Releases: Nitrokey/nitrokey-3-firmware
v1.7.0-rc.1
v1.6.0-test.20231218
This update requires pynitrokey v0.4.35 or newer. You can install it with:
$ nitropy nk3 update --version v1.6.0-test.20231218
Changes
(since v1.6.0-test.20231206)
Opcard (OpenPGP): Add experimental configuration option to enable the SE050 secure element backend. This can be done with pynitrokey v0.4.44:
$ nitropy nk3 set-config opcard.use_se050_backend true
This will cause a factory reset of opcard data. On older versions of nitropy, the command may work but will require a power cycle of the device before opcard is functional.
This new backend will increase the security of PIN-protected operations. It will also improve the performance of cryptographic operations, especially RSA. This means that when the secure element backend is enabled, RSA 4096-bit keys can now be generated on-device.
Fixed
- PIV: Fixed generation of RSA keys.
Functions
Stable
- admin-app v0.1.0-nitrokey.9
- fido-authenticator v0.1.1-nitrokey.10 (FIDO2)
- secrets v0.13.0-rc2 (OTP and Passwords)
- opcard v1.3.0 (OpenPGP)
Unstable
- piv-authenticator v0.3.3
- websmartcard v0.8.0-rc5
v1.6.0-test.20231206
This update requires pynitrokey v0.4.35 or newer. You can install it with:
$ nitropy nk3 update --version v1.6.0-test.20231206
Changes
(since v1.6.0)
Changed
- FIDO: add support for large-blobs (#385)
Fixed
- Reduced binary size (#397)
Functions
Stable
- admin-app v0.1.0-nitrokey.9
- fido-authenticator v0.1.1-nitrokey.10 (FIDO2)
- secrets v0.13.0-rc2 (OTP and Passwords)
- opcard v1.3.0 (OpenPGP)
Unstable
- piv-authenticator v0.3.2
- websmartcard v0.8.0-rc3
v1.6.0
Changes
Features
Changed
- secrets-app: Update to v0.13.0-rc.2
  - Confirm credential removal with a touch (trussed-secrets-app#92)
  - Allow updating credentials (trussed-secrets-app#65)
- Improve stack usage of several components (#353)
- Reject APDU commands from multiple transports (apdu-dispatch#19)
Fixed
- fido-authenticator: Reduce the maximum credential ID length for improved compatibility (fido-authenticator#37)
- fido-authenticator: Multiple changes to improve compliance with the specification (overview: fido-authenticator#6)
- Upgrade opcard to v1.2.0, fixing memory issues when using multiple RSA keys and potential data corruption, correctly handling non-canonical curve25519 public keys and properly rejecting NFC requests (#376)
- Correct maximum binary size for LPC55 and only enable PRINCE for the subregions used for the filesystem (#355)
- lpc55: Move USB initialization to the end of the boot process to make sure that the device can respond to all requests, fixing a potential delay when connecting the device under Linux (#302)
Functions
- admin-app v0.1.0-nitrokey.8
- fido-authenticator v0.1.1-nitrokey.9 (FIDO2)
- secrets v0.13.0-rc2 (OTP and Passwords)
- opcard v1.2.1 (OpenPGP)
v1.6.0-rc.1
Features
- Add an SE050 driver and its tests (#335)
- usbip: Add user presence check (#314, #321)
- admin-app: Add config mechanism (#344)
Changed
- Use SE050 entropy to bootstrap the random number generator (#335)
- secrets-app: Update to v0.13.0-rc.1
  - Confirm credential removal with a touch (trussed-secrets-app#92)
  - Allow updating credentials (trussed-secrets-app#65)
- Improve stack usage of several components (#353)
- Reject APDU commands from multiple transports (apdu-dispatch#19)
Fixed
- fido-authenticator: Reduce the maximum credential ID length for improved compatibility (fido-authenticator#37)
- fido-authenticator: Multiple changes to improve compliance with the specification (overview: fido-authenticator#6)
- Upgrade opcard to v1.2.0, fixing memory issues when using multiple RSA keys and potential data corruption, correctly handling non-canonical curve25519 public keys and properly rejecting NFC requests (#376)
- Correct maximum binary size for LPC55 and only enable PRINCE for the subregions used for the filesystem (#355)
- lpc55: Move USB initialization to the end of the boot process to make sure that the device can respond to all requests, fixing a potential delay when connecting the device under Linux (#302)
v1.5.0-test.20231030
This update requires pynitrokey v0.4.35 or newer. You can install it with:
$ nitropy nk3 update --version v1.5.0-test.20231030
Changes
(since v1.5.0-test.20230704)
Features
- Add an SE050 driver and its tests (#335)
- usbip: Add user presence check (#314, #321)
- admin-app: Add config mechanism (#344)
Changed
- Use SE050 entropy to bootstrap the random number generator (#335)
- secrets-app: Update to v0.13.0-rc.1
  - Allow updating credentials (trussed-secrets-app#65)
  - Remove challenge response authentication method (trussed-secrets-app#44)
- Improve stack usage of several components (#353)
Fixed
- fido-authenticator: Reduce the maximum credential ID length for improved compatibility (fido-authenticator#37)
- fido-authenticator: Multiple changes to improve compliance with the specification (overview: fido-authenticator#6)
- Correct maximum binary size for LPC55 and only enable PRINCE for the subregions used for the filesystem (#355)
Functions
Stable
- admin-app v0.1.0-nitrokey.5
- fido-authenticator v0.1.1-nitrokey.7 (FIDO2)
- secrets v0.13.0-rc1 (OTP and Passwords)
- opcard v1.1.1 (OpenPGP)
Unstable
- piv-authenticator v0.3.2
- websmartcard v0.8.0-rc3
v1.5.0-test.20230704
This update requires pynitrokey v0.4.35 or newer. Once binaries are available you can install it with:
$ nitropy nk3 update --version v1.5.0-test.20230704
Fixed
- LUKS with systemd-cryptenroll no longer panics after a reboot (#286)
- All secrets within the Secrets App can now be listed (#300)
- Secrets App entries can no longer be removed without a touch button press
- The NFC interface is now completely blocked for applications that do not support it (#301)
This release adds a new application, Nitrokey Webcrypt, which is aimed at integrating hardware security key features into web applications. Check it out at:
Nitrokey is an open source hardware USB key for data encryption and two-factor authentication with FIDO. While FIDO is supported by web browsers, using Nitrokey as a secure key store for email and (arbitrary) data encryption requires native software. Therefore email encryption in webmail has not been possible with the Nitrokey until now. At the same time, web applications with strong end-to-end encryption all share the same challenge: to store users’ private keys securely and conveniently. Therefore secure end-to-end encryption usually requires native software as well (e.g. an instant messenger app) or, less securely, stores the user keys password-encrypted on servers. Nitrokey aims to solve these issues by developing a way to use Nitrokey with web applications. To avoid the need for device drivers, browser add-ons or separate software, this project is going to utilize the FIDO (CTAP) protocol. As a result the solution will work with any modern browser (which all support WebAuthn), on any operating system, even on Android. This will give any web application the option to store a user’s private keys locally on a Nitrokey they control.
Note: Nitrokey WebCrypt is in the process of being renamed to Nitrokey WebSmartCard.
Functions
Stable
- admin-app v0.1.0-nitrokey.2
- fido-authenticator v0.1.1-nitrokey.4 (FIDO2)
- secrets v0.12.0 (OTP and Passwords)
- opcard v1.1.1 (OpenPGP)
Unstable
v1.5.0-test.20230613
This update requires pynitrokey v0.4.35 or newer. You can install it with:
$ nitropy nk3 update --version v1.5.0-test.20230613
This release contains a bug fix in the unstable PIV application regarding P-256 signatures.
Functions
Stable
- admin-app v0.1.0-nitrokey.2
- fido-authenticator v0.1.1-nitrokey.4 (FIDO2)
- secrets v0.11.0 (OTP and Passwords)
- opcard v1.1.0 (OpenPGP)
Unstable
- piv-authenticator v0.3.2
v1.5.0-test.20230605
This update requires pynitrokey v0.4.35 or newer. You can install it with:
$ nitropy nk3 update --version v1.5.0-test.20230605
Functions
Stable
- admin-app v0.1.0-nitrokey.2
- fido-authenticator v0.1.1-nitrokey.4 (FIDO2)
- secrets v0.11.0 (OTP and Passwords)
- opcard v1.1.0 (OpenPGP)
Unstable
- piv-authenticator v0.3.1
v1.5.0
This update requires pynitrokey v0.4.35 or newer. You can install it with:
$ nitropy nk3 update --version v1.5.0
Functions
- admin-app v0.1.0-nitrokey.2
- fido-authenticator v0.1.1-nitrokey.4 (FIDO2)
- secrets v0.11.0 (OTP and Passwords)
- opcard v1.1.0 (OpenPGP)
Changes
Features
- Upgrade the secrets function to version 0.11.0, adding support for static passwords and KeePassXC integration (#278)
Changed
- Upgrade the OpenPGP function to version 1.1.0, fixing minor specification compliance issues and an unlikely data corruption scenario
Fixed
- Upgrade ctaphid-dispatch, fixing panics after cancelled operations