Advanced
Mailing List Archive

Mailing List Archive

  1. Home >
  2. GnuPG>
  3. users
gnupg 'signing server'? Looking for advice on key management/security
jsbiff at weldingengineering
Nov 12, 2023, 6:50 AM
Post #1 of 13 (377 views)
Permalink
Hi,

   So, I want to start using Gnupg more to sign things. Right now, in
addition to GnuPG having access to my private key, to use
signing/encryption in my email client, requires allowing the openpgp
implementation in the email client to access my private key. Which, I
think I'm OK with as it's a local client, but, I got to thinking about
the problem of access to the private key.

Of course, the whole premise of public key encryption is that your
private key is a closely guarded secret. Which raises the question, how
does one USE the private key, without risking exposing it.

There are multiple problems, it seems to me, and I'm sure as I'm about
20 years late to the party, that others have identified these and more,
so I wonder if I can get recommendations to articles/blog posts online,
or books, or any wisdom the subscribers of this list can impart.

But, the problems that have occurred to me:

* Even if one only uses the key locally on one or two 'trusted' devices,
there is still the problem of multiplying how many different apps might
have access to your private key - and the more apps, the more points of
potential failure/leakage of your key. Any app that has been maliciously
trojaned by some bad actor, could steal your private key, and transmit
it to some third party, or even allow a third party to simply sign or
encrypt data using the local app, that isn't yours, as if it came from you.

* The problem gets worse when you think about things like online
services - if you are using an online email or messaging provider, or
photo sharing service, document/file sharing service, online social
media service, it seems like it would be a really bad idea to upload
your private key to those services and trust them with that. Now, maybe
you might use subkeys are a sort of partial solution to that -
generating service-specific and revocable subkeys for each specific
service, and never providing the master private key, but that still
presents a risk that any of those subkeys might be stolen.

* Using a strong password to encrypt and protect the private key, while
a good idea, doesn't really solve the problem, because at some point, to
use the private key, you have to provide the password so it can be
decrypted to be used, and every time you provide the password, it
presents an opportunity for the key to be stolen.

It seems to me that maybe the best way to resolve many of these risks,
at least, to reduce the 'surface area' of the risk, is to only have ONE
app (ideally, gnupg) that EVER accesses the private key, and that ALL
other requests to encrypt or sign data be brokered through a 'gnupg
server' running on my trusted device, where connections to the server
are encrypted, and when I want data to be signed or encrypted with my
private key, whatever app I'm using to originate the data connects to
gnupg and requests signing or encryption as a service from the server.
Then, gnupg could present the data to me for verification that no
man-in-the-middle or malicious app has altered the data before
submitting it for signing/encryption, then I provide my password just to
gnupg, which would sign or encrypt the payload and pass it back to the
original app or web service.

Is there an easy way to use gnupg like this? It would be lovely if, for
example, when I'm posting on a social media platform, if I could
configure the social media app to connect to my local 'gnupg server' and
have all my posts and shared photos/videos signed. Of course, this would
require support in those third party apps to have the necessary code to
make that connection to gnupg, but, as a starting point, I'm not clear
if there is even any standard protocol for such a service, or if gnupg
implements it?

Attached Files:

Re: gnupg 'signing server'? Looking for advice on key management/security [ In reply to ]
gnupg-users at gnupg
Nov 12, 2023, 11:21 AM
Post #2 of 13 (377 views)
Permalink
Jeff Schmidt <jsbiff@weldingengineering.com> writes:

> Hi,
>
>    So, I want to start using Gnupg more to sign things. Right now, in
> addition to GnuPG having access to my private key, to use
> signing/encryption in my email client, requires allowing the openpgp
> implementation in the email client to access my private key. Which, I
> think I'm OK with as it's a local client, but, I got to thinking about
> the problem of access to the private key.
>
> Of course, the whole premise of public key encryption is that your
> private key is a closely guarded secret. Which raises the question,
> how does one USE the private key, without risking exposing it.
>
> There are multiple problems, it seems to me, and I'm sure as I'm about
> 20 years late to the party, that others have identified these and
> more, so I wonder if I can get recommendations to articles/blog posts
> online, or books, or any wisdom the subscribers of this list can
> impart.
>
> But, the problems that have occurred to me:
>
> * Even if one only uses the key locally on one or two 'trusted'
> devices, there is still the problem of multiplying how many
> different apps might have access to your private key - and the more
> apps, the more points of potential failure/leakage of your key. Any
> app that has been maliciously trojaned by some bad actor, could
> steal your private key, and transmit it to some third party, or even
> allow a third party to simply sign or encrypt data using the local
> app, that isn't yours, as if it came from you.
>
> * The problem gets worse when you think about things like online
> services - if you are using an online email or messaging provider,
> or photo sharing service, document/file sharing service, online
> social media service, it seems like it would be a really bad idea to
> upload your private key to those services and trust them with that.
> Now, maybe you might use subkeys are a sort of partial solution to
> that - generating service-specific and revocable subkeys for each
> specific service, and never providing the master private key, but
> that still presents a risk that any of those subkeys might be
> stolen.
>
> * Using a strong password to encrypt and protect the private key,
> while a good idea, doesn't really solve the problem, because at some
> point, to use the private key, you have to provide the password so
> it can be decrypted to be used, and every time you provide the
> password, it presents an opportunity for the key to be stolen.
>
> It seems to me that maybe the best way to resolve many of these risks,
> at least, to reduce the 'surface area' of the risk, is to only have
> ONE app (ideally, gnupg) that EVER accesses the private key, and that
> ALL other requests to encrypt or sign data be brokered through a
> 'gnupg server' running on my trusted device, where connections to the
> server are encrypted, and when I want data to be signed or encrypted
> with my private key, whatever app I'm using to originate the data
> connects to gnupg and requests signing or encryption as a service from
> the server. Then, gnupg could present the data to me for verification
> that no man-in-the-middle or malicious app has altered the data before
> submitting it for signing/encryption, then I provide my password just
> to gnupg, which would sign or encrypt the payload and pass it back to
> the original app or web service.
>
> Is there an easy way to use gnupg like this? It would be lovely if,
> for example, when I'm posting on a social media platform, if I could
> configure the social media app to connect to my local 'gnupg server'
> and have all my posts and shared photos/videos signed. Of course, this
> would require support in those third party apps to have the necessary
> code to make that connection to gnupg, but, as a starting point, I'm
> not clear if there is even any standard protocol for such a service,
> or if gnupg implements it?

You may want to consider using an OpenPGP smartcard (for example, a
Yubikey). Seems that you are a good fit.

Using a OpenPGP smartcard, the private key never leaves the smartcard.
The smartcard can also be used on a smartphone that has NFC support.

Cheers

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: gnupg 'signing server'? Looking for advice on key management/security [ In reply to ]
gnupg-users at gnupg
Nov 12, 2023, 5:46 PM
Post #3 of 13 (377 views)
Permalink
Daniel Cerqueira via Gnupg-users wrote:
> Jeff Schmidt <jsbiff@weldingengineering.com> writes:
>
> [...]
> You may want to consider using an OpenPGP smartcard (for example, a
> Yubikey). Seems that you are a good fit.
>
> Using a OpenPGP smartcard, the private key never leaves the smartcard.
> The smartcard can also be used on a smartphone that has NFC support.
>

The problem here is that, while the key never leaves the smartcard, the
/entire/ device that accesses the smartcard must be trusted, as a
backdoor on the device could steal plaintext or submit extra items for
signing. A PIN does not solve the problem, since the PIN is entered on
the device, which could be backdoored to store the PIN and submit it
along with Mallory's messages for the smartcard to sign---and the card
will sign it, since the PIN checks out...

Smartcards make silently duplicating the key difficult (supposedly
infeasible) but do not solve the general problems with network-connected
devices.


-- Jacob


_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: gnupg 'signing server'? Looking for advice on key management/security [ In reply to ]
gnupg-users at gnupg
Nov 12, 2023, 10:09 PM
Post #4 of 13 (377 views)
Permalink
On Sun, 2023-11-12 at 19:46 -0600, Jacob Bachmeyer wrote:
> A PIN does not solve the problem, since the PIN is entered on
> the device, which could be backdoored to store the PIN

That's why card readers with pinpads were invented, and GnuPG also
supports that:
https://www.gnupg.org/howtos/card-howto/en/ch02s02.html

Other ideas to improve isolation:
* If you trust your Linux distribution in general but not every single
desktop app, you can use a separate Linux user for sensitive
activities.
* You can use GnuPG Agent Forwarding via SSH to sign a file on a less
trusted server from a more trusted client. This way your PIN is entered
on the more trusted client machine.

Regards
Stephan

Attached Files:

Re: gnupg 'signing server'? Looking for advice on key management/security [ In reply to ]
gnupg-users at gnupg
Nov 13, 2023, 12:04 AM
Post #5 of 13 (377 views)
Permalink
Am 2023-11-13 07:09, schrieb Stephan Verbücheln via Gnupg-users:
> On Sun, 2023-11-12 at 19:46 -0600, Jacob Bachmeyer wrote:
>> A PIN does not solve the problem, since the PIN is entered on
>> the device, which could be backdoored to store the PIN
>
> That's why card readers with pinpads were invented, and GnuPG also
> supports that:
> https://www.gnupg.org/howtos/card-howto/en/ch02s02.html
>
> Other ideas to improve isolation:
> * If you trust your Linux distribution in general but not every single
> desktop app, you can use a separate Linux user for sensitive
> activities.
> * You can use GnuPG Agent Forwarding via SSH to sign a file on a less
> trusted server from a more trusted client. This way your PIN is entered
> on the more trusted client machine.

What can you sign?
Non-complete answer:
- git commits
- files
- emails

How can you sign emails?
Non-complete answer:
- webmail interface
- MUA with pgp support

From which systems can you use such email signatures?
Non-complete answer:
- Android
- iOS
- Windows
- MacOS
- Linux
- FreeBSD
- your TV (e.g. if it has a web browser)

Yubikey or similar and agent forwarding can't be used when I am not at
home and access my webmail interface (I want to have a big screen for
certain emails), typically this is not supported by a webmail interface.
Agent forwarding can't be used for this use case too.
I'm interested to hear about a Android App which supports yubikeys, but
this is curiosity, as it doesn't help with the above case of a webmail
interface.

Right now, there is no solution which allows an android app, a webmail
interface from the work-PC and a MUA or webmail interface on/from your
PC at home (no matter which OS) to use _1_ central location of your
private key (so far you may be able to have it stored in your webmail
solution, and on your yubikey for apps/git/files but the last part
depends on something which is able to forward it to remote locations,
which doesn't work if you need to use a web-interface based ssh gateway
solution instead of direct ssh access). Feel free to prove me wrong, I
would love to have a solution for this.

Note, while looking up something related, I found an old German overview
about the email-apps situation from the authors of GPG for the German
ministry of information security:
https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/Studien/OpenPGP/openpgpandroid.pdf?__blob=publicationFile&v=2
I have fast-read some parts and it looks like the situation hasn't
really changed in the last 8 years.

If you think about it (I just invested 1 minute), you would need:
- some server with your private key which is reachable from everywhere
- a safe authentication possibility to it
- a remote signing protocol
- support in all apps/MUAs/...

One could argue, that you put OIDC in front of gnupg-agent on a network
socket and you have covered the 3 first items (but I would bet it is not
as simple as that). Then it would be simply support in all the
apps/MUAs/... (webmail interfaces which use gnupg-agent already, would
be simple to convert if gnupg-agent would have a proxy feature which
would connect to the remote agent).

Bye,
Alexander.

--
http://www.Leidinger.net Alexander@Leidinger.net: PGP 0x8F31830F9F2772BF
http://www.FreeBSD.org netchild@FreeBSD.org : PGP 0x8F31830F9F2772BF

Attached Files:

Re: gnupg 'signing server'? Looking for advice on key management/security [ In reply to ]
gnupg-users at gnupg
Nov 13, 2023, 1:29 AM
Post #6 of 13 (377 views)
Permalink
His original post was about signing files, not reading encrypted mails.
Of course, everything gets complicated when you want to read the same
mails from many devices.

What would be the point of such a server? Having a server like that
appears dangerous to me. How is it protecting the key better than a
smartcard?
The smartcard is convenient for precisely that scenario, you can carry
it in your pocket and use it on any device. And the Agent Forwarding
allows you to use the key on servers without physical access.

On Mon, 2023-11-13 at 09:04 +0100, Alexander Leidinger wrote:
> I'm interested to hear about a Android App which supports yubikeys

I rarely read (encrypted) mails on my phone. However, K-9 Mail plus
OpenKeychain (each available in Google Play and F-Droid) support
Yubikey (and probably any other OpenPGP smartcard) via both USB and NFC
on my Samsung phone.

https://docs.k9mail.app/en/6.400/security/pgp/

I do not like webmail, but as far as I know there are various browser
addons for PGP in webmail.

https://mailvelope.com/

Regards
Stephan

Attached Files:

Re: gnupg 'signing server'? Looking for advice on key management/security [ In reply to ]
gnupg-users at gnupg
Nov 13, 2023, 2:40 AM
Post #7 of 13 (377 views)
Permalink
Hello Alexander,

Am 13.11.23 um 09:04 schrieb Alexander Leidinger via Gnupg-users:
> I'm interested to hear about a Android App which supports yubikeys, but
> this is curiosity, as it doesn't help with the above case of a webmail
> interface.

As far I know 'Openkeychain' supports OpenPGP smartcards (Yubikey and
Nitrokey) via USB and NFC.

best regards
Juergen

--
/¯\ No |
\ / HTML | Juergen Bruckner
X in | juergen@bruckner.email
/ \ Mail |

Attached Files:

Re: gnupg 'signing server'? Looking for advice on key management/security [ In reply to ]
gnupg-users at gnupg
Nov 13, 2023, 3:46 AM
Post #8 of 13 (377 views)
Permalink
Jacob Bachmeyer <jcb62281@gmail.com> writes:

> The problem here is that, while the key never leaves the smartcard,
> the /entire/ device that accesses the smartcard must be trusted, as a
> backdoor on the device could steal plaintext or submit extra items for
> signing. A PIN does not solve the problem, since the PIN is entered
> on the device, which could be backdoored to store the PIN and submit
> it along with Mallory's messages for the smartcard to sign---and the
> card will sign it, since the PIN checks out...
>
> Smartcards make silently duplicating the key difficult (supposedly
> infeasible) but do not solve the general problems with
> network-connected devices.

If you don't trust pinentry, maybe you should also not trust gnupg. They
are from the same project (gnupg.org).

I believe is best for you not to use gnupg and pinentry, until you
review it.

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: gnupg 'signing server'? Looking for advice on key management/security [ In reply to ]
gnupg-users at gnupg
Nov 13, 2023, 8:23 PM
Post #9 of 13 (377 views)
Permalink
Daniel Cerqueira wrote:
> Jacob Bachmeyer <jcb62281@gmail.com> writes:
>
>
>> The problem here is that, while the key never leaves the smartcard,
>> the /entire/ device that accesses the smartcard must be trusted, as a
>> backdoor on the device could steal plaintext or submit extra items for
>> signing. A PIN does not solve the problem, since the PIN is entered
>> on the device, which could be backdoored to store the PIN and submit
>> it along with Mallory's messages for the smartcard to sign---and the
>> card will sign it, since the PIN checks out...
>>
>> Smartcards make silently duplicating the key difficult (supposedly
>> infeasible) but do not solve the general problems with
>> network-connected devices.
>>
>
> If you don't trust pinentry, maybe you should also not trust gnupg. They
> are from the same project (gnupg.org).
>
> I believe is best for you not to use gnupg and pinentry, until you
> review it.

My point is that smartcards do not magically increase security beyond
the private key wrapping encryption built in to GPG, and provide little
actual security benefit unless less-common steps (such as using a card
reader with its own PIN pad) are taken. (The convenience of being able
to simply move the card between devices may be useful for some users.)

The issue here is not GPG or its associated pinentry program or any
question of their integrity. The issue is the possibility of the
computer being tampered while I am away from it, or potentially, via the
network, right under my nose. (Consider the overall security of the
typical Android device.) So far, smartcards do not seem to provide any
better protection in this case than GPG's own security features. Such
tampering would enable the theft of the GPG key passphrase or card PIN
in either case. In other words, the same attacks that can effectively
break GPG's built in security also effectively break a smartcard by
enabling the unauthorized use of the key on the card.

That is ignoring the additional risk that few if any smartcards use Free
firmware, and are, by design, nearly impossible to verify. A secret
backdoor on the smartcard cannot be categorically ruled out, although
such a violation of trust would be expected to effectively remove the
card's manufacturer from the market should it come to light.


-- Jacob


_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: gnupg 'signing server'? Looking for advice on key management/security [ In reply to ]
hfollmann at itcfollmann
Nov 13, 2023, 10:12 PM
Post #10 of 13 (377 views)
Permalink
On Mon, Nov 13, 2023 at 10:23:16PM -0600, Jacob Bachmeyer via Gnupg-users wrote:
> Daniel Cerqueira wrote:
> > Jacob Bachmeyer <jcb62281@gmail.com> writes:
> >
>
[...]

> My point is that smartcards do not magically increase security beyond the
> private key wrapping encryption built in to GPG, and provide little actual
> security benefit unless less-common steps (such as using a card reader with
> its own PIN pad) are taken. (The convenience of being able to simply move
> the card between devices may be useful for some users.)
>
> The issue here is not GPG or its associated pinentry program or any question
> of their integrity. The issue is the possibility of the computer being
> tampered while I am away from it, or potentially, via the network, right
> under my nose. (Consider the overall security of the typical Android
> device.) So far, smartcards do not seem to provide any better protection in
> this case than GPG's own security features. Such tampering would enable the

Yes it does. The key can't be copied and taken away from the device. This
is an advantage.


> theft of the GPG key passphrase or card PIN in either case. In other words,
> the same attacks that can effectively break GPG's built in security also
> effectively break a smartcard by enabling the unauthorized use of the key on
> the card.
>
> That is ignoring the additional risk that few if any smartcards use Free
> firmware, and are, by design, nearly impossible to verify. A secret
> backdoor on the smartcard cannot be categorically ruled out, although such a
> violation of trust would be expected to effectively remove the card's
> manufacturer from the market should it come to light.

nitrokey publishes its card firmware and it can be updated and
independently audited.
There is also the OpenPGP card. IIRC the firmware is also available.

Yubikey does not publish the key firmware but they have an independent
auditing process in place IIRC.

-H

--
Henning Follmann | hfollmann@itcfollmann.com


_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: gnupg 'signing server'? Looking for advice on key management/security [ In reply to ]
gnupg-users at gnupg
Nov 14, 2023, 6:52 PM
Post #11 of 13 (377 views)
Permalink
Henning Follmann wrote:
> On Mon, Nov 13, 2023 at 10:23:16PM -0600, Jacob Bachmeyer via Gnupg-users wrote:
>
>> Daniel Cerqueira wrote:
>>
>>> Jacob Bachmeyer <jcb62281@gmail.com> writes:
>>>
> [...]
>
>
> Yes it does. The key can't be copied and taken away from the device. This
> is an advantage.
>

It is an advantage that is not relevant to network-connected
general-purpose computing devices.

In both cases, the key is secure when not in use. An encrypted private
key is useless without the passphrase and a card is useless without the
PIN. In both cases the key can be further secured by physical
isolation, storing the encrypted key on removable media or keeping the
card out of the reader when not in use. In both cases a "smash and
grab" attack yields nothing of value, either an encrypted key or nothing
at all (smartcard or removable media). That means an intelligent
attacker will attempt to place persistent malware to backdoor the
device. While the theft of both encrypted key and passphrase enables
Mallory to forge signatures at his leisure, persistent malware could
just as easily submit Mallory's messages to the smartcard for signing
after locally stealing the PIN and simply waiting for the unsuspecting
user to insert the card (or bring the token into NFC range... how many
people would put phone and token into the same pocket without a second
thought?).

Once the conditions necessary for an attacker to break GPG's built in
private key security are met, the use of a smartcard is merely an
inconvenience to an attacker. In both cases, the attacker must wait for
the key to be unlocked to produce a legitimate signature and can then,
having stolen the authentication token (passphrase or PIN) used to
unlock the key, produce additional (illegitimate) signatures. The
smartcard adds the minor inconvenience of having to wait for the user to
insert the card, but this does not actually raise the bar for a
successful attack, which is the forging of at least one signature, after
which the key must be revoked.

Note that assuring the integrity of the device at all times that the
card is connected generalizes to "at all times the key is used" for the
GPG built in security case. (If the integrity of the device is assured,
then there can be no malware waiting to steal the passphrase and store
it for later.) If this condition is met, no attack can succeed in
either case. If this condition is not met, Mallory will eventually be
able to forge a signature. Therefore, smartcards do not actually
provide additional security in the typical PGP usage.

Where smartcards are useful is protocols that require an untrusted or
marginally trusted device that does not belong to the user to be able to
produce a signature with the user's key for a short period of time but
not afterwards. Modern payment card systems supposedly are an example
of this, but the EMV protocol has several less-secure legacy modes that
may or may not still be in use. (I do not know if the magstripe
emulation mode has actually been phased out, for example.)


>> [...]
>>
>> That is ignoring the additional risk that few if any smartcards use Free
>> firmware, and are, by design, nearly impossible to verify. A secret
>> backdoor on the smartcard cannot be categorically ruled out, although such a
>> violation of trust would be expected to effectively remove the card's
>> manufacturer from the market should it come to light.
>>
>
> nitrokey publishes its card firmware and it can be updated and
> independently audited.
> There is also the OpenPGP card. IIRC the firmware is also available.
>
> Yubikey does not publish the key firmware but they have an independent
> auditing process in place IIRC.
>

Those are improvements in the field since I had last checked, although
those are still two suppliers out of an entire industry. Thank you for
that information.


-- Jacob

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: gnupg 'signing server'? Looking for advice on key management/security [ In reply to ]
gnupg-users at gnupg
Nov 15, 2023, 2:03 AM
Post #12 of 13 (377 views)
Permalink
On Tue, 14 Nov 2023 20:52, Jacob Bachmeyer said:

> succeed in either case. If this condition is not met, Mallory will
> eventually be able to forge a signature. Therefore, smartcards do not
> actually provide additional security in the typical PGP usage.

In all environments you have the advantage that you don't need to
re-deploy your public keys after a compromise of your signing box.
Sure, there are signatures on software/data out there which are not
legitimate but this is not different from the easier attack of modifying
the software/data before doing the signature.

Further, by inserting the smartcard only when required you limit the
exposure time of the key and hinder attackers to do a lot of
illegitimate signatures or decryption.

The OpenPGP cards feature a signature counter which can give you a hint
on whether it was used by something else than you. It is not a perfect
solution but raises the hurdle for the attacker. By using the smartcard
on different machines you can even avoid malware which fakes the
displaying of the signature counter.

For a policy POV having the key material securely locked away is also an
advantage - even if the data can be decrypted/signed using a smartcard
by malware. The security of the key material and the ability to use the
key material are different topics in a security policy.


Salam-Shalom,

Werner


--
The pioneers of a warless world are the youth that
refuse military service. - A. Einstein

Attached Files:

Re: gnupg 'signing server'? Looking for advice on key management/security [ In reply to ]
gnupg-users at gnupg
Nov 15, 2023, 9:18 PM
Post #13 of 13 (375 views)
Permalink
Werner Koch wrote:
> On Tue, 14 Nov 2023 20:52, Jacob Bachmeyer said:
>
>> succeed in either case. If this condition is not met, Mallory will
>> eventually be able to forge a signature. Therefore, smartcards do not
>> actually provide additional security in the typical PGP usage.
>>
>
> In all environments you have the advantage that you don't need to
> re-deploy your public keys after a compromise of your signing box.
> Sure, there are signatures on software/data out there which are not
> legitimate but this is not different from the easier attack of modifying
> the software/data before doing the signature.
>

This can vary with policy; I consider the known existence of an
illegitimate signature to require the revocation of the signing key.

The easier attack you mention requires the same condition as breaking
GPG's built in security or abusing the user's smartcard: Mallory must
plant persistent malware on the device that would have an opportunity to
modify the item to be signed before GPG reads it and builds the signature.

> Further, by inserting the smartcard only when required you limit the
> exposure time of the key and hinder attackers to do a lot of
> illegitimate signatures or decryption.
>

Yes; that is the "physical isolation" I mentioned as a further layer of
security.

> The OpenPGP cards feature a signature counter which can give you a hint
> on whether it was used by something else than you. It is not a perfect
> solution but raises the hurdle for the attacker. By using the smartcard
> on different machines you can even avoid malware which fakes the
> displaying of the signature counter.
>

The convenience of easily using multiple machines is one of the use
cases for smartcards. While I do not believe that it further
/increases/ security, using a smartcard if keys are used on multiple
machines certainly /preserves/ security while increasing convenience.

On a related note, the easier attack you mention of modifying the item
to be signed would evade checks of the signature counter, since only the
authorized signing event occurred, but the item signed had been tampered
and was not the item the user intended to sign.

> For a policy POV having the key material securely locked away is also an
> advantage - even if the data can be decrypted/signed using a smartcard
> by malware. The security of the key material and the ability to use the
> key material are different topics in a security policy.

Fair enough, although in my security model, the ability for an attacker
to use the key material is the critical failure; insecurity of the key
material implies that failure but the illegitimate use is the problem.


-- Jacob


_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users

©2024 GT.net. A Gossamer Threads company.
5th Floor, 455 Granville St., Vancouver, BC V6C 1T1, Canada | Legal