Mailing List Archive

What are some threats against which OpenPGP smartcards are useful?
Hello,

Through an article [1] in LWN, I stumbled across a thread [2] on this
list that dealt with the usefulness of smartcards for storing
OpenPGP keys.

I understand that OpenPGP smartcards do not protect from a compromise
of the computer system that they are used with. As Peter Lebbing puts
it [3]:

> You don't even have to decrypt the document they're interested in
> yourself, and no external push button will save you. Just decrypt
> a document twice, and the second time, the attacker can use your
> smartcard for their own good while providing the session key they
> logged the first time for your decryption.

But then, what are threats against which smartcards *are* useful?

Robert J. Hansen justifies [4] his use of a smartcard as follows:

> Why don't I want to store the private key on multiple computers?
> Because a good rule of thumb in a forensics lab is "store the minimum
> personal data possible on your systems".

But then he also mentions his 128-bit passphrase and that he would be OK
to publish his (passphrase-protected) private key in a newspaper. Why
then not store it on the disks of multiple computers? Because the
decrypted private key could be stolen from RAM by an attacker? But then
Robert also says that the computer being compromised is a game-over
condition anyway.

I got a smartcard to ssh from computers that I trust reasonably but
where I am not (the only) root to other (more trusted) machines that
I control exclusively and that hold data that I would not store on the
less-trusted machines. From a fundamental point of view a smartcard
does not provide any additional security here, but I have the
impression that in practice it does, because gaining access to the
remote machines becomes more difficult for an attacker (without
a smartcard, installing a simple keylogger is enough). This is the same
kind of imperfect security we rely on in real life, for example with
door locks. Would you agree with me?

Thanks
Christoph

[1] https://lwn.net/Articles/734767/
[2] https://lists.gnupg.org/pipermail/gnupg-users/2017-April/057995.html
[3] https://lists.gnupg.org/pipermail/gnupg-users/2017-April/058136.html
[4] https://lists.gnupg.org/pipermail/gnupg-users/2017-April/058050.html
Re: What are some threats against which OpenPGP smartcards are useful?
Hi Christoph,

There is one feature of smartcards that's hard to reproduce otherwise:
once you pull the smartcard out of the port the attacker can't use it.
If they steal your private keys they can do as they please with it
(until you revoke keys and users refresh your key... that can take some
time). For example if they steal your private encryption subkey they'll
be able to decrypt future communications with you. When you pull out the
smartcard that's where the attack ends.

(One way or another someone having code execution privileges on your
computer is bad.)

Additionally smartcards require PINs and lock the card after several
tries. This is not possible with keys on USB drives.

These two things are really useful when using the same token on multiple
devices (e.g. I use the same card on my laptop and phone).

Kind regards,
Wiktor

--
https://metacode.biz/@wiktor

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: What are some threats against which OpenPGP smartcards are useful?
On 07/01/2020 13:09, Wiktor Kwapisiewicz via Gnupg-users wrote:
> These two things are really useful when using the same token on multiple
> devices (e.g. I use the same card on my laptop and phone).

This is also a very good argument for smartcards - transferring a
private key between devices is error-prone and potentially catastrophic.
Yes, it can be done securely but for non-experts (and even experts!)
having a physical "key" is much more intuitive. How often have we heard
of people accidentally distributing their private key instead of their
public one? Few of them will have a 128-bit secure passphrase like RJH. :-)

--
Andrew Gallagher
Re: What are some threats against which OpenPGP smartcards are useful?
On 2020-01-06 18:26, Christoph Groth wrote:
> Robert J. Hansen justifies [4] his use of a smartcard as follows:
>
>> Why don't I want to store the private key on multiple computers?
>> Because a good rule of thumb in a forensics lab is "store the minimum
>> personal data possible on your systems".
>
> But then he also mentions his 128-bit passphrase and that he would be
> OK to publish his (passphrase-protected) private key in a newspaper. Why
> then not store it on the disks of multiple computers?

Hint: because the phrase "forensics lab" is extremely important in what
I wrote.

I used to (don't any more) work in a forensics lab doing R&D into
recovering data from memory, SSD, and spinning-platter media. While I
was doing this my colleagues were reverse-engineering malware. Our
network was airgapped from the rest of the network, but we were still
paranoid about data getting out -- including information about our
identities. When you're doing reverse engineering on a botnet belonging
to an organized crime syndicate, you really don't want the organized
crime syndicate to discover your name.

I was also using OpenPGP to help move data into and out of our airgapped
network. When a CD came into our lab containing data to be loaded onto
machines, we used OpenPGP to verify its provenance. When we burned a CD
containing data to be removed from the lab, we'd put a signature on it
so the system administrators in the lab outside could be certain that a
specific human being was taking responsibility for the contents of that
CD.

Problem: I didn't want there to be any certificate stored on the lab
machines... because any user ID that identified me would be personal
information of the kind I didn't want to be stored.

Solution: use a smartcard. A smartcard allowed me to make these
signatures while leaving minimal forensic traces.

But, outside of that laboratory environment, I didn't -- still don't --
need to use a smartcard. Usually I just keep the key on the hard drive
of whatever machine I'm using.

Re: What are some threats against which OpenPGP smartcards are useful?
> Few of them will have a 128-bit secure passphrase like RJH. :-)

Dude, the lab I worked in *required* me to use 128-bit secure
passphrases. It was *awful*. And a 180-day change policy. But the
good news is that once you prove to yourself you can do that, the idea
of keeping a 128-bit passphrase on your certificate no longer seems so
crazy.

To quote the movie _Men in Black_, "Give it a few months. You'll get
used to it, or you'll have a psychotic episode."


Re: What are some threats against which OpenPGP smartcards are useful?
Wiktor Kwapisiewicz wrote:

> There is one feature of smartcards that's hard to reproduce otherwise:
> once you pull the smartcard out of the port the attacker can't use it.
>
> (...)

Thanks, that’s a good point! So if one’s concern is signing or
authentication, this is indeed useful. However, if one’s concern is
protecting encrypted secrets that are regularly accessed (like
passwords) and can be thus stolen, there seems to be less of a gain.
Re: What are some threats against which OpenPGP smartcards are useful?
Robert J. Hansen wrote:
> On 2020-01-06 18:26, Christoph Groth wrote:
> >
> > But then he also mentions his 128-bit passphrase and that he would
> > be OK to publish his (passphrase-protected) private key in
> > a newspaper. Why then not store it on the disks of multiple
> > computers?
>
> Hint: because the phrase "forensics lab" is extremely important in
> what I wrote.
>
> (...)

Thanks a lot for the explanation, Rob. Now I understand what you
meant.

> But, outside of that laboratory environment, I didn't -- still
> don't -- need to use a smartcard. Usually I just keep the key on the
> hard drive of whatever machine I'm using.

How about the alternative of keeping small USB keycards (like a Yubikey
nano) permanently plugged into the machines that you are using?
Assuming that you trust the keycards to keep their secrets, wouldn’t
that provide at least the advantage of a much shorter passphrase? Are
there any security disadvantages of such a scheme?

By the way, I would be still interested in expert opinion about the last
paragraph of my original mail, in case someone could spare the time.
Re: What are some threats against which OpenPGP smartcards are useful?
On Tue, Jan 07, 2020 at 14:09:50 +0100, Wiktor Kwapisiewicz via Gnupg-users wrote:
> Additionally smartcards require PINs and lock the card after several
> tries. This is not possible with keys on USB drives.

PINs can also be changed confidently.

The passphrase of the _copy_ of a key on disk can be changed, but you
can't necessarily be confident that it's the only copy. It could have
been copied with or without your knowledge, by you or an adversary.

If you enter your passphrase somewhere and realize after the fact that
someone may have been standing over your shoulder, or there's a security
camera in the distance, an audio recording of your keypresses, or
_anything_ that reduces the keyspace of your passphrase, then an
attacker can brute force the rest offline forever using an old copy of
your key, and there's nothing you can do about it.

--
Mike Gerwitz
Free Software Hacker+Activist | GNU Maintainer & Volunteer
GPG: D6E9 B930 028A 6C38 F43B 2388 FEF6 3574 5E6F 6D05
https://mikegerwitz.com
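
Added example (not part of Mike Gerwitz's message or of the thread): a toy Python model of the difference between changing a card PIN and changing the passphrase on a key file. The protect() stand-in, the ToyCard class, and every passphrase and PIN below are constructed for illustration; they are not the OpenPGP key format or a real card's interface.

```python
import hashlib
import hmac
import itertools
import string

SALT = b"constructed-salt"  # constructed sample value

def protect(passphrase: str) -> bytes:
    """Toy stand-in for a passphrase-protected key file (not the OpenPGP format)."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), SALT, 1000)

def offline_guesses(blob: bytes, known: str, unknown_len: int, alphabet: str):
    """Guess against a copied file: nothing counts or limits the attempts."""
    n = 0
    for n, tail in enumerate(itertools.product(alphabet, repeat=unknown_len), 1):
        guess = known + "".join(tail)
        if hmac.compare_digest(protect(guess), blob):
            return guess, n
    return None, n

class ToyCard:
    """Toy card: the PIN exists once, and the card enforces a retry counter."""
    def __init__(self, pin: str, retries: int = 3):
        self._pin, self._max, self.retries = pin, retries, retries

    def verify(self, guess: str) -> bool:
        if self.retries == 0:
            return False  # blocked: even the right PIN is refused now
        if hmac.compare_digest(guess.encode(), self._pin.encode()):
            self.retries = self._max
            return True
        self.retries -= 1
        return False

    def change_pin(self, old: str, new: str) -> bool:
        if not self.verify(old):
            return False
        self._pin = new
        return True

def demo() -> dict:
    # Key on disk: the passphrase was changed, but an older copy of the file exists.
    old_copy = protect("tulip-river-07")         # copied before the change
    current = protect("a-brand-new-passphrase")  # what is on disk now
    found, tries = offline_guesses(old_copy, "tulip-river-", 2, string.digits)
    # Card: same partial knowledge (all but the last two digits of the PIN).
    card = ToyCard("840215")
    hits = [p for p in (f"8402{i:02d}" for i in range(100)) if card.verify(p)]
    # A second card whose owner changed the PIN after it had been fully observed.
    card2 = ToyCard("840215")
    card2.change_pin("840215", "519973")
    return {"offline_found": found, "offline_tries": tries,
            "old_copy_differs": old_copy != current, "card_hits": hits,
            "card_blocked": card.retries == 0,
            "observed_pin_still_works": card2.verify("840215")}
```

In this model the old file copy still yields the old passphrase after the change, while the card blocks after three wrong guesses and the observed PIN stops working once it is changed.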
Re: What are some threats against which OpenPGP smartcards are useful?
On Tue, Jan 07, 2020 at 00:26:14 +0100, Christoph Groth wrote:
> Through an article [1] in LWN, I stumbled across a thread [2] on this
> list that dealt with the usefulness of smartcards for storing
> OpenPGP keys.

I don't have time to read what I already wrote in that thread, so I'm
sorry if I repeated myself here.

> I understand that OpenPGP smartcards do not protect from a compromise
> of the computer system that they are used with. As Peter Lebbing puts
> it [3]:
>
>> You don't even have to decrypt the document they're interested in
>> yourself, and no external push button will save you. Just decrypt
>> a document twice, and the second time, the attacker can use your
>> smartcard for their own good while providing the session key they
>> logged the first time for your decryption.
>
> But then, what are threats against which smartcards *are* useful?

That's too coarse of a conclusion.

Let's say I decided to plug my Nitrokey into some adversary's computer,
willingly, and enter my PIN. The attacker can make use of the card
while it's plugged in. But operations using the card are very slow, and
I'll notice the light going on more than once. I'll unplug it. Attack
mitigated. The only thing lost is whatever the attacker managed to do
within that time period---decrypt files, sign documents, SSH into remote
machines, etc. (Don't get me wrong: all those are really bad.)

Then I go to a safe location and change my PIN.

Or maybe I'm punched out and my smartcard stolen. I go home, revoke my
subkeys, and have to pay for a new smartcard. And let some people know
that I was beat up and you shouldn't trust anything that was signed in
that time period.

But consider the alternative: if you weren't using a smartcard, and your
key were on disk, all of that still would have happened. But in
addition, your private key has been compromised. You now have to revoke
your entire key. If you've built a web of trust, you have to start
again.

Smart cards _are_ useful even if your system is compromised, because they
still protect your key from offline use. It gives me peace of mind
when it's capped and stored in a safe location.

If you just leave your smart card plugged into your computer 24/7 and
leave your computer on while you're sleeping, that's a problem. It
won't protect you from bad practices.

You can get some of those benefits by e.g. using a laptop as a thin
client and forwarding the GPG agent to a remote box over SSH, and store
the private key on the laptop. The risk is still higher than a
smartcard though.

It all depends on your threat model.

> I got a smartcard to ssh from computers that I trust reasonably but
> where I am not (the only) root to other (more trusted) machines that
> I control exclusively and that hold data that I would not store on the
> less-trusted machines. From a fundamental point of view a smartcard
> does not provide any additional security here, but I have the
> impression that in practice it does, because gaining access to the
> remote machines becomes more difficult for an attacker (without
> a smartcard, installing a simple keylogger is enough). This is the same
> kind of imperfect security we rely on in real life, for example with
> door locks. Would you agree with me?

I use my Nitrokey for SSH as well. Prior to having it, I would store an
SSH key to personal accounts on e.g. my work computer. I cannot fully
trust that system. But today I don't need to do that: I insert the
Nitrokey only when prompted by GPG, immediately remove it, and change my
PIN when I get home. While there's still the risk that the card may be
used for other things by a malicious process, it's pretty well
mitigated. I know how long the light on the smartcard should be on for
and watch it the entire time. I never allow the card to be out of my
view when connected to a system.

Of course, there's also the risk that someone has physically tampered
with the smartcard to suppress the LED under certain
circumstances. This isn't foolproof. But it's better than SSH keys on
my work system.

--
Mike Gerwitz
Free Software Hacker+Activist | GNU Maintainer & Volunteer
GPG: D6E9 B930 028A 6C38 F43B 2388 FEF6 3574 5E6F 6D05
https://mikegerwitz.com
Re: What are some threats against which OpenPGP smartcards are useful?
On 07/01/2020 22:58, Christoph Groth wrote:
> How about the alternative of keeping small USB keycards (like a Yubikey
> nano) permanently plugged into the machines that you are using?
> Assuming that you trust the keycards to keep their secrets, wouldn’t
> that provide at least the advantage of a much shorter passphrase? Are
> there any security disadvantages of such a scheme?

That effectively uses the smartcard as a hardware security module, which
does have some advantages. The disadvantages are that if an attacker has
code execution access to your machine they still have full access to use
the key material. However, they cannot exfiltrate that key material, so
any malfeasance must be performed on your machine directly, which makes
it noisy. That may or may not be a deterrent, depending on your threat
model. It is more secure than having your private keys on disk, it just
may not be sufficiently secure.

--
Andrew Gallagher
Re: What are some threats against which OpenPGP smartcards are useful?
Notice that some features, like the metal contact toggle on some yubikey can mitigate the problem of having an attacker with full local access. You then have to touch the key each time you want to use it, so illegitimate access would be noticed.

On 8 January 2020 13:51:58 GMT+01:00, Andrew Gallagher <andrewg@andrewg.com> wrote:
> On 07/01/2020 22:58, Christoph Groth wrote:
>> How about the alternative of keeping small USB keycards (like a Yubikey
>> nano) permanently plugged into the machines that you are using?
>> Assuming that you trust the keycards to keep their secrets, wouldn’t
>> that provide at least the advantage of a much shorter passphrase? Are
>> there any security disadvantages of such a scheme?
>
> That effectively uses the smartcard as a hardware security module, which
> does have some advantages. The disadvantages are that if an attacker has
> code execution access to your machine they still have full access to use
> the key material. However, they cannot exfiltrate that key material, so
> any malfeasance must be performed on your machine directly, which makes
> it noisy. That may or may not be a deterrent, depending on your threat
> model. It is more secure than having your private keys on disk, it just
> may not be sufficiently secure.
>
> --
> Andrew Gallagher

-- Sent from /e/ Mail.
Re: What are some threats against which OpenPGP smartcards are useful?
On 2020/01/08 17:29, Franck Routier (perso) wrote:
> Notice that some features, like the metal contact toggle on some yubikey
> can mitigate the problem of having an attacker with full local access.
> You then have to touch the key each time you want to use it, so
> illegitimate access would be noticed.

On my yubikey at least, the touch contact is only used for the FIDO 2FA
- the PGP smartcard feature is secured by PIN as per any other smartcard.

--
Andrew Gallagher

Re: What are some threats against which OpenPGP smartcards are useful?
I think this can be configured:

ykman openpgp touch enc on
ykman openpgp touch sig on

Franck

On 8 January 2020 18:35:20 GMT+01:00, Andrew Gallagher <andrewg@andrewg.com> wrote:
> On 2020/01/08 17:29, Franck Routier (perso) wrote:
>> Notice that some features, like the metal contact toggle on some yubikey
>> can mitigate the problem of having an attacker with full local access.
>> You then have to touch the key each time you want to use it, so
>> illegitimate access would be noticed.
>
> On my yubikey at least, the touch contact is only used for the FIDO 2FA
> - the PGP smartcard feature is secured by PIN as per any other smartcard.
>
> --
> Andrew Gallagher

-- Sent from /e/ Mail.