Why Kryptonite?

Kryptonite combines the secure key storage of a USB smart card with a familiar mobile phone interface. The Kryptonite app performs SSH signatures on the phone, so the private key is never revealed to the paired computer. A Kryptonite SSH key works with unmodified servers, so users can secure their GitHub, AWS, and Google Cloud SSH authentication without any changes to their infrastructure. Communication with Kryptonite occurs over encrypted and signed push notifications and Bluetooth, which keeps signing requests available and low-latency. Kryptonite also verifies and displays exactly which server is being logged in to, unlike USB solutions that have no user interface.


What's wrong with other solutions?

Password-based authentication

It is well known that users reuse passwords, or small variations on them, across different services, so that a compromise of one becomes a compromise of many. Requiring users to remember a highly random password for every service is unreasonable, and many passwords are brute-forceable. Finally, passwords are annoying to type every time code is pushed or you log in to a server.

Public-key authentication

Public key authentication requires storage of a private key, and generally this key is stored in plaintext in the user's home directory (~/.ssh). Any user-level process or malware can read, use, and exfiltrate the private key without the user's knowledge. A passphrase-encrypted key is decrypted when the passphrase is entered and handed to a running SSH agent; from then on, any user-level process or malware can ask the agent to sign with the decrypted key, again without the user's knowledge. Furthermore, the same malware can pose as an SSH agent by pointing the SSH_AUTH_SOCK environment variable at its own socket: the next time the user runs ssh-add (or ssh with AddKeysToAgent enabled), the decrypted private key is handed to the impostor in plaintext.
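The two conditions described above (a passphrase-less key sitting in ~/.ssh, and SSH_AUTH_SOCK pointing somewhere other than your own agent's socket) are both checkable from the workstation. The following audit script is an added example, not Kryptonite or krypt.co code; it assumes a Unix host, inspects only the key file envelope (the openssh-key-v1 cipher and KDF names, the PKCS#8 header, or the legacy PEM Proc-Type header) without touching key material, and the helper names and the constructed sample key are ours.

```python
"""Added example: audit a ~/.ssh directory for passphrase-less private keys and
sanity-check the SSH_AUTH_SOCK target. Not Kryptonite code; helper names are ours."""
import base64
import os
import stat
import struct
from pathlib import Path

OPENSSH_MAGIC = b"openssh-key-v1\x00"


def _ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (uint32 big-endian length + bytes)."""
    return struct.pack(">I", len(data)) + data


def _read_string(blob: bytes, off: int):
    """Decode one SSH wire-format string at offset `off`; return (bytes, next offset)."""
    if off + 4 > len(blob):
        raise ValueError("truncated openssh-key-v1 blob")
    (n,) = struct.unpack(">I", blob[off:off + 4])
    start, end = off + 4, off + 4 + n
    if end > len(blob):
        raise ValueError("truncated openssh-key-v1 blob")
    return blob[start:end], end


def classify_private_key(text: str) -> str:
    """Return 'plaintext', 'encrypted' or 'unknown' for the text of a private key file.

    openssh-key-v1 records its cipher and KDF names up front ('none'/'none' means
    no passphrase); PKCS#8 distinguishes BEGIN PRIVATE KEY from BEGIN ENCRYPTED
    PRIVATE KEY; legacy PEM keys carry 'Proc-Type: 4,ENCRYPTED' when protected.
    """
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if not lines or not lines[0].startswith("-----BEGIN ") or not lines[0].endswith("-----"):
        return "unknown"
    header = lines[0]
    if header == "-----BEGIN OPENSSH PRIVATE KEY-----":
        body = "".join(ln for ln in lines[1:] if not ln.startswith("-----"))
        blob = base64.b64decode(body)
        if not blob.startswith(OPENSSH_MAGIC):
            return "unknown"
        off = len(OPENSSH_MAGIC)
        cipher, off = _read_string(blob, off)
        kdf, off = _read_string(blob, off)
        return "plaintext" if cipher == b"none" and kdf == b"none" else "encrypted"
    if header == "-----BEGIN ENCRYPTED PRIVATE KEY-----":
        return "encrypted"
    if header == "-----BEGIN PRIVATE KEY-----":
        return "plaintext"
    if header.endswith(" PRIVATE KEY-----"):  # legacy PEM (RSA/DSA/EC)
        encrypted = any(ln.startswith("Proc-Type: 4,ENCRYPTED") for ln in lines)
        return "encrypted" if encrypted else "plaintext"
    return "unknown"


def audit_ssh_dir(directory) -> dict:
    """Map each private-key-looking file in `directory` to its classification."""
    results = {}
    directory = Path(directory)
    if not directory.is_dir():
        return results
    for path in sorted(directory.iterdir()):
        if not path.is_file() or path.suffix == ".pub":
            continue
        try:
            text = path.read_text(errors="replace")
        except OSError:
            continue
        status = classify_private_key(text)
        if status != "unknown":
            results[path.name] = status
    return results


def check_agent_socket(sock_path) -> str:
    """Classify the SSH_AUTH_SOCK target. ssh-add hands decrypted keys to whatever
    listens there, so it should at least be a socket owned by the current user."""
    if not sock_path:
        return "unset"
    try:
        st = os.stat(sock_path)
    except OSError:
        return "missing"
    if not stat.S_ISSOCK(st.st_mode):
        return "not-a-socket"
    if st.st_uid != os.getuid():
        return "foreign-owner"
    return "ok"


def fake_openssh_key(cipher: bytes, kdf: bytes) -> str:
    """Constructed sample: a syntactically valid openssh-key-v1 envelope around
    placeholder bytes (not a real key), used only to exercise the parser."""
    blob = (OPENSSH_MAGIC + _ssh_string(cipher) + _ssh_string(kdf) + _ssh_string(b"")
            + struct.pack(">I", 1) + _ssh_string(b"placeholder-public")
            + _ssh_string(b"placeholder-private-section"))
    b64 = base64.b64encode(blob).decode()
    wrapped = "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{wrapped}\n-----END OPENSSH PRIVATE KEY-----\n"


if __name__ == "__main__":
    print(audit_ssh_dir(Path.home() / ".ssh"))
    print("SSH_AUTH_SOCK:", check_agent_socket(os.environ.get("SSH_AUTH_SOCK")))
```

A "plaintext" verdict means the file is usable as-is by any process running as you; an "encrypted" verdict only moves the exposure to the agent, which is the point the paragraph above makes. The socket check is deliberately weak: a same-user impostor passes it, since malware running as you owns its socket just as ssh-agent does, which is why the fix is to keep the key off the workstation altogether.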

Two-factor authentication

Adding two-factor authentication to either password or public key authentication requires changes to every SSH server. In some cases, such as third-party hosted services (GitHub, Bitbucket, etc.), integrating third-party two-factor is impossible. Many solutions require users to type a 6-digit passcode for every login, and others rely on a centralized server to perform the two-factor verification.

Smart Cards

With a smart card you can generate and store SSH keys in a separate piece of hardware connected via USB. While the private key might not be extractable from the device, users now have to purchase and carry around another piece of hardware that takes up a USB port. Configuration of the smart card occurs on the workstation itself, which may be compromised. When you approve a signature, the only information conveyed to you is a blinking light, meaning you don't know what you're actually signing.


Read more on our blog

Say hello! hello@krypt.co