Security Tokens

Dominik Schürmann edited this page Oct 12, 2018 · 110 revisions

Supported NFC/USB Security Tokens

Token Supported? NFC USB supported algos Implementation
Fidesmo Card ? fork of ykneo-openpgp
Gnuk ✔ (key gen only on >= 1.2.5) OTG RSA <= 4096, EdDSA, ECDSA (NIST P256, secp256k1), ECDH (X25519, NIST P256, secp256k1) gnuk
Ledger Nano S ✔ (no key gen) OTG blue-app-openpgp-card
Nitrokey Start ✔ (key gen only on >= 1.2.5) OTG same as Gnuk fork of gnuk
Nitrokey Pro OTG ? nitrokey-pro-firmware CcidLocalAccess.c
Nitrokey Storage OTG ? nitrokey-storage-firmware OpenPGP_V20.c
YubiKey NEO OTG RSA <= 2048, no ECC ykneo-openpgp
YubiKey 4 OTG ? closed
YubiKey 4 Nano OTG ? closed
YubiKey 4C USB-C ? closed
YubiKey 4C Nano USB-C ? closed

NOT supported

Token Supported? NFC USB Implementation
TREZOR 2 NO OTG Not OpenPGP Card Spec compatible

NFC on-card key-gen

Roughly every third key generation on card fails with all tested smart cards and YubiKey NEO. For more details see our research paper. OpenKeychain currently generates keys on the smartphones and then moves them to the card.

Can I use my OpenPGP smartcard that has no NFC?

You can try a USB smartcard reader as described below.

Are external USB Smartcard Reader supported?

Not officially. However, you can turn on "Allow untested USB Devices", under experimental settings and try your reader.

  • It must have a CCID interface and you should insert the OpenPGP card before plugging in the reader.
  • We found that Nexus 5X reboots, but Nexus 6P works.
  • Readers on this page will work with higher probability but we cannot provide any recommendations.
  • Some discussions about this is in #1912
  • One user reported that it works fine with "ACS ACR39U-NF PocketMate II Smart Card Reader (USB Type-C)"

No OpenPGP support

These security tokens do not support OpenPGP:

  • Yubico FIDO U2F Security Keys
  • YubiKey Edge (discontinued)
  • Other U2F tokens

How to import an existing key onto a security token?


How to use two different apps with a USB Security Token (Yubico Authenticator and OpenKeychain)?

Never set one app as the default in Android's selection dialog! Only the app selected in this dialog gets the permission to communicate with the USB device! To reset the default open the app details page and clear the default associations with the button at the bottom.

OpenPGP Applets

OpenPGP Card Specification

OpenPGP applets for Java Cards

Other Implementations

Java cards

Installing applets on javacards is only for people who know what they are doing. Here, we document some known quirks.

Card ykneo-openpgp SmartPGP
Fidesmo A22CR see , uses stripped down version:
ACS ACOSJ installs, but reset (?) destroys cards sometimes over NFC?
NXP J3D081 only javacard-3.0.1 branch
NXP J3H081 SCP02 and SCP03 from ? MUST USE v3.0.1 branch.
java -jar gp.jar -install SmartPGP-master.cap file from master branch fails with INSTALL [for install and make selectable] failed: 0x6F00.
java -jar gp.jar -install SmartPGP-master.cap -default destroys card.

other helpful resources:

Problems with Smartphones and NFC

Try out

  1. Hold the NEO between your forefinger and thumb with the NEO's "button" facing away from your palm
  2. Make sure that the NEO is slightly inset between your thumb and finger - by about 1/4"
  3. Place your thumb and forefinger against the back of the HTC One with the NEO parallel to the phone and the NEO's "button" directly over the camera lens.
  4. When you do this the NEO will not be touching the phone - but be about 1/4" away from the phone.

Just placing the NEO directly against the back of the phone over the camera lens area mostly led to failed NFC communication attempts and sometimes nothing happening at all. Having the NEO further than about a 1/4" away also resulted in failures.

from Yubico forum

You can’t perform that action at this time.
You signed in with another tab or window. Reload to refresh your session. You signed out in another tab or window. Reload to refresh your session.
Press h to open a hovercard with more details.