK as a second factor (in this mode, nothing is stored on the NK)

During registration: The secret (private key) is actually created on the NK. And then it is encrypted using the “master key” (also on the NK). This blob (and the public key) is sent to the server to store it.

The server only stores an encrypted blob that it can’t do anything with. Even if it could decrypt it, it would only be able to authenticate to itself (because every website gets a new private / public key).

1 Like
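The wrapped-key flow described in the “very, very simplified” bullets earlier and in the registration post above, as an added example in Go (not Nitrokey’s code or any real authenticator’s implementation): the token’s only persistent secret is a master key; MakeCredential wraps a fresh per-site P-256 private key under it with AES-GCM, and that blob is the credential ID the server stores next to the public key; GetAssertion unwraps the blob the server sends back and signs the challenge. The type and function names, the rpID and the challenge are constructed for this demo.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"errors"
)
// Token models the authenticator; wrap is AES-GCM keyed with its one persistent secret.
type Token struct{ wrap cipher.AEAD }
func NewToken() *Token {
	master := make([]byte, 32) // constructed demo key; a real token makes one at reset
	rand.Read(master)
	block, _ := aes.NewCipher(master)
	gcm, _ := cipher.NewGCM(block)
	return &Token{wrap: gcm}
}

// MakeCredential: new P-256 key pair for rpID; the private key, wrapped under the
// master key, becomes the credential ID the server stores with the public key.
func (t *Token) MakeCredential(rpID string) ([]byte, *ecdsa.PublicKey) {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // rand.Reader does not fail
	der, _ := x509.MarshalECPrivateKey(priv)
	nonce := make([]byte, t.wrap.NonceSize())
	rand.Read(nonce)
	// rpID is the associated data, so the blob unwraps only for the site it was made for.
	return t.wrap.Seal(nonce, nonce, der, []byte(rpID)), &priv.PublicKey
}

// GetAssertion unwraps the blob the server sent back and signs the challenge;
// a blob from another token or another site, or a tampered one, fails to unwrap.
func (t *Token) GetAssertion(rpID string, credID, challenge []byte) ([]byte, error) {
	n := t.wrap.NonceSize()
	if len(credID) < n {
		return nil, errors.New("credential ID too short")
	}
	der, err := t.wrap.Open(nil, credID[:n], credID[n:], []byte(rpID))
	if err != nil {
		return nil, errors.New("blob not made by this token for " + rpID)
	}
	priv, _ := x509.ParseECPrivateKey(der) // authenticated by GCM, so well-formed
	h := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, priv, h[:])
}

// VerifyAssertion is the server side: the stored public key is all it needs.
func VerifyAssertion(pub *ecdsa.PublicKey, challenge, sig []byte) bool {
	h := sha256.Sum256(challenge)
	return ecdsa.VerifyASN1(pub, h[:], sig)
}
```

Because nothing but the master key lives on the token, the only place such a credential can be listed or deleted is the server’s database, which is why “nitropy fido2 list-credentials” shows none of them.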

If you want a GUI-like experience then use the Chromium option as seen here: click this link, then scroll down to “Setting PIN with the Chrom(e|ium) web-browser” (Set PINs - Nitrokey Documentation).