2023, Articles, EviKey & EviDisk, EviKey NFC HSM, News, NFC HSM technology, Technical News
How to secure your SSH key with NFC HSM USB Drive EviKey
Sep
How to Create and Store Your SSH Key Securely with EviKey NFC HSM USB Drive
NFC HSM USB Drive EviKey revolutionizes SSH key storage in our digital era. In a world teeming with cyber threats, safeguarding SSH keys remains paramount. Yet, striking a balance between top-notch security and effortless access often poses challenges. The answer? EviKey’s groundbreaking NFC HSM USB technology. Throughout this guide, we’ll uncover how EviKey stands out, ensuring robust security without forsaking user convenience. So, whether you’re a seasoned tech expert or just beginning your cybersecurity journey, dive in. You’re about to discover the next big thing in digital key storage.
2024 Digital Security
Salt Typhoon: Protecting Government Communications from Cyber Threats
2024 Digital Security
Cyberattack Exploits Backdoors: What You Need to Know
2024 Digital Security
Google Sheets Malware: The Voldemort Threat
2024 Articles Digital Security News
Russian Espionage Hacking Tools Revealed
2024 Digital Security Spying Technical News
Side-Channel Attacks via HDMI and AI: An Emerging Threat
2024 Digital Security
OpenVPN Security Vulnerabilities Pose Global Security Risks
2024 Digital Security
Google Workspace Vulnerability Exposes User Accounts to Hackers
2024 Digital Security
Leidos Holdings Data Breach: A Significant Threat to National Security
How to create and protect your SSH key with NFC HSM USB drive
The NFC HSM USB drive is a device that allows you to create and store your SSH key securely with EviKey technology. EviKey is a patented technology that encrypts your SSH key with a secret code that only you know and that is stored in a NFC tag embedded in the device. You will need to scan the NFC tag with your smartphone or another NFC reader to unlock your SSH key and use it for SSH sessions. You will also learn how to customize the security settings of your device and how to backup and restore your SSH key.
SSH: A secure protocol for remote communication
SSH, or Secure Shell, is a cryptographic protocol that allows you to establish a secure communication between a client and a server. SSH is often used to remotely administer servers, execute commands or transfer files. To connect to a server via SSH, there are two authentication methods: password or public key.
Password authentication: simple but insecure
Password authentication is the simplest method, but also the least secure. Passwords can be easily guessed, stolen or intercepted by attackers. Moreover, you have to remember your password and enter it every time you connect.
Public key authentication: advanced and secure
Setting up public key authentication for SSH
Public key authentication is a more secure and convenient way to access remote servers than using passwords. To set it up, you will need to generate a pair of keys, one public and one private, and copy the public key to the server you want to connect to. The private key will stay on your local machine and will be used to authenticate yourself when you initiate an SSH session. You will also learn how to use a passphrase to protect your private key from unauthorized access.
Advantages and constraints of public key authentication
Public key authentication: benefits and challenges
Using public key authentication for SSH has many benefits and challenges. Some of the benefits are: increased security, reduced risk of brute force attacks, and a streamlined login process. Some of the challenges are: managing multiple keys, ensuring the integrity of the public key, and recovering from lost or stolen private key. You’ll also learn some best practices for overcoming these challenges and protecting your SSH keys.
Public key authentication has several advantages:
- Compared to password authentication, public key authentication offers a higher level of security. It also avoids typing your password every time you connect. In addition, it allows you to automate processes that require an SSH connection; such as scripts or orchestration tools.
However, public key authentication also involves certain constraints:
- You have to deal with some constraints when you use public key authentication. For each client and each server, you have to generate a pair of keys; copy the public key on the server in a special file called ~/.ssh/authorized_keys; and protect the private key against any loss or compromise.
EviKey NFC HSM USB drive: A solution to store your SSH key securely
To overcome these constraints, there is a solution: using an EviKey NFC HSM technology to store your private SSH key physically externalized. EviKey NFC HSM USB drive is a hardware device that allows you to store sensitive data in a secure flash memory, which can only be unlocked with a contactless authentication via a smartphone compatible with NFC (Near Field Communication). It offers several advantages:
- The EviKey NFC HSM USB drive allows you to keep your private SSH key outside of the hard disk of the client. This reduces the risks of theft or unauthorized access. You can also unlock your private SSH key without typing a password or a passphrase; you just have to approach your smartphone to the NFC HSM USB drive. Moreover, the device offers an industrial level of security equivalent to SL4 according to the standard IEC 62443-3-3.
EviKey NFC HSM: A technology developed by Freemindtronic SL
There are several models and brands of NFC HSM USB drives on the market, but in this tutorial, we will focus on the EviKey NFC HSM technology, developed by Freemindtronic SL, an Andorran company specialized in cybersecurity. EviKey NFC HSM is compatible with all operating systems (Linux, Windows, macOS, Android) and can be used with three free Android applications: Evikey & EviDisk, Fullkey Plus and Freemindtronic (FMT). These applications allow you to manag the NFC HSM USB drives, to create and restore backups, to encrypt and decrypt files, and to authenticate via SSH.
How to create an SSH key and use it with a NFC HSM USB drive
In this tutorial, we will show you how to create an SSH key under different operating systems, how to use a NFC HSM USB drive to store your private SSH key physically externalized, and how to use the public SSH key to authenticate locally, on a computer or on a server.
Prerequisites
The following are required to follow this tutorial:
- A computer or a smartphone with an operating system among Linux, Windows, macOS or Android.
- An internet connection.
- A NFC HSM USB drive.
- One of the three Android applications mentioned above installed on your smartphone.
- A remote server that you want to connect to via SSH.
Creating an SSH key
The first step to use public key authentication is to generate a pair of SSH keys (private and public) on your computer or smartphone. To do this, you can use a special utility called ssh-keygen, which is included with the standard OpenSSH suite. By default, this utility will create a pair of RSA keys of 3072 bits.
The procedure to create an SSH key varies depending on the operating system that you use. Here is how to do it for each case:
-
Linux
- Open a terminal and type the following command:
ssh-keygen -t rsa -b 4096 -C "your_email@example.com" - This command will create a new pair of SSH keys using your email as a label.
- You can choose the location and name of the file where to save your private key, as well as a passphrase to protect it.
- By default, the files are named id_rsa and id_rsa.pub and are stored in the ~/.ssh directory.
- Open a terminal and type the following command:
-
Windows
- Download and install the PuTTYgen software from the official website [2].
- Launch PuTTYgen and click on the Generate button.
- You will have to move the mouse over the blank area to create some entropy.
- Once the key is generated, you can enter a comment (for example your email) and a passphrase to secure it.
- Then, you will have to save your public key and your private key in separate files by clicking on the Save public key and Save private key buttons.
-
macOS
- The procedure is similar to Linux.
- Open a terminal and type the following command:
ssh-keygen -t rsa -b 4096 -C "your_email@example.com" - SSH keygen will create a new pair of SSH keys using your email as a label.
- You can choose the location and name of the file where to save your private key, as well as a passphrase to protect it.
- By default, the files are named id_rsa and id_rsa.pub and are stored in the ~/.ssh directory.
-
Android
- Download and install the ConnectBot application from the Play Store [5].
- Open ConnectBot and press the Menu button.
- Select Manage Pubkeys.
- Press the Menu button again and select Generate.
- Choose the type of key (RSA or DSA) and the size of the key (2048 bits or more).
- Enter a nickname for your key and press Generate.
Using a NFC HSM USB drive
Once you have created your pair of SSH keys, you have to move the private SSH key into the flash memory of the NFC HSM USB drive. To do this, you have to plug the NFC HSM USB drive into the USB port of your computer or smartphone, and use the following command:
sudo mv ssh_private_key /usb_directoryThis command will move the file containing your private SSH key (for example id_rsa or private.ppk) to the directory corresponding to the NFC HSM USB drive (for example /media/evikey or /storage/evikey). You have to replace ssh_private_key and /usb_directory with the appropriate names according to your case.
Once you have moved your private SSH key into the NFC HSM USB drive, you can lock it contactlessly with your smartphone. To do this, you have to use one of the three Android applications that embed the EviKey NFC HSM technology: Evikey & EviDisk, Fullkey Plus or Freemindtronic (FMT). Here is how to do it for each application:
With Evikey & EviDisk or Fullkey Plus or Freemindtronic (FMT) Android NFC app
- Open the application on your smartphone.
- Select the NFC HSM USB drive that you want to lock.
- Press the Lock button.
- Approach your smartphone to the NFC HSM USB drive to lock the access to the flash memory.
Authentication via SSH with a NFC HSM USB drive
You have prepared your NFC HSM USB drive and copied your public SSH key on the computer or remote server that you want to connect to via SSH. Now you can authenticate via SSH with the NFC HSM USB drive. Here are the steps to follow:
- Plug the NFC HSM USB drive into the USB port of the smartphone
- Open the Android application of your choice
- Select the option “SSH Authentication”
- Enter the information of the computer or remote server (IP address, port, username)
- Select the private SSH key stored in the NFC HSM USB drive
- Approach your smartphone to the NFC HSM USB drive to unlock the access to the flash memory
- Validate the SSH connection
- Access the terminal of the computer or remote server
The method allows you to authenticate locally, on a computer or on a server. Here are some examples of use cases:
Local authentication
You can use the NFC HSM USB drive to authenticate locally on your own computer or smartphone. That can be useful if you want to execute commands as another user, for example root or sudo. To do that, you have to enter the information of your computer or smartphone as IP address, port and username. For example:
ssh -p 22 root@127.0.0.1
It command will connect you via SSH to your local computer as root, using port 22 and IP address 127.0.0.1. It is a special address that always designates the local host. You will have to approach your smartphone to the NFC HSM USB cdrive to unlock your private SSH key and validate the connection.
Computer authentication
With the NFC HSM USB drive, you can authenticate on another computer that you have access to on the network. Such can be useful if you want to access files or programs that are stored on that computer, or if you want to perform maintenance or troubleshooting operations remotely. To do such, you have to enter the information of the computer that you want to connect to as IP address, port and username. For example:
ssh -p 22 alice@192.168.1.10
Local SSH will connect you via SSH to the computer whose IP address is 192.168.1.10, using port 22 and username alice. You will have to approach your smartphone to the NFC HSM USB drive to unlock your private SSH key and validate the connection.
Server authentication
The EviKey NFC HSM USB drive lets you authenticate on a remote server that you have access to via the internet. This can be useful if you want to administer a website, a database, a cloud service or any other type of server. To do this, you have to enter the information of the server that you want to connect to as IP address, port and username. For example:
ssh -p 22 bob@54.123.456.78
That command will connect you via SSH to the server whose IP address is 54.123.456.78, using port 22 and username bob. You will have to approach your smartphone to the NFC HSM USB drive to unlock your private SSH key and validate the connection.
Comparison of Secure Storage Solutions for SSH Keys
EviKey NFC HSM USB Drive: Redefining the Paradigm
The search for dependable, efficient, and secure storage for SSH private keys has evolved from a mere task to a pivotal mission. In a digital landscape riddled with threats, the EviKey NFC HSM USB drive emerges, not merely as a product but as a groundbreaking shift towards cybersecurity, regulatory compliance, and user-friendliness.
Cybersecurity and Safety: A Synergy
Combining cybersecurity (safeguarding digital assets) and safety (protecting the device itself) is a hallmark of the EviKey NFC HSM USB drive. The drive’s construction inherently merges these two dimensions. With electrical and thermal safeguards, ESD protection, and an integrated self-diagnostic system, it’s evident that the EviKey drive is designed not just to store but to fortify.
Simplicity Meets Security: Seamless SSH Key Storage
EviKey has revolutionized the SSH key storage process, doing away with complicated software or intricate steps. Upon unlocking the USB NFC HSM through a contactless mechanism, it presents itself as a standard medium on various operating systems. Users can then smoothly transfer SSH keys to this space. In its locked state, the drive becomes virtually undetectable to both computing and mobile platforms, ensuring unparalleled security. Furthermore, the option to fortify security with an additional password layer is available to users.
Normative Compliance: Setting the Gold Standard
EviKey’s technological prowess is evident in features such as NFC signal energy harvesting. This includes a state-of-the-art black box monitoring system. Additionally, there’s an assurance of data persistence for an astounding 40 years without needing an external power source.
Technological Advancements: Beyond the Ordinary
EviKey’s technological prowess is evident in features such as NFC signal energy harvesting, a state-of-the-art black box monitoring system, and an assurance of data persistence for an astounding 40 years without needing an external power source.
At a Glance: EviKey Versus the Rest
| Criteria | EviKey NFC HSM | Nitrokey | Yubikey | SoloKeys | OnlyKey | Trezor |
|---|---|---|---|---|---|---|
| Storage Capacity | 8GB-128GB | 32KB | 32KB | 32KB | 32KB | Limited by key size |
| SSH Key Capacity | Over 4 billion | About 24 | About 24 | Up to 24 | Up to 24 | Several |
| Contactless Authentication | Yes, via NFC | No | Yes, NFC or USB | Yes, NFC or USB | Yes, NFC or USB | Yes, via USB |
| Physical Device Security | Enhanced with attack detection & self-destruct | Standard with PIN lock | Standard with PIN lock | Standard with PIN lock | Standard with PIN lock | Standard with PIN lock |
| OS Compatibility | All OS | All OS | All OS | All OS | All OS | All OS |
| SSH & OpenSSH Protocol Compatibility | Yes, via OpenSSH | Yes, via PKCS#11 | Yes, via PKCS#11 | Yes, via PKCS#11 | Yes, via PKCS#11 | Yes, via GPG |
| SSH & OpenSSH Authentication Modes | Five-factor (MFA) | Two-factor (2FA) | Two-factor (2FA) | Two-factor (2FA) | Two-factor (2FA) | One-factor (1FA) |
| Users for Contactless SSH & OpenSSH Unlocking | Six different users | None | One user | One user | One user | One user |
| Patents | Three international patents | None | None | None | None | None |
| Electrical Protection | Integrated with intelligent regulator | No | No | No | No | No |
| Thermal Safeguards | Functional & thermal sensors with breaker | No | No | No | No | No |
| ESD Protection | 27kv on data channel | No | No | No | No | No |
| Physical Robustness | Military-grade resin; Waterproof & Tamperproof | No | No | No | No | No |
| Security from Attacks | Inclusive of invasive & non-invasive threats | No | No | No | No | No |
| Limit on Auth. Attempts | 13 (modifiable by admin) | No | No | No | No | No |
| USB Port Protection | Fully independent security system | No | No | No | No | No |
| Contactless Security Energy | Harvests energy from NFC signals | No | No | No | No | No |
| Black Box Monitoring | Comprehensive event tracking | No | No | No | No | No |
| Fault Detection | In-built self-diagnostics | No | No | No | No | No |
| Memory Write Count | Monitors flash memory health | No | No | No | No | No |
| Data Persistence | 40 years without external power | No | No | No | No | No |
| Temperature Guard | Ensures optimal performance | No | No | No | No | No |
| Auto-lock Duration | Admin-defined (seconds to minutes) | No | No | No | No | No |
Unveiling the NFC HSM USB Drive EviKey’s Innovations
Deep Dive: Why EviKey is the Leading Choice
With standout features like the swift auto-lock function, EviKey solidifies its position as a market leader. Its rapid automatic re-locking capability, combined with easy NFC unlocking, minimizes vulnerability windows, ensuring top-notch security. The EviKey NFC HSM USB drive signifies not just storage but an investment in unparalleled SSH key protection.
Physical Robustness: Beyond Conventional Protection
Designed with precision, the EviKey NFC HSM USB drive is adept at handling adverse conditions. Enclosed in a military-grade resin, its robustness parallels that of steel. Its unique construction ensures the EviKey drive’s resilience to damage, and its waterproof quality even allows it to operate underwater. Beyond the physical, the drive also provides countermeasures against invasive and non-invasive brute force intrusions.
Independence from Encryption Systems: Freedom of Choice
EviKey NFC HSM USB drive’s design is devoid of a pre-set encryption system, a strategic move to offer users flexibility and security. This choice ensures evasion from issues tied to outdated or flawed cryptographic elements, which may require user updates. This architecture offers users the autonomy to choose their preferred encryption method for data storage on the EviKey drive. Furthermore, the option for drive segmentation allows users to create specific encrypted sections, such as a BitLocker space, diversifying its applications.
Versatility: A Universal Key
EviKey NFC HSM’s adaptability is not limited to SSH key storage. Its versatile nature allows integration with various security ecosystems. The drive can serve as a decryption key for encrypted SSDs, HDs and SDs TPM2.0. Moreover, its compatibility extends to password management, functioning as a password manager or a token, harmonizing with other advanced technologies from Freemindtronic such as EviCode HSM OpenPGP and EviPass HSM OpenPGP.
Conclusion
You now know how to create an SSH key under different operating systems, how to use a NFC HSM USB drive to store your physically externalized private SSH key, and how to use the public SSH key to authenticate locally, on a computer or on a server. You can thus enjoy a secure and convenient authentication method, without needing a password or additional software, while benefiting from an industrial level of security equivalent to SL4 according to the standard IEC 62443-3-3.
If you have any questions or comments, feel free to contact Freemindtronic SL, designer, developer, manufacturer and publisher of applications embedding the EviKey NFC HSM technology. You can also buy the products integrating this technology from Freemindtronic’s partners.
