Re: Seeking Assurance on Security and Memory Leaks in SuSE GnuPG

2022-08-27 Thread kho via Gnupg-users
Very interesting question indeed, Tony!

On 8/27/22 15:17, Tony Lee via Gnupg-users wrote:
> I have recently been seeking assurances on protection of sensitive
> data on my SuSE Leap 15.4 system, and protection of passwords.
>
> Issues discussed concern gpg2 2.2.27-150300.3.5.1, and keepassxc
> 2.7.1-bp154.3.3.1; together with hypothetical queries on Yubikey as
> libykpers-1-1 1.19.0-4.19.
>
>
> Protection of Symmetric passwords (or passphrases) usually involves a
> Key Distribution Function (KDF) which "mangles" the User password to
> produce the "master key" which is actually used to encrypt sensitive
> material. The KDF is deliberately designed to be slow (eg thousands to
> millions of AES-256 rounds) and, more recently, also designed to
> require substantial memory (eg Argon2). This is to slow brute-force
> attack on passphrases (which may have limited entropy to permit
> memorability), and (more recently) to limit the use of GPU and/or
> ASIC-based brute-force attack.
>
> The KeePass password safe
> (https://keepass.info/help/base/security.html) helpfully describes its
> security features, such as encryption of whole database, random-salted
> adjustable KDF (multiple AES-256, or Argon2; together with timing of
> KDF function --- eg 1 second). When running: sensitive data stored
> encrypted in secure process memory, and over-writing such memory
> before release. Internal viewer/edit available, which avoids putting
> data onto disk. Anti-keylogger facilities --- although additional
> hardware may be needed to protect against hardware-based keyloggers
> located between keyboard and computer.
>
> Uncertainty: Does a Yubikey make a KeePass password available through
> secure process memory? Can anyone point me to a description?
>
> Having discovered encrypted PDFs are essentially broken
> (https://www.kaspersky.com/blog/36c3-pdf-encryption/33827/), I have
> been looking more carefully at encrypted archive formats, both for
> communication and storage (eg of PDF files), and both during User use
> and for 'data at rest' --- which may be vulnerable to hacking.
>
> As a long-time user of GnuPG, with hindsight I am now concerned at
> having failed to find any description of GnuPG security aspects
> similar to that above for KeePass. Perhaps these security requirements
> are so obvious they do not need describing explicitly, but the cynic
> in me would like to see something more concrete.
>
> Worryingly, the Enigmail Handbook
> (https://www.enigmail.net/documentation/Enigmail_Handbook_1.8_en.pdf
> Section 8.2) merely notes `You should be aware ... that your encrypted
> mails are as safe as allowed by the computer you use Enigmail on. ...
> If your computer is infected with a key logger and a malware that
> grants an intruder remote access on your files, all the cryptographic
> robustness of OpenPGP and the strongest passphrase won't protect your
> messages from being snooped or falsified'. This sounds like a 'Counsel
> of Perfection' which is not particularly helpful.
>
> Does anyone know of a clear description of security aspects in GnuPG,
> comparable to that above for KeePass?
>
> On 29 Nov 2021, Spectra Secure noted
> (https://www.youtube.com/watch?v=j-qBChKG15Y , starting 2:00) that
> although gpg has '--s2k' settings that are supposed to change the weak
> default (cipher, digest hash, and digest-hash rounds-count) algorithms
> from AES-128, SHA-1 and a low count --- for key export --- it will
> ignore these settings without even giving a warning. A bug-report has
> been in place since 2017, although this has never been fixed. However,
> a subsequent comment (from skeeto on reddit) suggested that the
> 'export' gpg protection differed from that of the keyring, so you
> cannot infer a problem with conventional use of the keyring.
>
> OK, so I have been doing a little experimentation. Using the KeePass
> KDF timing of AES-KDF, my 2011 12-thread processor i7-3930K CPU at 3.2
> GHz (CPUMark 8,247) performs a KDF of 23,400,000 AES-KDF rounds in
> 1.0~s (and time was proportional to the number of rounds). This is a
> highly serial process, so must be performed on a single thread. In
> principle, this processor could achieve (say) 12 X 23,400,000 =
> 280,800,000 AES-256 rounds in 1~s while brute-forcing 12 potential
> passwords. The 2021 i7-12700K (CPUMark 34,460: 4.2-fold faster),
> costing less than GBP 400, could in principle achieve one billion (one
> thousand million) AES-256 rounds per second --- and faster speeds
> would be available from multiple processors, GPUs, or ASIC-based
> devices.
>
> We now time the encryption of a 28 Byte or 565 kByte plaintext file,
> with various 'count' values via:
>
> time gpg2 -c --s2k-cipher-algo AES256 --s2k-digest-algo SHA256   \
> --s2k-count 2097152 cleartext_file
>
> with a short 11-character password. In practice, although we are
> timing an encryption, for high 'count' values the KDF process will
> dominate timing, and the known password details will be irrelevant. 
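
An added example (not from the original posts) relating the `--s2k-count` values timed above to what an OpenPGP packet can store: RFC 4880 encodes the iterated-and-salted S2K count in one octet as (16 + (c & 15)) << ((c >> 4) + 6), and the count is the number of octets fed to the hash. The function names are hypothetical, and rounding a request up to the next encodable value is this example's choice.

```shell
#!/bin/sh
# Decode an RFC 4880 coded count octet (0-255) to the octet count it stands for.
s2k_decode() { echo $(( (16 + ($1 & 15)) << (($1 >> 4) + 6) )); }

# Smallest coded octet whose decoded count is >= the requested count.
# Decoded values rise monotonically with the octet, so a linear scan works;
# requests above the maximum are capped at octet 255.
s2k_encode() {
    c=0
    while [ "$c" -lt 255 ] && [ "$(s2k_decode "$c")" -lt "$1" ]; do
        c=$((c + 1))
    done
    echo "$c"
}

# Octet count that can actually be stored for a requested --s2k-count value.
s2k_effective() { s2k_decode "$(s2k_encode "$1")"; }

# SHA-256 consumes 64-octet blocks, so an octet count corresponds to roughly
# count/64 compression-function calls (padding ignored).
s2k_sha256_blocks() { echo $(( $1 / 64 )); }

# Requested values, including the 2097152 used in the command above.
for n in 65536 2097152 3000000 100000000; do
    eff=$(s2k_effective "$n")
    echo "requested=$n stored=$eff sha256_blocks=$(s2k_sha256_blocks "$eff")"
done
```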

Question about redundant smartcard setup

2022-08-19 Thread kho via Gnupg-users

  
  
Hi,

Recently I have been working with GPG and 2 smartcards (Yubikey).
Despite some information here and there on the internet, some things are
still not clear to me.

My setup has 1 master key with 6 subkeys, twice 3 keys for different
purposes (A,E,S). So each smartcard will receive 3 keys. It works fine
with Thunderbird and also with other tools: passwordstore (unix pass).

Here are some questions about particular situations:

1. In the passwordstore, I encrypted a few passwords, which are in fact
just GPG files that store the passwords. When I want to decrypt them
with the Yubikey, I receive the message: Please insert card with serial
number. But what if I don't have that smartcard2 at hand? And how do I
know that smartcard1 then really works, if it is never asked to insert
smartcard1? I found a way to encrypt with smartcard1 via the option: -r
! . Smartcard1 seems to work fine. But then
the question remains, suppose GPG asks for smartcard2 and smartcard2 is
stolen. I can only provide smartcard1 and GPG asks for smartcard2. What
to do?

2. Then some people suggest to use a different master key, but the goal
was that both smartcards back each other up, in case one is broken. So
that idea is not going to work, correct?

3. Also with different master keys, if I have sent a bunch of e-mails
with smartcard1 and smartcard2. When one of the smartcards is broken, I
will not be able to open those e-mails with the working smartcard?

4. Another approach is that I could for example have created just 3
subkeys (not 6) and copied all 3 to smartcard1 and again to smartcard2.
I thought that having those subkeys separately is ideal, especially in an
occasion where smartcard2 is stolen. Then I revoke the smartcard2 subkeys
and keep on using the smartcard1 until I have ordered a new backup
smartcard. Because some e-mails are sent encrypted (not so many), am I
sure then when I revoke the subkey of smartcard2 that all e-mail will
open with smartcard1?

5. What is at the end the best way to set up 2 smartcards that can be
used in encryption, signing and decryption? And additionally both
smartcards should work, I have 2 smartcards for redundancy.

On the internet there are many blogs etc, but they never deal with the
complete picture.

Thanks in advance for your help.

All the best!
 
  


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users


Re: Question about redundant smartcard setup

2022-08-19 Thread kho via Gnupg-users
Yes, will do that. And the full chain from start to finish with a test
key. Deal.

On 8/19/22 16:25, Andrew Gallagher wrote:
> On 19 Aug 2022, at 17:17, kho  wrote:
>>
>> Thanks for this fast, complete and clear answer.
>>
>> I am going to see if I can still pick up somewhere or just remove all I
>> did and start all over by following your steps.
>
> Just a note of caution: since it is quite an involved process I would
> recommend keeping it as simple as possible at first, and trying it out
> with a test key before doing it in production. So long as you have a
> (tested!) offline backup you should be safe.
>
> A
>



Re: Question about redundant smartcard setup

2022-08-19 Thread kho via Gnupg-users
Thanks for this fast, complete and clear answer.

I am going to see if I can still pick up somewhere or just remove all I
did and start all over by following your steps.

This is the confirmation I needed! Thanks!

On 8/19/22 15:25, Andrew Gallagher wrote:
> On 19 Aug 2022, at 13:48, kho via Gnupg-users  wrote:
>> 5. What is at the end the best way to set up 2 smartcards that can be
>> used in encryption, signing and decryption? And additionally both
>> smartcards should work, I have 2 smartcards for redundancy.
> If you want the two smartcards to be redundant copies of each other, then 
> they MUST contain exactly the same key material. It is possible to generate 
> multiple signing/authentication subkeys that will be treated the same for 
> practical purposes, since most software will try each valid sig/auth-capable 
> (sub)key in turn during verification. There is no equivalent ability for 
> encryption subkeys, as clients will encrypt to only the most recent valid 
> encryption subkey. If you lose/break the smartcard with the only copy of an 
> encryption subkey then there is no way to recover.
>
> You can save the same key material to multiple smartcards using the gnupg 
> command line interface:
>
> 1. Run gnupg and follow the usual process for generating (sub)keys, but 
> “save” to save and exit before transferring subkeys to the smartcard. This 
> ensures that you have a copy on disk before continuing.
>
> 2. Run gnupg again and copy the subkey(s) to the card, but afterwards you 
> should say “quit” to exit *without* saving (not “save”). That way the subkeys 
> will not be deleted from disk and you can use them again.
>
> 3. Repeat step 2 for the second (third, fourth,…) smartcard. Only choose 
> “save” to save-and-exit after copying to the last smartcard, however be aware 
> that “last” in this context really means “last”. No take-backs.
>
> If you have to generate a new subkey for whatever reason (say you had to 
> revoke the previous one) you must follow a similar save/quit sequence, 
> remembering the order “run, generate, save, run, copy, quit, run, copy, quit, 
> … run, copy, save”
>
> To keep open the possibility of provisioning extra cards in the future, you 
> could back up your entire .gnupg directory to a secure offline storage medium 
> (such as an encrypted thumb drive) after generating the keys but before 
> transferring to smartcard(s). Or you could perform the whole process of 
> generating and managing your keys using a secure live system such as Tails 
> with an encrypted persistent partition (remembering to “quit” after copying 
> even the last time so that there is always a copy on disk). If you do either 
> of these you only need one smartcard, so long as you don’t mind waiting for a 
> replacement smartcard to arrive in the post if your original breaks.
>
> On any given machine, gnupg will only ask for one smartcard. You should 
> therefore consider one smartcard your working copy and one your emergency 
> backup (if you have multiple machines, you could assign different primary 
> cards to each machine). To force gnupg to ask for the other smartcard, you 
> can delete the stub `.key` files under ~/.gnupg/private-keys-v1.d (on 
> Linux/Mac, I forget the Windows equivalent). To work out which files to 
> delete, incant `gpg -K --with-keygrip` and note the “Keygrip” lines under the 
> three subkeys. Delete the corresponding `.key` files only, then plug in the 
> replacement smartcard and incant `killall gpg-agent; gpg --card-status` 
> (again Linux/Mac only). gnupg should now recognise the replacement card as 
> the primary, and will ask consistently for that one until you repeat the 
> process.
>
> A
>
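
The card-switching step Andrew describes above, as an added shell example that is not part of the original thread: it reads the machine-readable form of the same listing (`gpg -K --with-keygrip --with-colons`), where field 15 of an `ssb` record holds the card serial number for a key that lives on a card, and selects only those subkeys' `.key` files. The function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Constructed `gpg -K --with-keygrip --with-colons` listing (all IDs made up):
# primary key on disk, S and E subkeys on a card, A subkey still on disk.
sample_listing() {
cat <<'EOF'
sec:u:4096:1:AAAAAAAAAAAAAAA1:1660900000:::u:::scESC:::+:::23::0:
grp:::::::::1111111111111111111111111111111111111111:
ssb:u:4096:1:BBBBBBBBBBBBBBB2:1660900000::::::s:::D2760001240103040006123456780000:::23:
fpr:::::::::000000000000000000000000BBBBBBBBBBBBBBB2:
grp:::::::::3333333333333333333333333333333333333333:
ssb:u:4096:1:CCCCCCCCCCCCCCC3:1660900000::::::e:::D2760001240103040006123456780000:::23:
grp:::::::::4444444444444444444444444444444444444444:
ssb:u:4096:1:DDDDDDDDDDDDDDD4:1660900000::::::a:::+:::23:
grp:::::::::5555555555555555555555555555555555555555:
EOF
}

# Print the stub path for every subkey whose field 15 is a card serial.
# "+" (secret key on disk) and "#" (no secret key) are skipped, so a real
# private key file is never selected.
card_stub_files() {   # $1 = GnuPG home directory; listing on stdin
    awk -F: -v dir="$1/private-keys-v1.d" '
        $1 == "sec" || $1 == "ssb" {
            on_card = ($1 == "ssb" && $15 ~ /^[0-9A-Fa-f]+$/); next
        }
        $1 == "grp" && on_card { print dir "/" $10 ".key"; on_card = 0 }'
}

# Second check on the file itself: card stubs are stored as a
# "shadowed-private-key" expression, full keys are not.
is_stub() { grep -q 'shadowed-private-key' "$1"; }

# Live procedure from the message (Linux/Mac): delete the stubs, restart the
# agent, let gpg learn the inserted card. Defined here, not run automatically.
switch_card() {
    home="${GNUPGHOME:-$HOME/.gnupg}"
    gpg -K --with-keygrip --with-colons | card_stub_files "$home" |
    while read -r f; do
        if is_stub "$f"; then rm -- "$f"; else echo "skip (not a stub): $f" >&2; fi
    done
    killall gpg-agent; gpg --card-status
}

# Dry run on the constructed listing: prints the two card-stub paths only.
sample_listing | card_stub_files "$HOME/.gnupg"
```

Both checks matter because the `.key` file of a subkey that was never moved to a card holds the private key itself, not a stub.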



Re: Question about redundant smartcard setup

2022-08-19 Thread kho via Gnupg-users
Of course, you are right. I could store it digitally on an encrypted disk
and even on paper. And like you say they are not really gone. Thanks for
the tip.

On 8/19/22 15:21, Werner Koch wrote:
> On Fri, 19 Aug 2022 14:48, kho said:
>
>> 4. Another approach is that I could for example have created just 3
>> subkeys (not 6) and copied all 3 to smartcard1 and again to smartcard2.
>> I thought that having those subkeys separately is ideal, especially in an
>> occasion where smartcard2 is stolen. Then I revoke the smartcard2 subkeys
> No need to.  Save a paper copy of the keys before you remove them from
> the disk.  If both cards are broken you can still type the keys in and
> create a new smartcard.  Exact procedures depend on your threat model.
>
>
> Salam-Shalom,
>
>Werner
>



Question about redundant smartcard setup

2022-08-19 Thread kho via Gnupg-users
Hi,

Recently I have been working with GPG and 2 smartcards (Yubikey).
Despite some information here and there on the internet, some things are
still not clear to me.

My setup has 1 master key with 6 subkeys, twice 3 keys for different
purposes (A,E,S). So each smartcard will receive 3 keys. It works fine
with Thunderbird and also with other tools: passwordstore (unix pass).

Here are some questions about particular situations:

1. In the passwordstore, I encrypted a few passwords, which are in fact
just GPG files that store the passwords. When I want to decrypt them
with the Yubikey, I receive the message: Please insert card with serial
number. But what if I don't have that smartcard2 at hand? And how do I
know that smartcard1 then really works, if it is never asked to insert
smartcard1? I found a way to encrypt with smartcard1 via the option: -r
! . Smartcard1 seems to work fine. But then
the question remains, suppose GPG asks for smartcard2 and smartcard2 is
stolen. I can only provide smartcard1 and GPG asks for smartcard2. What
to do?

2. Then some people suggest to use a different master key, but the goal
was that both smartcards back each other up, in case one is broken. So
that idea is not going to work, correct?

3. Also with different master keys, if I have sent a bunch of e-mails
with smartcard1 and smartcard2. When one of the smartcards is broken, I
will not be able to open those e-mails with the working smartcard?

4. Another approach is that I could for example have created just 3
subkeys (not 6) and copied all 3 to smartcard1 and again to smartcard2.
I thought that having those subkeys separately is ideal, especially in an
occasion where smartcard2 is stolen. Then I revoke the smartcard2 subkeys
and keep on using the smartcard1 until I have ordered a new backup
smartcard. Because some e-mails are sent encrypted (not so many), am I
sure then when I revoke the subkey of smartcard2 that all e-mail will
open with smartcard1?

5. What is at the end the best way to set up 2 smartcards that can be
used in encryption, signing and decryption? And additionally both
smartcards should work, I have 2 smartcards for redundancy.

On the internet there are many blogs etc, but they rarely deal with the
complete picture.

Thanks in advance for your help.

All the best!

