github trustcrypto/OnlyKey-Firmware v0.2-beta.6
OnlyKey Firmware Beta 6


Beta 6 "OnlyKey Quantum" Release Notes

This release of OnlyKey firmware adds many new features, some of which are the first of their kind anywhere.

To update OnlyKey, follow the instructions in the User's Guide.

New Major Features

OpenPGP Everywhere

First, we implemented a communication channel over U2F to support OpenPGP in any browser that supports U2F. This means no drivers or software are needed -- it works directly in Google Chrome and Firefox Quantum. Second, we integrated with Keybase.io to manage public keys. This means that to send a secure message, all that is required is the Keybase, Facebook, or Twitter ID of the recipient, and your private key never leaves your OnlyKey. We have documented the details of this open source implementation and it is ready for integration into other OpenPGP compatible projects.

Our New Open Source Apps

WebCrypt - This is a great on-the-go OpenPGP option. If you need to send a secure message, just browse to https://apps.crp.to/encrypt-test and compose a message. Your private key always stays safe on OnlyKey, and, since WebCrypt is a static webpage, all of the work is done in your browser through JavaScript. This means that the message you compose is never sent out over the internet. Once your message is encrypted, you can paste it into an email, IM, or whatever. To decrypt, browse to https://apps.crp.to/decrypt-test. Currently this app is available for testing and a production app will be ready soon.

BrowserCrypt - This is a good everyday-use OpenPGP option. If you need to send a secure message, just add the BrowserCrypt Chrome extension and your Keybase friends one time. Then, whenever you want to send secure messages, just right click and select who you are sending the message to. Currently this app is available for testing and a production app will be ready soon.

Easy SSH Authentication

In this release, we have streamlined SSH authentication. Now, a unique key is generated automatically on OnlyKey for every username@hostname combination. It's super easy to set up, and then OnlyKey can log you in automatically:

  1. Generate a public key using onlykey-agent:
    $ onlykey-agent user@example.com
  2. Log in to your server as usual and add the line containing the output from the previous step to the ~/.ssh/authorized_keys file on your server, e.g.:

ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFwsFGFI7px8toa38FVeBIKcYdBvWzYXAiVcbB2d1o3zEsRB6Lm/ZuCzQjaLwQdcpT1aF8tycqt4K6AGI1o+qFk= user@example.com

  3. From now on, you can log in to your server with OnlyKey using the following command:
    $ onlykey-agent -c user@example.com

Other Features

On-The-Go slot labels

Hold down the #2 button for 5 seconds to type out the SLOT labels. This means if you're not sure what account is stored in an OnlyKey slot, and you don't have the OnlyKey app or the provided card handy, you can still easily find out.

On-The-Go Google Authenticator (TOTP)

One thing that users may notice is that if you don't have the OnlyKey App installed, instead of typing out the 6 digit OTP code, OnlyKey types out "NOTSET". This is because the OnlyKey App sends the current time to OnlyKey when it is first plugged in. (TOTP stands for Time-based One-time Password and the current time is required for it to work.) A device like OnlyKey that has no battery is unable to keep the current time. With the introduction of WebCrypt, this is no longer an issue. If you don't have the OnlyKey App installed, you can still use Google Authenticator codes on-the-go by browsing to https://apps.crp.to/encrypt-test before you try to log in. WebCrypt automatically sets the time on OnlyKey.
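Why a token without a clock cannot produce a code until a host sets the time, as an added example (not OnlyKey firmware code). The `BatterylessToken` class and its uptime bookkeeping are a hypothetical model; `totp` follows RFC 6238 with HMAC-SHA1, and the secret is the RFC's published test key.

```python
import hashlib
import hmac
import struct

def totp(secret, unix_time, digits=6, step=30):
    """RFC 6238 TOTP with HMAC-SHA1, the scheme Google Authenticator uses."""
    counter = struct.pack(">Q", unix_time // step)   # number of 30 s steps since epoch
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                          # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

class BatterylessToken:
    """Hypothetical model of a token with no real-time clock."""
    def __init__(self, secret):
        self.secret = secret
        self.time_at_sync = None      # wall-clock time is unknown after power-up
        self.uptime_at_sync = None

    def set_time(self, host_unix_time, uptime):
        # The host (desktop app or web page) supplies the time once per power-up.
        self.time_at_sync = host_unix_time
        self.uptime_at_sync = uptime

    def type_otp(self, uptime):
        if self.time_at_sync is None:
            return "NOTSET"           # no time reference, so no valid code exists
        now = self.time_at_sync + (uptime - self.uptime_at_sync)
        return totp(self.secret, now)

if __name__ == "__main__":
    token = BatterylessToken(b"12345678901234567890")  # RFC 6238 test secret
    print(token.type_otp(uptime=3))                    # before any host sets the time
    token.set_time(1111111099, uptime=5)
    print(token.type_otp(uptime=15))                   # 10 s later: 1111111109
```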

U2F backup/restore

U2F uses a counter that increments every time a user authenticates. This is good for security, but is a problem for backup and restore of a U2F profile. With this release, the counter is automatically incremented (using current time as counter). This means that U2F may now be backed up and restored seamlessly. You can even have two OnlyKeys (primary and backup) that are registered as the same U2F security key and both will work to log in.
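How a relying party's counter check behaves with a stored counter versus a time-derived one, as an added example (not OnlyKey firmware code). The class names, the choice of Unix seconds as the counter value and the timestamps are assumptions made for illustration.

```python
import struct

class RelyingParty:
    """Server-side U2F counter check: accept only strictly increasing values."""
    def __init__(self):
        self.last_seen = {}  # key handle -> last accepted counter

    def accept(self, key_handle, counter_bytes):
        # The U2F authentication response carries a 4-byte big-endian counter.
        (counter,) = struct.unpack(">I", counter_bytes)
        if counter <= self.last_seen.get(key_handle, 0):
            return False  # stale counter: treated as a possible clone or replay
        self.last_seen[key_handle] = counter
        return True

class StoredCounterToken:
    """Conventional token: counter is persisted on the device and copied by a backup."""
    def __init__(self, counter=0):
        self.counter = counter

    def sign(self, now):
        self.counter += 1
        return struct.pack(">I", self.counter)

    def backup(self):
        return StoredCounterToken(self.counter)

class TimeCounterToken:
    """Counter derived from the clock (assumption: Unix seconds, 32 bits)."""
    def sign(self, now):
        return struct.pack(">I", now & 0xFFFFFFFF)

    def backup(self):
        return TimeCounterToken()

def simulate(token, start=1_510_000_000):  # constructed start time
    """Back up, keep using the primary, then use the restored copy, then the primary."""
    rp, handle = RelyingParty(), "kh-1"
    spare = token.backup()
    results = [rp.accept(handle, token.sign(start + 60 * i)) for i in range(3)]
    results.append(rp.accept(handle, spare.sign(start + 600)))  # restored device
    results.append(rp.accept(handle, token.sign(start + 660)))  # primary again
    return results

if __name__ == "__main__":
    print("stored counter:", simulate(StoredCounterToken()))
    print("time counter:  ", simulate(TimeCounterToken()))
```

Under these assumptions the restored device is rejected only in the stored-counter case. With a time-derived counter the relying party can no longer tell the two devices apart, so the counter stops acting as a clone signal for that registration.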

Yubico OTP backup/restore

The same counter issue applies to Yubico's Open Source OTP implementation. With this release, the counter is automatically incremented when a restore occurs to enable seamless backup and restore. You can still only have one Yubico OTP device active at any time; when you restore, the new OnlyKey becomes the active device.

OnlyKey input delay

After unlock and after entering a challenge code, there is now an input delay of a few seconds to mitigate accidental button presses.

SSH now supports P256 and Curve25519 keys.

TweetNaCl used for end-to-end encryption between WebCrypt/BrowserCrypt and OnlyKey.

On-device key generation for ECC keys (Curve25519, NIST P256, secp256k1)

The public key is returned to the app. Support for this feature in the app will be added in a future release.

On-device backup key generation for ECC keys (Curve25519, NIST P256, secp256k1).

The private key is returned to the app. Support for this feature in the app will be added in a future release.

On-The-Go key labels

Just as with slot labels, the key labels can be typed out. Holding down the #3 button for 5 seconds will type out the key labels. Key labels permit setting a name for keys (e.g., "My email key") and will be used by future app releases.

Linux Typing Issue Fix

With a recent Linux release, capital letters were not working correctly. Thanks to user Alexey for reporting this issue and identifying a fix. The fix has been implemented in this release. More details here.

Additional Character Fields

Some web pages do not automatically highlight username and OTP fields. This requires setting a delay so that there is time to manually click in the field. With this release we are adding an option to enter a tab before the username and OTP entry to add wider support for web pages that do this. More details here. Support for this feature in the app will be added in a future release.

SHA 256 checksums

OnlyKey_Beta6_STD_Color.cpp.hex
68f2ba7a23e6d4983cb47d4318e8eedbb86ecdf094feaf4928383ade88eb9150

OnlyKey_Beta6_STD_Original.cpp.hex
309da576981b0f9cf811f577467c8e214ce761bc543f7a469eed25e43c0dd811

OnlyKey_Beta6_IN-TRVL_Original.cpp.hex
018c2f3fda8f958653e9e3f0c686ca1b9f84c2d5f1dab182b6efa8d2428234e8

OnlyKey_Beta6_IN-TRVL_Color.cpp.hex
d50ffa47c1e201fea4f77cddc3ad49e3afeb5873c537281569df65d12e27749d
