Supported NFC/USB Security Tokens
|Fidesmo Card||✔||✔||❌||?||fork of ykneo-openpgp|
|Gnuk||✔ (key gen only on >= 1.2.5)||❌||OTG||RSA <= 4096, EdDSA, ECDSA (NIST P256, secp256k1), ECDH (X25519, NIST P256, secp256k1)||gnuk|
|Ledger Nano S||✔ (no key gen)||❌||OTG||blue-app-openpgp-card|
|Nitrokey Start||✔ (key gen only on >= 1.2.5)||❌||OTG||same as Gnuk||fork of gnuk|
|Nitrokey Pro||✔||❌||OTG||?||nitrokey-pro-firmware CcidLocalAccess.c|
|Nitrokey Storage||✔||❌||OTG||?||nitrokey-storage-firmware OpenPGP_V20.c|
|YubiKey NEO||✔||✔||OTG||RSA <= 2048, no ECC||ykneo-openpgp|
|YubiKey 4 Nano||✔||❌||OTG||?||closed|
|YubiKey 4C Nano||✔||❌||USB-C||?||closed|
|TREZOR 2||NO||❌||OTG||Not OpenPGP Card Spec compatible|
NFC on-card key-gen
Roughly every third on-card key generation fails with all tested smart cards and the YubiKey NEO. For more details, see our research paper. OpenKeychain currently generates keys on the smartphone and then moves them to the card.
Can I use my OpenPGP smartcard that has no NFC?
You can try a USB smartcard reader as described below.
Are external USB smartcard readers supported?
Not officially. However, you can turn on "Allow untested USB Devices" under experimental settings and try your reader.
- It must have a CCID interface and you should insert the OpenPGP card before plugging in the reader.
- We found that Nexus 5X reboots, but Nexus 6P works.
- Readers on this page will work with higher probability but we cannot provide any recommendations.
- Some discussion about this is in #1912
- One user reported that it works fine with "ACS ACR39U-NF PocketMate II Smart Card Reader (USB Type-C)"
No OpenPGP support
These security tokens do not support OpenPGP:
- Yubico FIDO U2F Security Keys
- YubiKey Edge (discontinued)
- Other U2F tokens
How to import an existing key onto a security token?
How to use two different apps with a USB Security Token (Yubico Authenticator and OpenKeychain)?
Never set one app as the default in Android's selection dialog! Only the app selected in this dialog gets permission to communicate with the USB device! To reset the default, open the app details page and clear the default associations with the button at the bottom.
OpenPGP Card Specification
OpenPGP applets for Java Cards
- https://github.com/ANSSI-FR/SmartPGP (OpenPGP card spec v3)
- https://github.com/Yubico/ykneo-openpgp (OpenPGP card spec v2)
- https://github.com/FluffyKaon/OpenPGP-Card (not completely following spec)
- https://github.com/jderuiter/javacard-openpgpcard , previously http://sourceforge.net/p/javacardopenpgp/
Installing applets on javacards is only for people who know what they are doing. Here, we document some known quirks.
|Javacardos.com A22CR||see https://www.javacardos.com/javacardforum/viewforum.php?f=36 , uses stripped down version: https://github.com/JavaCardOS/OpenPGPApplet/compare/master...Yubico:master|
|ACS ACOSJ||installs, but reset (?) destroys cards sometimes over NFC?|
|NXP JCOP J2A040||https://github.com/Yubico/ykneo-openpgp/issues/51|
|NXP J3D081||✔||only javacard-3.0.1 branch|
|NXP J3H081 SCP02 and SCP03 from motechno.com||?||MUST USE v3.0.1 branch.|
Other helpful resources:
- SmartPGP diff between 3.0.1 branch and master https://github.com/ANSSI-FR/SmartPGP/compare/javacard-3.0.1
Problems with Smartphones and NFC
- HTC One M7
- Samsung Galaxy S3
- Samsung Galaxy S5 Mini (APDU chaining, i.e., decryption does not work, probably because NFC stack crashes)
- Samsung Note 3 LTE (SM-N900W8) running Android 4.3 stock ROM
- Hold the NEO between your forefinger and thumb with the NEO's "button" facing away from your palm
- Make sure that the NEO is slightly inset between your thumb and finger - by about 1/4"
- Place your thumb and forefinger against the back of the HTC One with the NEO parallel to the phone and the NEO's "button" directly over the camera lens.
- When you do this the NEO will not be touching the phone - but be about 1/4" away from the phone.
Just placing the NEO directly against the back of the phone over the camera lens area mostly led to failed NFC communication attempts and sometimes nothing happening at all. Having the NEO further than about a 1/4" away also resulted in failures.
from Yubico forum
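
The Samsung Galaxy S5 Mini entry above ties broken APDU chaining to failed decryption. The following added example (not OpenKeychain code) shows why: with short APDUs, an RSA-2048 cryptogram plus the OpenPGP card padding indicator is 257 bytes, so PSO:DECIPHER has to be split with ISO 7816-4 command chaining. Function names, the sample cryptogram and the choice to send Le only on the final command are assumptions of this sketch.

```python
# Added example: ISO 7816-4 command chaining for an OpenPGP card PSO:DECIPHER.
# Function names and the sample cryptogram are constructed for illustration.

CLA_LAST = 0x00        # final (or only) command of a chain
CLA_CHAINED = 0x10     # bit 5 of CLA set: more command data follows
INS_PSO = 0x2A         # PERFORM SECURITY OPERATION
P1_DECIPHER, P2_DECIPHER = 0x80, 0x86
RSA_PADDING_INDICATOR = 0x00
MAX_SHORT_LC = 255     # a short APDU carries at most 255 data bytes


def build_decipher_apdus(cryptogram: bytes, chunk: int = MAX_SHORT_LC) -> list[bytes]:
    """Split a PSO:DECIPHER command into short APDUs using command chaining."""
    if not 1 <= chunk <= MAX_SHORT_LC:
        raise ValueError("chunk must fit a one-byte Lc")
    data = bytes([RSA_PADDING_INDICATOR]) + cryptogram
    parts = [data[i:i + chunk] for i in range(0, len(data), chunk)]
    apdus = []
    for n, part in enumerate(parts):
        last = n == len(parts) - 1
        header = bytes([CLA_LAST if last else CLA_CHAINED, INS_PSO,
                        P1_DECIPHER, P2_DECIPHER, len(part)])
        # Assumption of this sketch: Le (0x00) is sent only with the final command.
        apdus.append(header + part + (b"\x00" if last else b""))
    return apdus


def reassemble(apdus: list[bytes]) -> bytes:
    """Card-side view: concatenate chained data, rejecting a broken chain."""
    data = b""
    for n, apdu in enumerate(apdus):
        cla, lc = apdu[0], apdu[4]
        last = n == len(apdus) - 1
        # The chaining bit must be set on every command except the last one.
        if bool(cla & CLA_CHAINED) == last:
            raise ValueError(f"APDU {n}: chaining bit does not match position")
        data += apdu[5:5 + lc]
    return data


if __name__ == "__main__":
    rsa2048_cryptogram = bytes(range(256))  # constructed 256-byte sample
    for apdu in build_decipher_apdus(rsa2048_cryptogram):
        print(f"CLA={apdu[0]:02X} Lc={apdu[4]} total={len(apdu)} bytes")
```

If the phone's NFC stack drops or corrupts the first (CLA 0x10) command, the card never receives the complete cryptogram and the decryption fails, while operations whose data fits in a single short APDU are unaffected.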