Category Archives: EviKey NFC HSM

image_pdfimage_print

Terrapin attack: How to Protect Yourself from this New Threat to SSH Security

SSH handshake with Terrapin attack and EviKey NFC HSM

Terrapin Attack: How to Protect Your SSH Security

The Terrapin attack is a serious vulnerability in the SSH protocol that can be used to downgrade the security of your SSH connections. This can allow attackers to gain access to your sensitive data. In this article, we will explain what the Terrapin attack is, how it works, and how you can protect yourself from it.

2024 Digital Security

Europol Data Breach: A Detailed Analysis

2024 Cyberculture Digital Security News Training

Andorra National Cyberattack Simulation: A Global First in Cyber Defense

2024 Digital Security

Apple M chip vulnerability: A Breach in Data Security

2024 Digital Security

Cybersecurity Breach at IMF: A Detailed Investigation

2024 DataShielder Digital Security PassCypher Phishing

Midnight Blizzard Cyberattack Against Microsoft and HPE: What are the consequences?

2024 Digital Security

PrintListener: How to Betray Fingerprints

Terrapin attack: CVE-2023-48795 SSH security vulnerability articles for in-depth threat reviews and solutions. Stay informed by clicking on our scrolling topics.

Shield Your SSH Security from the Sneaky Terrapin Attack written by Jacques Gascuel, inventor of sensitive data safety and security systems. Are you safeguarding your SSH connections? Stay vigilant against the Terrapin attack, a stealthy vulnerability that can compromise your SSH security and expose your sensitive data.

Protect Yourself from the Terrapin Attack: Shield Your SSH Security with Proven Strategies

SSH is a widely used protocol for secure communication over the internet. It allows you to remotely access and control servers, transfer files, and encrypt data. However, SSH is not immune to attacks, and a recent vulnerability OpenSSH before 9.6 (CVE-2023-48795) has exposed a serious flaw in the protocol itself. This flaw, dubbed the Terrapin attack, can downgrade the security of SSH connections by truncating cryptographic information. In this article, we will explain what the Terrapin attack is, how it works, and how you can protect yourself from it.

Why you should care about the Terrapin attack

The Terrapin attack is not just a theoretical threat. It is a real and dangerous attack that can compromise the security of your SSH connections and expose your sensitive data. The consequences of a successful Terrapin attack can be severe, such as:

  • Data breaches: The attacker can access your confidential information, such as passwords, keys, files, or commands, and use them for malicious purposes.
  • Financial losses: The attacker can cause damage to your systems, services, or assets, and demand ransom or extort money from you.
  • Reputation damage: The attacker can leak your data to the public or to your competitors, and harm your credibility or trustworthiness.

Therefore, it is important to be aware of the Terrapin attack and take the necessary measures to prevent it. In the following sections, we will show you how the Terrapin attack works, how to protect yourself from it, and how to use PassCypher HSM PGP and EviKey NFC HSM to enhance the security of your SSH keys.

A prefix truncation attack on the SSH protocol

The Terrapin attack is a prefix truncation attack that targets the SSH protocol. It exploits a deficiency in the protocol specification, namely not resetting sequence numbers and not authenticating certain parts of the handshake transcript. By carefully adjusting the sequence numbers during the handshake, an attacker can remove an arbitrary amount of messages sent by the client or server at the beginning of the secure channel without the client or server noticing it.

This manipulation allows the attacker to perform several malicious actions, such as:

  • Downgrade the connection’s security by forcing it to use less secure client authentication algorithms
  • Bypass the keystroke timing obfuscation feature in OpenSSH, which may allow the attacker to brute-force SSH passwords by inspecting the network packets
  • Exploit vulnerabilities in SSH implementations, such as AsyncSSH, which may allow the attacker to sign a victim’s client into another account without the victim noticing

To pull off a Terrapin attack, the attacker must already be able to intercept and modify the data sent from the client or server to the remote peer. This makes the attack more feasible to be performed on the local network.

Unveiling the SSH Handshake: Exposing the Terrapin Attack’s Weakness

The SSH Handshake Process

The SSH handshake is a crucial process that establishes a secure channel between a client and server. It consists of the following steps:

  1. TCP connection establishment: The client initiates a TCP connection to the server.
  2. Protocol version exchange: The client and server exchange their protocol versions and agree on a common one. Then, the algorithm negotiation takes place.
  3. Algorithm negotiation: The client and server exchange lists of supported algorithms for key exchange, encryption, MAC, and compression. Then, they select the first matching algorithm.
  4. Key exchange: The client and server use the agreed-upon key exchange algorithm to generate a shared secret key. They also exchange and verify each other’s public keys. Then, the service request is sent.
  5. Service request: The client requests a service from the server, such as ssh-userauth or ssh-connection. Then, the client authenticates itself to the server using a supported method, such as password, public key, or keyboard-interactive.
  6. User authentication: The client authenticates itself to the server using a supported method, such as password, public key, or keyboard-interactive. Then, the channel request is sent.
  7. Channel request: The client requests a channel from the server, such as a shell, a command, or a subsystem. Thus, encrypted communication is enabled.

The Terrapin Attack

The Terrapin attack exploits a vulnerability in the SSH handshake by manipulating the sequence numbers and removing specific messages without compromising the secure channel integrity. This stealthy attack is difficult to detect because it doesn’t alter the overall structure or cryptographic integrity of the handshake.

For example, the attacker can eliminate the service request message sent by the client, which contains the list of supported client authentication methods. This forces the server to resort to the default method, typically password-based authentication. The attacker can then employ keystroke timing analysis to crack the password.

Alternatively, the attacker can target the algorithm negotiation message sent by the server, which lists the supported server authentication algorithms. By removing this message, the attacker forces the client to use the default algorithm, usually ssh-rsa. This opens the door for the attacker to forge a fake public key for the server and deceive the client into accepting it.

To illustrate the process of a Terrapin attack, we have created the following diagram:

Hackers exploit OAuth2 flaw to bypass 2FA on google accounts google account security flaw
Hackers exploit OAuth2 flaw to bypass 2FA on google accounts google account security flaw

As you can see, the diagram shows the steps from the interception of the communication by the attacker to the injection of malicious packets. It also highlights the stealthiness and the difficulty of detection of the attack.

Summery

The Terrapin attack is a serious threat to SSH security. By understanding how it works, you can take steps to protect yourself from it. Here are some tips:

  1. Make sure your SSH server is up to date with the latest security patches.
  2. Use strong passwords or public key authentication.
  3. Enable SSH key fingerprint verification.

How to protect yourself from the Terrapin attack: Best practices and tools

The Terrapin attack is a serious threat to SSH security, and it affects many SSH client and server implementations, such as OpenSSH, PuTTY, FileZilla, and more. Here are some steps you can take to protect yourself from it:

  • Update your SSH client and server to the latest versions. Many vendors have released patches that fix the vulnerability or introduce a strict key exchange option that prevents the attack. You can check if your SSH software is vulnerable by using the Terrapin vulnerability scanner.
  • Use strong passwords and public key authentication. Avoid using weak or default passwords that can be easily guessed by the attacker. Use public key authentication instead of password authentication, and make sure your public keys are verified and trusted.
  • Use secure encryption modes. Avoid using vulnerable encryption modes, such as ChaCha20-Poly1305 or AES-CBC with default MACs. Use encryption modes that use authenticated encryption with associated data (AEAD), such as AES-GCM or Chacha20-Poly1305@openssh.com.
  • Use a VPN or a firewall. If possible, use a VPN or a firewall to encrypt and protect your SSH traffic from being intercepted and modified by the attacker. This will also prevent the attacker from performing other types of attacks, such as DNS spoofing or TCP hijacking.
  • Implement a strict security policy on your local networks. Limit the access to your SSH servers to authorized users and devices, and monitor the network activity for any anomalies or intrusions.

How to use PassCypher HSM PGP and EviKey NFC HSM to protect your SSH keys: A secure and convenient solution

A good way to enhance the security of your SSH keys is to use PassCypher HSM PGP and EviKey NFC HSM. These are products from PassCypher), a company specialized in data security. They offer a secure and convenient solution for generating and storing your SSH keys.

PassCypher HSM PGP is a system that embeds a SSH key generator, allowing you to choose the type of algorithm – RSA (2048, 3072, 4096) or ECDSA (256,384, 521), and ED25519. The private key is generated and stored in a secure location, making it inaccessible to attackers.

EviKey NFC HSM is a contactless USB drive that integrates with PassCypher HSM PGP. It provides an additional layer of security and convenience for users who can easily unlock their private SSH key with their smartphone.

To show how PassCypher HSM PGP and EviKey NFC HSM can protect your SSH keys from the Terrapin attack, we have created the following diagram:

SSH handshake process with Terrapin attack illustration
This image illustrates the Terrapin attack, a stealthy attack that exploits a vulnerability in the SSH handshake. The attacker can manipulate the sequence numbers and remove specific messages without compromising the secure channel integrity. This can lead to a variety of security risks, including password cracking and man-in-the-middle attacks.

As you can see, the diagram shows how this solution effectively protects your SSH keys from the Terrapin attack. It also shows the benefits of using a contactless USB drive, such as:

  • Enhanced security: The private key is physically externalized and protected with a contactless authentication mechanism.
  • Convenience: Easy unlocking with a smartphone.
  • Ease of use: No additional software required.
  • Industrial-grade security: Equivalent to SL4 according to the standard IEC 62443-3-3.

Safeguarding Your SSH Keys with a Contactless USB Drive: A Comprehensive Guide

If you’re seeking a comprehensive guide to securely store your SSH keys using a contactless USB drive, look no further than this detailed resource: [Link to the article ([https://freemindtronic.com/how-to-create-an-ssh-key-and-use-a-nfc-hsm-usb-drive-to-store-it-securely/])]

This guide meticulously walks you through the process of:

  1. Generating an SSH key pair leveraging PassCypher HSM PGP
  2. Protecting the private SSH key within the EviKey NFC HSM USB drive
  3. Unlocking the private SSH key employing your smartphone
  4. Establishing a secure connection to an SSH server using the EviKey NFC HSM USB drive

Alongside step-by-step instructions, the guide also includes illustrative screenshots. By adhering to these guidelines, you’ll effectively safeguard and conveniently manage your SSH keys using a contactless USB drive.

Statistics on the Terrapin attack: Facts and figures

Statistics on the Terrapin attack: Facts and figures

The Terrapin attack is a serious cybersecurity threat that affects SSH connections. We have collected some statistics from various sources to show you the scale and impact of this attack. Here are some key facts and figures:

  • The Shadowserver Foundation reports that nearly 11 million SSH servers exposed on the internet are vulnerable to the Terrapin attack. This is about 52% of all IPv4 and IPv6 addresses scanned by their monitoring system.
  • The most affected countries are the United States (3.3 million), China (1.3 million), Germany (1 million), Russia (704,000), Singapore (392,000), Japan (383,000), and France (379,000).
  • The Terrapin attack affects many SSH client and server implementations, such as OpenSSH, PuTTY, FileZilla, Dropbear, libssh, and more. You can see the complete list of known affected implementations here).
  • You can prevent the Terrapin attack by updating your SSH software to the latest version, using secure encryption modes, and enabling strict key exchange. You can also use the Terrapin vulnerability scanner, available on GitHub, to check your SSH client or server for vulnerability.
  • A team of researchers from the Horst Görtz Institute for IT Security at Ruhr University Bochum in Germany discovered and disclosed the Terrapin attack. They published a detailed paper and a website with the technical details and the implications of the attack. Conclusion: How to stay safe from the Terrapin attack

The Terrapin attack is a serious threat to SSH security. It lets hackers break into SSH servers by exploiting a vulnerability in the protocol. To protect yourself effectively, you need to do the following:

  • Update your SSH software to the latest version
  • Use two-factor authentication
  • Store your SSH keys securely
  • Use PassCypher HSM PGP and EviKey NFC HSM

Conclusion: How to stay safe from the Terrapin attack

The Terrapin attack is a serious threat to SSH security. It allows hackers to break into SSH servers by exploiting a vulnerability in the protocol. To protect yourself effectively, you need to update your SSH software, use two-factor authentication, store your SSH keys securely, and use PassCypher HSM PGP and EviKey NFC HSM. If you found this article useful, please feel free to share it with your contacts or leave us a comment.

How to secure your SSH key with NFC HSM USB Drive EviKey

NFC HSM USB drive SSH Contactless keys manager EviKey NFC & EviCore NFC HSM Compatible Technologies patented from Freemindtronic Andorra Made in France - JPG

How to Create and Store Your SSH Key Securely with EviKey NFC HSM USB Drive

NFC HSM USB Drive EviKey revolutionizes SSH key storage in our digital era. In a world teeming with cyber threats, safeguarding SSH keys remains paramount. Yet, striking a balance between top-notch security and effortless access often poses challenges. The answer? EviKey’s groundbreaking NFC HSM USB technology. Throughout this guide, we’ll uncover how EviKey stands out, ensuring robust security without forsaking user convenience. So, whether you’re a seasoned tech expert or just beginning your cybersecurity journey, dive in. You’re about to discover the next big thing in digital key storage.

2024 Digital Security

Europol Data Breach: A Detailed Analysis

2024 Cyberculture Digital Security News Training

Andorra National Cyberattack Simulation: A Global First in Cyber Defense

2024 Digital Security

Apple M chip vulnerability: A Breach in Data Security

2024 Digital Security

Cybersecurity Breach at IMF: A Detailed Investigation

2024 DataShielder Digital Security PassCypher Phishing

Midnight Blizzard Cyberattack Against Microsoft and HPE: What are the consequences?

2024 Digital Security

PrintListener: How to Betray Fingerprints

How to create and protect your SSH key with NFC HSM USB drive

The NFC HSM USB drive is a device that allows you to create and store your SSH key securely with EviKey technology. EviKey is a patented technology that encrypts your SSH key with a secret code that only you know and that is stored in a NFC tag embedded in the device. You will need to scan the NFC tag with your smartphone or another NFC reader to unlock your SSH key and use it for SSH sessions. You will also learn how to customize the security settings of your device and how to backup and restore your SSH key.

SSH: A secure protocol for remote communication

SSH, or Secure Shell, is a cryptographic protocol that allows you to establish a secure communication between a client and a server. SSH is often used to remotely administer servers, execute commands or transfer files. To connect to a server via SSH, there are two authentication methods: password or public key.

Password authentication: simple but insecure

Password authentication is the simplest method, but also the least secure. Passwords can be easily guessed, stolen or intercepted by attackers. Moreover, you have to remember your password and enter it every time you connect.

Public key authentication: advanced and secure

Setting up public key authentication for SSH

Public key authentication is a more secure and convenient way to access remote servers than using passwords. To set it up, you will need to generate a pair of keys, one public and one private, and copy the public key to the server you want to connect to. The private key will stay on your local machine and will be used to authenticate yourself when you initiate an SSH session. You will also learn how to use a passphrase to protect your private key from unauthorized access.

Advantages and constraints of public key authentication

Public key authentication: benefits and challenges

Using public key authentication for SSH has many benefits and challenges. Some of the benefits are: increased security, reduced risk of brute force attacks, and a streamlined login process. Some of the challenges are: managing multiple keys, ensuring the integrity of the public key, and recovering from lost or stolen private key. You’ll also learn some best practices for overcoming these challenges and protecting your SSH keys.

Public key authentication has several advantages:

  • Compared to password authentication, public key authentication offers a higher level of security. It also avoids typing your password every time you connect. In addition, it allows you to automate processes that require an SSH connection; such as scripts or orchestration tools.

However, public key authentication also involves certain constraints:

  • You have to deal with some constraints when you use public key authentication. For each client and each server, you have to generate a pair of keys; copy the public key on the server in a special file called ~/.ssh/authorized_keys; and protect the private key against any loss or compromise.

EviKey NFC HSM USB drive: A solution to store your SSH key securely

To overcome these constraints, there is a solution: using an EviKey NFC HSM technology to store your private SSH key physically externalized. EviKey NFC HSM USB drive is a hardware device that allows you to store sensitive data in a secure flash memory, which can only be unlocked with a contactless authentication via a smartphone compatible with NFC (Near Field Communication). It offers several advantages:

  • The EviKey NFC HSM USB drive allows you to keep your private SSH key outside of the hard disk of the client. This reduces the risks of theft or unauthorized access. You can also unlock your private SSH key without typing a password or a passphrase; you just have to approach your smartphone to the NFC HSM USB drive. Moreover, the device offers an industrial level of security equivalent to SL4 according to the standard IEC 62443-3-3.

EviKey NFC HSM: A technology developed by Freemindtronic SL

There are several models and brands of NFC HSM USB drives on the market, but in this tutorial, we will focus on the EviKey NFC HSM technology, developed by Freemindtronic SL, an Andorran company specialized in cybersecurity. EviKey NFC HSM is compatible with all operating systems (Linux, Windows, macOS, Android) and can be used with three free Android applications: Evikey & EviDisk, Fullkey Plus and Freemindtronic (FMT). These applications allow you to manag the NFC HSM USB drives, to create and restore backups, to encrypt and decrypt files, and to authenticate via SSH.

How to create an SSH key and use it with a NFC HSM USB drive

In this tutorial, we will show you how to create an SSH key under different operating systems, how to use a NFC HSM USB drive to store your private SSH key physically externalized, and how to use the public SSH key to authenticate locally, on a computer or on a server.

Prerequisites

The following are required to follow this tutorial:

  • A computer or a smartphone with an operating system among Linux, Windows, macOS or Android.
  • An internet connection.
  • A NFC HSM USB drive.
  • One of the three Android applications mentioned above installed on your smartphone.
  • A remote server that you want to connect to via SSH.

Creating an SSH key

The first step to use public key authentication is to generate a pair of SSH keys (private and public) on your computer or smartphone. To do this, you can use a special utility called ssh-keygen, which is included with the standard OpenSSH suite. By default, this utility will create a pair of RSA keys of 3072 bits.

The procedure to create an SSH key varies depending on the operating system that you use. Here is how to do it for each case:

  • Linux

    • Open a terminal and type the following command: ssh-keygen -t rsa -b 4096 -C "your_email@example.com"
    • This command will create a new pair of SSH keys using your email as a label.
    • You can choose the location and name of the file where to save your private key, as well as a passphrase to protect it.
    • By default, the files are named id_rsa and id_rsa.pub and are stored in the ~/.ssh directory.
  • Windows

    • Download and install the PuTTYgen software from the official website [2].
    • Launch PuTTYgen and click on the Generate button.
    • You will have to move the mouse over the blank area to create some entropy.
    • Once the key is generated, you can enter a comment (for example your email) and a passphrase to secure it.
    • Then, you will have to save your public key and your private key in separate files by clicking on the Save public key and Save private key buttons.
  • macOS

    • The procedure is similar to Linux.
    • Open a terminal and type the following command: ssh-keygen -t rsa -b 4096 -C "your_email@example.com"
    • SSH keygen will create a new pair of SSH keys using your email as a label.
    • You can choose the location and name of the file where to save your private key, as well as a passphrase to protect it.
    • By default, the files are named id_rsa and id_rsa.pub and are stored in the ~/.ssh directory.
  • Android

    • Download and install the ConnectBot application from the Play Store [5].
    • Open ConnectBot and press the Menu button.
    • Select Manage Pubkeys.
    • Press the Menu button again and select Generate.
    • Choose the type of key (RSA or DSA) and the size of the key (2048 bits or more).
    • Enter a nickname for your key and press Generate.

Using a NFC HSM USB drive

Once you have created your pair of SSH keys, you have to move the private SSH key into the flash memory of the NFC HSM USB drive. To do this, you have to plug the NFC HSM USB drive into the USB port of your computer or smartphone, and use the following command:

sudo mv ssh_private_key /usb_directory

This command will move the file containing your private SSH key (for example id_rsa or private.ppk) to the directory corresponding to the NFC HSM USB drive (for example /media/evikey or /storage/evikey). You have to replace ssh_private_key and /usb_directory with the appropriate names according to your case.

Once you have moved your private SSH key into the NFC HSM USB drive, you can lock it contactlessly with your smartphone. To do this, you have to use one of the three Android applications that embed the EviKey NFC HSM technology: Evikey & EviDisk, Fullkey Plus or Freemindtronic (FMT). Here is how to do it for each application:

With Evikey & EviDisk or Fullkey Plus or Freemindtronic (FMT) Android NFC app

  • Open the application on your smartphone.
  • Select the NFC HSM USB drive that you want to lock.
  • Press the Lock button.
  • Approach your smartphone to the NFC HSM USB drive to lock the access to the flash memory.

Authentication via SSH with a NFC HSM USB drive

You have prepared your NFC HSM USB drive and copied your public SSH key on the computer or remote server that you want to connect to via SSH. Now you can authenticate via SSH with the NFC HSM USB drive. Here are the steps to follow:

  • Plug the NFC HSM USB drive into the USB port of the smartphone
  • Open the Android application of your choice
  • Select the option “SSH Authentication”
  • Enter the information of the computer or remote server (IP address, port, username)
  • Select the private SSH key stored in the NFC HSM USB drive
  • Approach your smartphone to the NFC HSM USB drive to unlock the access to the flash memory
  • Validate the SSH connection
  • Access the terminal of the computer or remote server

The method allows you to authenticate locally, on a computer or on a server. Here are some examples of use cases:

Local authentication

You can use the NFC HSM USB drive to authenticate locally on your own computer or smartphone. That can be useful if you want to execute commands as another user, for example root or sudo. To do that, you have to enter the information of your computer or smartphone as IP address, port and username. For example:

ssh -p 22 root@127.0.0.1

It command will connect you via SSH to your local computer as root, using port 22 and IP address 127.0.0.1. It is a special address that always designates the local host. You will have to approach your smartphone to the NFC HSM USB cdrive to unlock your private SSH key and validate the connection.

Computer authentication

With the NFC HSM USB drive, you can authenticate on another computer that you have access to on the network. Such can be useful if you want to access files or programs that are stored on that computer, or if you want to perform maintenance or troubleshooting operations remotely. To do such, you have to enter the information of the computer that you want to connect to as IP address, port and username. For example:

ssh -p 22 alice@192.168.1.10

Local SSH will connect you via SSH to the computer whose IP address is 192.168.1.10, using port 22 and username alice. You will have to approach your smartphone to the NFC HSM USB drive to unlock your private SSH key and validate the connection.

Server authentication

The EviKey NFC HSM USB drive lets you authenticate on a remote server that you have access to via the internet. This can be useful if you want to administer a website, a database, a cloud service or any other type of server. To do this, you have to enter the information of the server that you want to connect to as IP address, port and username. For example:

ssh -p 22 bob@54.123.456.78

That command will connect you via SSH to the server whose IP address is 54.123.456.78, using port 22 and username bob. You will have to approach your smartphone to the NFC HSM USB drive to unlock your private SSH key and validate the connection.

Comparison of Secure Storage Solutions for SSH Keys

EviKey NFC HSM USB Drive: Redefining the Paradigm

The search for dependable, efficient, and secure storage for SSH private keys has evolved from a mere task to a pivotal mission. In a digital landscape riddled with threats, the EviKey NFC HSM USB drive emerges, not merely as a product but as a groundbreaking shift towards cybersecurity, regulatory compliance, and user-friendliness.

Cybersecurity and Safety: A Synergy

Combining cybersecurity (safeguarding digital assets) and safety (protecting the device itself) is a hallmark of the EviKey NFC HSM USB drive. The drive’s construction inherently merges these two dimensions. With electrical and thermal safeguards, ESD protection, and an integrated self-diagnostic system, it’s evident that the EviKey drive is designed not just to store but to fortify.

Simplicity Meets Security: Seamless SSH Key Storage

EviKey has revolutionized the SSH key storage process, doing away with complicated software or intricate steps. Upon unlocking the USB NFC HSM through a contactless mechanism, it presents itself as a standard medium on various operating systems. Users can then smoothly transfer SSH keys to this space. In its locked state, the drive becomes virtually undetectable to both computing and mobile platforms, ensuring unparalleled security. Furthermore, the option to fortify security with an additional password layer is available to users.

Normative Compliance: Setting the Gold Standard

EviKey’s technological prowess is evident in features such as NFC signal energy harvesting. This includes a state-of-the-art black box monitoring system. Additionally, there’s an assurance of data persistence for an astounding 40 years without needing an external power source.

Technological Advancements: Beyond the Ordinary

EviKey’s technological prowess is evident in features such as NFC signal energy harvesting, a state-of-the-art black box monitoring system, and an assurance of data persistence for an astounding 40 years without needing an external power source.

At a Glance: EviKey Versus the Rest


Criteria EviKey NFC HSM Nitrokey Yubikey SoloKeys OnlyKey Trezor
Storage Capacity 8GB-128GB 32KB 32KB 32KB 32KB Limited by key size
SSH Key Capacity Over 4 billion About 24 About 24 Up to 24 Up to 24 Several
Contactless Authentication Yes, via NFC No Yes, NFC or USB Yes, NFC or USB Yes, NFC or USB Yes, via USB
Physical Device Security Enhanced with attack detection & self-destruct Standard with PIN lock Standard with PIN lock Standard with PIN lock Standard with PIN lock Standard with PIN lock
OS Compatibility All OS All OS All OS All OS All OS All OS
SSH & OpenSSH Protocol Compatibility Yes, via OpenSSH Yes, via PKCS#11 Yes, via PKCS#11 Yes, via PKCS#11 Yes, via PKCS#11 Yes, via GPG
SSH & OpenSSH Authentication Modes Five-factor (MFA) Two-factor (2FA) Two-factor (2FA) Two-factor (2FA) Two-factor (2FA) One-factor (1FA)
Users for Contactless SSH & OpenSSH Unlocking Six different users None One user One user One user One user
Patents Three international patents None None None None None
Electrical Protection Integrated with intelligent regulator No No No No No
Thermal Safeguards Functional & thermal sensors with breaker No No No No No
ESD Protection 27kv on data channel No No No No No
Physical Robustness Military-grade resin; Waterproof & Tamperproof No No No No No
Security from Attacks Inclusive of invasive & non-invasive threats No No No No No
Limit on Auth. Attempts 13 (modifiable by admin) No No No No No
USB Port Protection Fully independent security system No No No No No
Contactless Security Energy Harvests energy from NFC signals No No No No No
Black Box Monitoring Comprehensive event tracking No No No No No
Fault Detection In-built self-diagnostics No No No No No
Memory Write Count Monitors flash memory health No No No No No
Data Persistence 40 years without external power No No No No No
Temperature Guard Ensures optimal performance No No No No No
Auto-lock Duration Admin-defined (seconds to minutes) No No No No No

Unveiling the NFC HSM USB Drive EviKey’s Innovations

Deep Dive: Why EviKey is the Leading Choice

With standout features like the swift auto-lock function, EviKey solidifies its position as a market leader. Its rapid automatic re-locking capability, combined with easy NFC unlocking, minimizes vulnerability windows, ensuring top-notch security. The EviKey NFC HSM USB drive signifies not just storage but an investment in unparalleled SSH key protection.

Physical Robustness: Beyond Conventional Protection

Designed with precision, the EviKey NFC HSM USB drive is adept at handling adverse conditions. Enclosed in a military-grade resin, its robustness parallels that of steel. Its unique construction ensures the EviKey drive’s resilience to damage, and its waterproof quality even allows it to operate underwater. Beyond the physical, the drive also provides countermeasures against invasive and non-invasive brute force intrusions.

Independence from Encryption Systems: Freedom of Choice

EviKey NFC HSM USB drive’s design is devoid of a pre-set encryption system, a strategic move to offer users flexibility and security. This choice ensures evasion from issues tied to outdated or flawed cryptographic elements, which may require user updates. This architecture offers users the autonomy to choose their preferred encryption method for data storage on the EviKey drive. Furthermore, the option for drive segmentation allows users to create specific encrypted sections, such as a BitLocker space, diversifying its applications.

Versatility: A Universal Key

EviKey NFC HSM’s adaptability is not limited to SSH key storage. Its versatile nature allows integration with various security ecosystems. The drive can serve as a decryption key for encrypted SSDs, HDs and SDs TPM2.0. Moreover, its compatibility extends to password management, functioning as a password manager or a token, harmonizing with other advanced technologies from Freemindtronic such as EviCode HSM OpenPGP and EviPass HSM OpenPGP.

Conclusion

You now know how to create an SSH key under different operating systems, how to use a NFC HSM USB drive to store your physically externalized private SSH key, and how to use the public SSH key to authenticate locally, on a computer or on a server. You can thus enjoy a secure and convenient authentication method, without needing a password or additional software, while benefiting from an industrial level of security equivalent to SL4 according to the standard IEC 62443-3-3.

If you have any questions or comments, feel free to contact Freemindtronic SL, designer, developer, manufacturer and publisher of applications embedding the EviKey NFC HSM technology. You can also buy the products integrating this technology from Freemindtronic’s partners.