Re: GPG, subkeys smartcard and computer

[Andrew Gallagher]

On 21/02/17 15:23, Peter Lebbing wrote:
> On 21/02/17 16:19, Andrew Gallagher wrote:
>> And this is the main reason I started running my own keyserver - by
>> refreshing your monkeysphere-host keyring, you are leaking to the
>> keyserver which user credentials have login access to your system. :-)
> 
> But if an attacker can cut off your SSH servers from the keyserver, and
> your SSH servers fail open, meaning that they conclude the old data is
> still valid when it can't get new data, an attacker can keep using a
> compromised and revoked subkey without the server noticing the
> revocation in time.

Using your own keyserver(s) also helps with this, because you're not
relying on external internet connectivity to get your revocations. Now,
if your keyserver loses gossip with the pool you still may not get
revocations, but only if your users push them to the pool and not to
your keyserver, which is a question of defaults.

> It all depends on your threat model.

Absolutely! :-)

A



signature.asc
Description: OpenPGP digital signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: GPG, subkeys smartcard and computer

[Peter Lebbing]

On 21/02/17 16:19, Andrew Gallagher wrote:
> And this is the main reason I started running my own keyserver - by
> refreshing your monkeysphere-host keyring, you are leaking to the
> keyserver which user credentials have login access to your system. :-)

But if an attacker can cut off your SSH servers from the keyserver, and
your SSH servers fail open, meaning that they conclude the old data is
still valid when it can't get new data, an attacker can keep using a
compromised and revoked subkey without the server noticing the
revocation in time.

It all depends on your threat model.

My 2 cents,

Peter.

PS: Actually, on reflection, not /my/ 2 cents. I'm just repeating what
Kristian said earlier with some more words attached.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 



signature.asc
Description: OpenPGP digital signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: GPG, subkeys smartcard and computer

[Peter Lebbing]

On 21/02/17 15:58, Kristian Fiskerstrand wrote:
> Keep in mind, the keyring in the scope of monkeysphere is normally one
> keyblock :) But yeah, the crontab frequency will depend a bit on system.

Not for multi-user systems with many accounts; it would only be the case
for personal servers. Is a personal server really "normally" the place
monkeysphere is deployed?

Cheers,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 



signature.asc
Description: OpenPGP digital signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: GPG, subkeys smartcard and computer

[Andrew Gallagher]

On 21/02/17 15:17, Peter Lebbing wrote:
> On 21/02/17 15:58, Kristian Fiskerstrand wrote:
>> Keep in mind, the keyring in the scope of monkeysphere is normally one
>> keyblock :) But yeah, the crontab frequency will depend a bit on system.
> 
> Not for multi-user systems with many accounts; it would only be the case
> for personal servers. Is a personal server really "normally" the place
> monkeysphere is deployed?

And this is the main reason I started running my own keyserver - by
refreshing your monkeysphere-host keyring, you are leaking to the
keyserver which user credentials have login access to your system. :-)

Andrew.




signature.asc
Description: OpenPGP digital signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: GPG, subkeys smartcard and computer

[Kristian Fiskerstrand]

On 02/21/2017 03:15 PM, Peter Lebbing wrote:
> If Kristian Fiskerstrand says it's okay for SSH servers to refresh their
> keyring every 20 or 30 minutes from the public keyserver netowrk, then I
> guess it really is :-). I had estimated it as inappropriate.

Keep in mind, the keyring in the scope of monkeysphere is normally one
keyblock :) But yeah, the crontab frequency will depend a bit on system.

-- 

Kristian Fiskerstrand
Blog: https://blog.sumptuouscapital.com
Twitter: @krifisk

Public OpenPGP keyblock at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3

Qui audet vincit
Who dares wins



signature.asc
Description: OpenPGP digital signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: GPG, subkeys smartcard and computer

[Andrew Gallagher]

On 21 Feb 2017, at 13:37, Kristian Fiskerstrand 
 wrote:

>> On 02/21/2017 02:21 PM, Peter Lebbing wrote:
>> Revoking the old A key and creating a new one needs to happen on the
>> system you have the primary key on, so you need to subsequently roll out
> 
> Who said anything about creating a new one in this part of the process?

I did. In my original scenario, since you have to load up your primary key in 
order to revoke the compromised subkey, there's little extra effort involved in 
creating a new subkey while you're at it. (Yes, you could have prepared offline 
subkey revocations, but as you say this is very poorly supported and I wouldn't 
recommend it to anyone)

I'm not convinced having different A subkeys for each client device is useful. 
If one of your A subkeys gets compromised, all your servers are vulnerable 
until such point as your revocation gets pushed, and after which point any new 
subkeys will also have been pushed. So rolling A subkeys is an atomic operation 
on the server no matter what way you go about it or whether you have subkeys 
created in advance. On the other hand, if you have separate A subkeys for each 
*server*, then why not make life easy for yourself and just use separate 
primaries? 

Distributing revocations is the Achilles heel of every PKI. I don't know of any 
that has definitively solved it. 

A

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: GPG, subkeys smartcard and computer

[Peter Lebbing]

On 21/02/17 14:37, Kristian Fiskerstrand wrote:
> Who said anything about creating a new one in this part of the process?

Since I assumed you were siting behind a trusted machine with your
primary key installed when you revoke, it made no sense to me to just
revoke the key and not create a new one, as you are sitting there in
"gpg --edit-key" with your primary unlocked anyway.

But the rest of the mail makes clear this was not your assumption.

> (this step is actually the most tricky, as
> revocation certificates can't be generated for subkeys - so you need to
> have pre-generated versions of pubkey with it revoked created carefully
> manually beforehand).

Yes, I had kinda assumed that this was not the level of trickery we were
willing to go to when suggesting people to use multiple A subkeys. It's
not even a feature of GnuPG, it's just being clever.

>> certificate would have to be revoked. I don't see much extra effort in
>> rolling it out to the few other systems you use as a client as well.
> 
> not following, you don't have access to the primary key at this point
> (say you're travelling and the primary is on smartcard in a vault)

I did assume that you need the primary to do the revocations, as GnuPG
does not support revocation certificates for subkeys. So I assumed you
could only mitigate the compromise when seated behind your most trusted
system, or something to that effect.

> Whether need for "right now" depends on severity, the compromise is in
> most cases a lost device

I suppose we were working with different definitions of "compromise".
Yours makes more sense. Mine was too narrow.

> so a 20-30 min
> timeframe is likely sufficient in most cases anyways e.g from a regular
> crontab run of monkeysphere, this also should fit with most key
> propagation across network as using a single keyserver can create a SPOF
> and DoS the update

If Kristian Fiskerstrand says it's okay for SSH servers to refresh their
keyring every 20 or 30 minutes from the public keyserver netowrk, then I
guess it really is :-). I had estimated it as inappropriate.

Okay, you have convinced me. To deal with the pyhsical loss of a device
or the medium holding the private key, it makes sense to create an
OpenPGP auth-capable subkey per device. However, the revocation trickery
limits its user-friendliness in a big way.

Thanks for expanding my understanding of this area.

It's still not for me though. I often need to be able to grant access on
a per-client basis. I try to limit access to accounts to client devices
where I actually need it, to somewhat limit the consequences of a single
client machine being compromised. It's not a panacea, more of a defense
in depth thing.

Cheers,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 



signature.asc
Description: OpenPGP digital signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: GPG, subkeys smartcard and computer

[Kristian Fiskerstrand]

On 02/21/2017 02:21 PM, Peter Lebbing wrote:
> Revoking the old A key and creating a new one needs to happen on the
> system you have the primary key on, so you need to subsequently roll out

Who said anything about creating a new one in this part of the process?
each device has separate A subkeys already, you lost your device, you
revoke the A subkey for it (this step is actually the most tricky, as
revocation certificates can't be generated for subkeys - so you need to
have pre-generated versions of pubkey with it revoked created carefully
manually beforehand).

> the new A key to the compromised device. Obviously I assume the primary
> key was not available on the compromised device, because then the whole

obviously

> certificate would have to be revoked. I don't see much extra effort in
> rolling it out to the few other systems you use as a client as well.

not following, you don't have access to the primary key at this point
(say you're travelling and the primary is on smartcard in a vault)

> 
> Also, I think you need to have a way to notify servers that they need to
> get an updated certificate including the revoked old key *right* *now*.
> We're talking about a compromised A key! The attacker has full access to
> your login account for the time that the servers haven't checked for a

Whether need for "right now" depends on severity, the compromise is in
most cases a lost device, not an active attacker, so a 20-30 min
timeframe is likely sufficient in most cases anyways e.g from a regular
crontab run of monkeysphere, this also should fit with most key
propagation across network as using a single keyserver can create a SPOF
and DoS the update

> new key yet! Regular intervals just won't do. This looks to be the
> painful step in the process.

... it depends...

-- 

Kristian Fiskerstrand
Blog: https://blog.sumptuouscapital.com
Twitter: @krifisk

Public OpenPGP keyblock at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3

Qui audet vincit
Who dares wins



signature.asc
Description: OpenPGP digital signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: GPG, subkeys smartcard and computer

[Peter Lebbing]

On 20/02/17 22:51, Kristian Fiskerstrand wrote:
> Revocation of the specific subkey is automatically picked up by all
> systems due to automatic refresh of the public key on regular intervals,
> without losing access to the system from non-compromised devices.

Revoking the old A key and creating a new one needs to happen on the
system you have the primary key on, so you need to subsequently roll out
the new A key to the compromised device. Obviously I assume the primary
key was not available on the compromised device, because then the whole
certificate would have to be revoked. I don't see much extra effort in
rolling it out to the few other systems you use as a client as well.

Also, I think you need to have a way to notify servers that they need to
get an updated certificate including the revoked old key *right* *now*.
We're talking about a compromised A key! The attacker has full access to
your login account for the time that the servers haven't checked for a
new key yet! Regular intervals just won't do. This looks to be the
painful step in the process.

The exception might be a private keyserver that gets hammered by all the
SSH servers every 10 minutes to check whether any updated keys were
uploaded. I don't think it'd be kind to do that to a public keyserver.

I'm not saying an A key per device is bad. Or even that it is not as
good as one A key. I'm just saying that, given you need to transfer
private keys anyway I don't think there's a significant difference in
practice. You can't generate these new A subkeys on the client device
itself, because it will not have the primary key of the OpenPGP
certificate. This is where the difference with plain old OpenSSH private
keys pops up: those you just generate on the client device itself and
you never have to worry about exporting and importing private keys at
all. In addition, it means you can then say "I'd never login to this
server from this client, so it needs not be in the authorized_keys
file". This kind of discrimination that provides defence in depth is not
possible with A subkeys on an OpenPGP certificate that get automatically
picked up by the servers, since they will always accept all A subkeys on
the certificate. So you lose that etra possibility you had with plain
SSH keys per client device.

Cheers,

Peter.

PS: I realised that you can't even generate the A key on the previously
compromised system only after I'd written my previous mail. So the two
stepwise processes should have been:

With A per system:

1) Create new key
2) Roll out new key to compromised system
3) Roll out new key to all server systems
4) Revoke old key on all server systems

With just one A:

1) Create new key
2) Roll out new key to all client systems
3) Roll out new key to all server systems
4) Revoke old key on all server systems

However, since Kristian is placing it in the context of servers
automatically fetching keys, it could be:

With A per system:

1) Create new key, revoke old
2) Roll out new key to compromised system
3) Poke every server system that they need to refresh *now*

With just one A:

1) Create new key, revoke old
2) Roll out new key to all client systems
3) Poke every server system that they need to refresh *now*

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 



signature.asc
Description: OpenPGP digital signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: GPG, subkeys smartcard and computer

[Kristian Fiskerstrand]

On 02/20/2017 05:49 PM, Peter Lebbing wrote:
> So perhaps one key per device is superior, also for detecting which client
> system was compromised by looking at the SSH auth logs on the server 
> (supposing
> the attacker didn't gain root privileges and wiped his traces immediately). 
> But
> I think it's not a very significant difference, or did I miss a scenario?

Revocation of the specific subkey is automatically picked up by all
systems due to automatic refresh of the public key on regular intervals,
without losing access to the system from non-compromised devices.

-- 

Kristian Fiskerstrand
Blog: https://blog.sumptuouscapital.com
Twitter: @krifisk

Public OpenPGP keyblock at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3

Qui audet vincit
Who dares wins



signature.asc
Description: OpenPGP digital signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: GPG, subkeys smartcard and computer

[Peter Lebbing]

On 20/02/17 16:25, Kristian Fiskerstrand wrote:
> Wouldn't consider this accurate, the typical use case for multiple A
> subkeys is per-device usage, explicitly to avoid having to revoke all if
> one is compromised.

Well, if you use only one, "revoke all" is still "revoke one" ;). It's not the
revocation step that gets any bigger, it's just that you need to roll out the
new key to all your client systems instead of just the server systems.
Personally, the number of server systems I use is way larger than the number of
client systems. Over all, I don't think it's that much more work, given it's a
rare occurence anyway (I hope).

With A per system:

1) Create new key on compromised system
2) Roll out new key to all server systems
3) Revoke old key on all server systems

With just one A:

1) Create new key
2) Roll out new key to all client systems
3) Roll out new key to all server systems
4) Revoke old key on all server systems

Steps 3 and 4 are more work than step 2. I have login credentials for at least
11 systems off the top of my head, yet only 3 client devices I regularly use 
[1].

When all your server systems automatically pick up on OpenPGP auth subkeys from
a keyserver, or when you use OpenSSH's CA mechanism, steps 3) and 4) are pretty
much automatic, in which case indeed step 2) would dominate and one key per
device once again wins.

So perhaps one key per device is superior, also for detecting which client
system was compromised by looking at the SSH auth logs on the server (supposing
the attacker didn't gain root privileges and wiped his traces immediately). But
I think it's not a very significant difference, or did I miss a scenario?

My 2 cents,

Peter.

[1] However, I have four different auth keys on those clients, three on-disk,
one per system and one smartcard I only use on a single one of those systems. I
actually use one key per client, but note that I don't have multiple A-capable
OpenPGP subkeys. All my on-disk keys are just regular ol' OpenSSH keys, and I
think then one key per device is a much cleaner setup indeed.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 



signature.asc
Description: OpenPGP digital signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: GPG, subkeys smartcard and computer

[Personal (open)]

 

On 20.02.2017 15:25, Kristian Fiskerstrand wrote: 

> On 02/19/2017 01:45 PM, Andrew Gallagher wrote:
> 
>> And in the case of A and S, there next to no benefit - if one of your 
>> subkeys is lost you should revoke it immediately anyway
> 
> Wouldn't consider this accurate, the typical use case for multiple A
> subkeys is per-device usage, explicitly to avoid having to revoke all if
> one is compromised.
> 
> -- 
> 
> Kristian Fiskerstrand
> Blog: https://blog.sumptuouscapital.com [1]
> Twitter: @krifisk
> 
> Public OpenPGP keyblock at hkp://pool.sks-keyservers.net
> fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
> 
> Qui audet vincit
> Who dares wins
> 
> ___
> Gnupg-users mailing list
> Gnupg-users@gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users [2]

Another use-case would be using rsa and ecc ( ecc on the laptop/desktop
and rsa subs on the smartcard) 
sent via webmail, pardon lack of a gpg signature. 
-- 

Corey W Sheldon
ph: +1 (310).909.7672
0x8B4E89435A88E539 0x59276298D2264944

Freelance IT Consultant, Multi-Discipline Tutor
Fedora AmbaNA (linuxmodder)
Ameridea LLC Founder, President

Find me elsewhere:
https://gist.github.com/linux-modder/ac5dc6fa211315c633c9

"One must never underestimate the power of boredom...from which
creativity and laziness are borne, which can spark great works of chaos
and genius." --Anonymous

"Any man willing to retreat freedom for security is deserving of
neither." (Pp) -- Benjamin Franklin. 

This document, including attachments, is intended for the person or
company named and contains confidential and/or legally privileged
information. Unauthorized disclosure, copying or use of this information
may be unlawful and is prohibited. If you are not the intended
recipient, please destroy this message and notify the sender.
 

Links:
--
[1] https://blog.sumptuouscapital.com
[2] http://lists.gnupg.org/mailman/listinfo/gnupg-users
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: GPG, subkeys smartcard and computer

[Kristian Fiskerstrand]

On 02/19/2017 01:45 PM, Andrew Gallagher wrote:
> And in the case of A and S, there next to no benefit - if one of your
> subkeys is lost you should revoke it immediately anyway

Wouldn't consider this accurate, the typical use case for multiple A
subkeys is per-device usage, explicitly to avoid having to revoke all if
one is compromised.

-- 

Kristian Fiskerstrand
Blog: https://blog.sumptuouscapital.com
Twitter: @krifisk

Public OpenPGP keyblock at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3

Qui audet vincit
Who dares wins



signature.asc
Description: OpenPGP digital signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: GPG, subkeys smartcard and computer

[Stefano Tranquillini]

Hi,
Things are getting clearer now, the fact is: subkeys are not related and
basically only the last generated is used. I missunderstood this step.
I need a Auth subkey on the smartcard becuase I've setup the server to
access ssh only via a key. If I'm not at my pc I can't access the server,
and this may be a problem. However, with a smartcard I may overcome the
problem by using any pc.
Probably is the same as having a ssh key stored on a usb and use it when
I'm not on my laptop (and throw it away afterward, just in case). but this
is outside the gpg list ;)

On Mon, Feb 20, 2017 at 1:14 AM, MFPA <2014-667rhzu3dc-lists-groups@
riseup.net> wrote:

> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA512
>
> Hi
>
>
> On Sunday 19 February 2017 at 2:58:56 PM, in
> , Damien
> Goutte-Gattat wrote:-
>
>
> > Disclaimer: I am not advocating such a setup, that I
> > don't even actually use.
>
> I use that setup. Last I heard, message recipients who use
> Enigmail/Thunderbird only see the verification result of one of the
> signatures. Which one they see depends on the order of the two
> local-user lines in my gpg.conf file, so if I have them in the "wrong"
> order an Enigmail/Thunderbird user whose GnuPG is not version 2.1.x
> will not see report of a valid signature.
>
>
> - --
> Best regards
>
> MFPA  
>
> The trouble with words is that you never know whose mouths they've been in.
> -BEGIN PGP SIGNATURE-
>
> iL4EARYKAGYFAliqNQRfFIAALgAoaXNzdWVyLWZwckBub3RhdGlvbnMub3Bl
> bnBncC5maWZ0aGhvcnNlbWFuLm5ldDMzQUNFRDRFRTkxMzRFRUJERTZBODUwNjE3
> MTJCQzQ2MUFGNzc4RTQACgkQFxK8Rhr3eOQu3AEAhk6IddWOiFov15Ha5QhKe9C8
> Xh3WMI8mt2H4h0hdp5IA/jGhW01UYCHDhVG4ddY2fwjjsIekcxOyE+rUcmTwueMK
> iQF8BAEBCgBmBQJYqjUEXxSAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
> ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXRCM0FFN0VDQTlBOEM4QjMwMjZBNUEwRjU2
> QjdDNzRDRUIzMUYyNUYwAAoJEGt8dM6zHyXwbjYH/jUKUaX3GcfFcTpz3nsyuVqh
> VPwpd0WVu9Fd4s/Nbt8MOFn++mwR2J7wh3nv44QJgk5MJVFUkCpgIuavm+L8DxG1
> aQ14c0bBNw+IcTLhTF8q5fvWzPsluHex6YoNpzQLXSU3bJgMogm8IT+HCQAc7ee3
> pIwaFuxdW4H/p7E0OIDrJkQywcF7sXBSbr2aAtJZUWFUzeosfrxgVNE8q800elF3
> 8nPtlhNZJ8MGcbOohstocWEv1GCGwzT8RyEGmnGduYYG25hg33zz8mLn210E/nn0
> AOZIjUd8hyxBfLZLRjufbZAHkG+/EQVQcBbk0TBmuZ80dpXFLRZ9TXA4O6OqPIA=
> =FW0d
> -END PGP SIGNATURE-
>
>
> ___
> Gnupg-users mailing list
> Gnupg-users@gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users
>



-- 
Stefano
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: GPG, subkeys smartcard and computer

[MFPA]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Hi


On Sunday 19 February 2017 at 2:58:56 PM, in
, Damien
Goutte-Gattat wrote:-


> Disclaimer: I am not advocating such a setup, that I
> don't even actually use.

I use that setup. Last I heard, message recipients who use
Enigmail/Thunderbird only see the verification result of one of the
signatures. Which one they see depends on the order of the two
local-user lines in my gpg.conf file, so if I have them in the "wrong"
order an Enigmail/Thunderbird user whose GnuPG is not version 2.1.x
will not see report of a valid signature.


- --
Best regards

MFPA  

The trouble with words is that you never know whose mouths they've been in.
-BEGIN PGP SIGNATURE-

iL4EARYKAGYFAliqNQRfFIAALgAoaXNzdWVyLWZwckBub3RhdGlvbnMub3Bl
bnBncC5maWZ0aGhvcnNlbWFuLm5ldDMzQUNFRDRFRTkxMzRFRUJERTZBODUwNjE3
MTJCQzQ2MUFGNzc4RTQACgkQFxK8Rhr3eOQu3AEAhk6IddWOiFov15Ha5QhKe9C8
Xh3WMI8mt2H4h0hdp5IA/jGhW01UYCHDhVG4ddY2fwjjsIekcxOyE+rUcmTwueMK
iQF8BAEBCgBmBQJYqjUEXxSAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXRCM0FFN0VDQTlBOEM4QjMwMjZBNUEwRjU2
QjdDNzRDRUIzMUYyNUYwAAoJEGt8dM6zHyXwbjYH/jUKUaX3GcfFcTpz3nsyuVqh
VPwpd0WVu9Fd4s/Nbt8MOFn++mwR2J7wh3nv44QJgk5MJVFUkCpgIuavm+L8DxG1
aQ14c0bBNw+IcTLhTF8q5fvWzPsluHex6YoNpzQLXSU3bJgMogm8IT+HCQAc7ee3
pIwaFuxdW4H/p7E0OIDrJkQywcF7sXBSbr2aAtJZUWFUzeosfrxgVNE8q800elF3
8nPtlhNZJ8MGcbOohstocWEv1GCGwzT8RyEGmnGduYYG25hg33zz8mLn210E/nn0
AOZIjUd8hyxBfLZLRjufbZAHkG+/EQVQcBbk0TBmuZ80dpXFLRZ9TXA4O6OqPIA=
=FW0d
-END PGP SIGNATURE-


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: GPG, subkeys smartcard and computer

[Damien Goutte-Gattat]

On 02/19/2017 03:11 PM, Peter Lebbing wrote:

However, maybe someone has come across a reason to do it where it would
be worth the hassle. There certainly are people using multiple S subkeys.


Some time ago, I did some experiments with a RSA master key with two 
sets of subkeys: RSA subkeys and ECC-based subkeys (ECDSA for the 
signing subkey, ECDH for the encryption subkey).


The idea was to test whether such a setup could be used by someone 
wanting to use elliptic-curve cryptography, but at the same time not 
wanting to cut herself from people still using GnuPG 2.0.x (which has no 
support for ECC).


Let's say Alice and Bob both use GnuPG 2.1, but Charlie uses GnuPG 2.0. 
And Alice uses the setup described above, where the ECC-based subkeys 
were created *after* the RSA-based subkeys.


For encryption: When Bob wants to encrypt a message to Alice, his gpg 
program automatically selects the latest encryption subkey it can use, 
that is, the ECDH subkey. On the other hand, when Charlie wants to 
encrypt a message to Alice, his gpg program skips the unsupported ECDH 
subkey and automatically selects the remaining RSA subkey. So everything 
work, Alice and Bob can benefit from ECC support in GnuPG 2.1 while 
still allowing Charlie to use RSA.


For signing: Alice signs her messages with *both* her RSA subkey and her 
ECDSA subkey (using multiple --local-user options), allowing both Bob 
and Charlie to verify her messages even though Charlie is stuck with 
GnuPG 2.0 and RSA.


(Eventually, Charlie will upgrade to GnuPG 2.1, and Alice will then 
revoke her RSA subkeys.)


Disclaimer: I am not advocating such a setup, that I don't even actually 
use. I did those tests mostly out of curiosity (I stick to RSA keys even 
with GnuPG 2.1, so I have no need to worry about backward 
compatibility). But I guess it's a possible reason for wanting more than 
one set of subkeys.




signature.asc
Description: OpenPGP digital signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: GPG, subkeys smartcard and computer

[Peter Lebbing]

On 19/02/17 13:45, Andrew Gallagher wrote:
> In my personal experience, monkeysphere has correctly added all
> valid A subkeys.

Thanks for the clarification.

> But I have a niggling doubt that I once read complaints from somebody
> somewhere (not helpful, I know) that whatever system they were using
> had trouble with multiple valid A subkeys.

Only one way to get this knowledge to the surface: we obviously need to
advise everybody to generate multiple A subkeys so somebody will
complain it doesn't work! Just kidding :).

> And in the case of A and S, there next to no benefit

I agree. I can't think of a compelling reason to use multiple ones; all
things considered, the added hassle is the larger factor in every
scenario I could think of just now. If you can't duplicate your A or S
subkey when you want to, for instance because you have it on smartcard
only, it's just as easy to create a new key and overwrite the old one on
the smart card. Then you can just use your new subkey everywhere from
now on. Just watch out you do it in the right order with respect to A
keys: first roll out the new key on all systems you want to authenticate
to, and only then overwrite your old key on your smartcard :-).

However, maybe someone has come across a reason to do it where it would
be worth the hassle. There certainly are people using multiple S subkeys.

HTH,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 



signature.asc
Description: OpenPGP digital signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: GPG, subkeys smartcard and computer

[Andrew Gallagher]

> On 19 Feb 2017, at 11:19, Peter Lebbing  wrote:
> 
>> On 17/02/17 15:11, Andrew Gallagher wrote:
>> Some systems will only authenticate against the most recently created
>> A subkey.
> 
> I have no personal experience, but I think it's possible this relates to
> MonkeySphere handling the authorized keys on the server?

In my personal experience, monkeysphere has correctly added all valid A 
subkeys. But I have a niggling doubt that I once read complaints from somebody 
somewhere (not helpful, I know) that whatever system they were using had 
trouble with multiple valid A subkeys. 

The main reason I am wary of having multiple subkeys for the same usage is that 
it just adds more complexity to an already complex system. In the case of E, 
multiple subkeys cause utter chaos. And in the case of A and S, there next to 
no benefit - if one of your subkeys is lost you should revoke it immediately 
anyway, and you can generate a new subkey while you're at it. Having an extra 
subkey generated in advance only gives you a tiny window of extra utility. 

Andrew. 

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: GPG, subkeys smartcard and computer

[Peter Lebbing]

Hi Stefano,

On 19/02/17 09:41, Stefano Tranquillini wrote:
> I think I can have multiple A subkeys, not like E keys that only the
> last is used, and use them to ssh servers if all these subkeys are
> added to the server

It depends on how the authorized authentication keys are added to the
server. If you just manually put them in ~/.ssh/authorized_keys, sure,
no problem. But Andrew did just write:

On 17/02/17 15:11, Andrew Gallagher wrote:
> Some systems will only authenticate against the most recently created
> A subkey.

I have no personal experience, but I think it's possible this relates to
MonkeySphere handling the authorized keys on the server?

HTH,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 



signature.asc
Description: OpenPGP digital signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: GPG, subkeys smartcard and computer

[Andrew Gallagher]

> On 19 Feb 2017, at 08:41, Stefano Tranquillini 
>  wrote:
> 
> wait, If i've a subkey E (called E1) and I lose it (e.g. it was on the 
> smartcard). 
> Can't I create a new E (called E2) from my master and decrypt the data? Or  
> the data encrypted are decriptable only by the exact E (E1 in this case) that 
> was used to encrypt it?

You need the *exact* subkey. This is why I make such a big deal about backups! 
Subkeys are not "created from" the primary, but completely at random. If you 
create a new subkey it will be completely different from any previous ones. 
Attaching the subkey to a primary is just a statement saying "don't use the 
primary key, use this subkey instead". The keys are not mathematically related. 
This is a feature! ;-)

> ​Can't I export the subkeys to a file and backup that file​ and then move the 
> keys to the card? Will I be able to restore the keys if they get lost?

Easier to just back up the entire .gnupg directory. Why complicate the restore 
process?

A___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: GPG, subkeys smartcard and computer

[Stefano Tranquillini]

thanks,
Sorry for the double messages, I sent the first before subscribing to the
list and I tought it was not forwarded to the mailing list.

Briefly:
 - use tails to genereate master (default settings) and subkeys
 - export the public key and fingerprints
 - backup master to a cold storage
 - export the subkeys for later usage
 - move the subkeys into the laptop

I'll skip the smart card now, I'll only generate and add to it a A subkeys
for accessing ssh in case I'm away of the pc. I think I can have multiple A
subkeys, not like E keys that only the last is used, and use them to ssh
servers if all these subkeys are added to the server


Regarding the rest:

On Fri, Feb 17, 2017 at 3:11 PM, Andrew Gallagher 
wrote:

> ​... cut ...
>
> If you run "keytocard" and then save your changes, you will delete the
> on-disk copy of those subkeys. They will only then exist on the
> smartcard. I normally don't recommend this, as it means you have no way
> to back up your E subkey, and if your smartcard breaks you then lose
> access to all data encrypted to it. If you are keeping your master
> offline, there is IMO little extra risk in also keeping an offline
> copy of your E subkey. In order to do this, once you run "keytocard" on
> all three subkeys you should immediately quit gnupg *without saving*.
> This will ensure that the on-disk copy is not deleted.
>

​wait, If i've a subkey E (called E1) and I lose it (e.g. it was on the
smartcard).
Can't I create a new E (called E2) from my master and decrypt the data? Or
the data encrypted are decriptable only by the exact E (E1 in this case)
that was used to encrypt it?

​Can't I export the subkeys to a file and backup that file​ and then move
the keys to the card? Will I be able to restore the keys if they get lost?

​Sending you a sperarte email for the script (which seems the one you have
on the website)​

-- 
Stefano
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: GPG, subkeys smartcard and computer

[Andrew Gallagher]

Stefano,

I meant to reply last night, but didn't fancy writing this out on a
phone keyboard. No need to resend questions - this tends to be a
high-latency list for people in odd time zones, working from home, on
the move etc.

NB all the below is IMHO, YMMV etc. :-D

On 16/02/17 15:04, Stefano Tranquillini wrote:
> 
> I can't get my head around on how to use GPG in the "correct" way to
> guarantee the maximum result. That is: protect, at the best, my 
> privacy and also don't get the system too complicated.

Both of those are subjective criteria... ;-)

> My ideal setup is:
> 
> * Master generated on offline pc and stored in a cold storage * 
> subkeys for the pc (main pc, that I use everyday) - i need 
> (A)utenticate (E)encrypt (S)ign keys * subkeys for the smartcard - 
> if I use a pc of someone else, and as backup for what is worth. (In 
> the future I may switch to just the smartcard, removing the keys 
> from pc, but I would like to have the keys on the pc for time being)
> * I would like to avoid moving the master ouside the offline pc/cold
> storage

What you describe is a common scenario for those who want a little more
physical security than a standard online key. If you are not an
experienced gnupg user maybe you should try using the defaults for a
while until you are comfortable. If you make a mess of encryption you
run the risk of either a) losing access to your encrypted data or b)
leaving your encrypted data wide open. You can choose for yourself
which scenario is worse. ;-)

But if you know what you're doing, then:

Personally, if you have a smartcard I see no advantage in keeping the
subkeys on your laptop (so long as you have a backup). If you want to
take things one step at a time that's up to you - just understand that
keeping an online copy of your subkeys negates the security advantages
of having a smartcard, the point of which is that the key material
never gets stored in a format accessible by malware.

If you want to use your key on a friend's PC, just beware that if you
don't trust it enough to keep a copy of your actual key on, you may not
trust it enough to not alter your messages or keylog your PIN.
Compromising the key material is the sexy bit of cryptanalysis, but
it's usually much easier to work around security measures than break
through them.

> Create the master:
> 
> I should create the master on a device that is not my primary one 
> and that is not online. It seems kind of freak approach to me, but
> I can understand why. Once created, I backup it to a file which I 
> store on a usb key or somewhere outside of computers. With the 
> master I can create, later, subkeys for what I need and the revoke 
> certificate in case of compromised subkeys.  Other than the master 
> key, do I've to export anything else (not talking of subkeys yet, 
> that's next topic)?

Back up the entire .gnupg directory just to be sure. Technically, you
can make do with just a backup of the secret keyring, but it will make
your life a lot easier if you back up the public keyring and your
trustdb also.

> When creating the master, I've two possibility: (i) use the dafault
>  setting that results in a (SC) key or (ii) set it as only (C). The 
> best solution seems to be the second, right? 
> (http://security.stackexchange.com/questions/32386/why-do-pgp-master-keys-only-have-a-single-subkey-and-tie-certification-with-sig).
>
>
> 
Is it worth to use that approach or, as of today, the (i) is fine? I
> still don't get the full benefit of one or the other solution

The second is a "cleaner" solution, but makes no practical difference.
If you have S capability on your primary key but never use it, only
your subkey signatures will ever exist, and only the subkey will
therefore ever be checked. And if your primary is compromised you have
worse problems. ;-)

> Create the subkey
> 
> With the master key I can create subkeys. I should do it from the 
> offline pc in which I created the key, or import the master in a pc 
> and then create the subkeys (it doesn't sound so safe though). Now:

If you import your master to an online PC, you lose the advantages
of keeping it offline in the first place. See below.

> o  should each subkey be for only one scope (A) (S) (E) or is it 
> fine if one key does  two or three scopes (ASE) or (SE)?

If you are using a smartcard, it is normal practice to generate a
separate subkey for each usage. It is no harm, and has the advantage
that you can rotate them separately.

One thing that you should NEVER do is have E on a subkey that has any
other capability, as there are known methods of tricking a user into
decrypting data by getting them to sign a specially crafted plaintext.
This is difficult to achieve in PGP, but better to be safe than sorry.

> o once subkeys are creted I've to export them and also their revoke 
> certifications (do they have one)? correct?

You do not create a revocation for subkeys, only for the primary. If
you still have access to the primary you 

GPG, subkeys smartcard and computer

[Stefano Tranquillini]

Hi all,
I'm sort of new to GPG/PGP, I'm not new to the encryption/crypto world and
to computers, however, some concepts are yet not clear to me.

I can't get my head around on how to use GPG in the "correct" way to
guarantee the maximum result. That is: protect, at the best, my privacy and
also don't get the system too complicated.

The problems that I've are multiple, I'll try to summarize them here asking
for help. I've read the manual, but it's a bit outdated, and online I found
scattered information that does not always explain why some decision are
made.

My ideal setup is:

   - Master generated on offline pc and stored in a cold storage
   - subkeys for the pc (main pc, that I use everyday) - i need
   (A)utenticate (E)encrypt (S)ign keys
   - subkeys for the smartcard - if I use a pc of someone else, and as
   backup for what is worth. (In the future I may switch to just the
   smartcard, removing the keys from pc, but I would like to have the keys on
   the pc for time being)
   - I would like to avoid moving the master ouside the offline pc/cold
   storage

Create the master:

I should create the master on a device that is not my primary one and that
is not online. It seems kind of freak approach to me, but I can understand
why. Once created, I backup it to a file which I store on a usb key or
somewhere outside of computers. With the master I can create, later,
subkeys for what I need and the revoke certificate in case of compromised
subkeys.  Other than the master key, do I've to export anything else (not
talking of subkeys yet, that's next topic)?

When creating the master, I've two possibility: (i) use the dafault setting
that results in a (SC) key or (ii) set it as only (C). The best solution
seems to be the second, right? (http://security.stackexchange.com/questions/
32386/why-do-pgp-master-keys-only-have-a-single-subkey-and-
tie-certification-with-sig). Is it worth to use that approach or, as of
today, the (i) is fine? I still don't get the full benefit of one or the
other solution

Create the subkey

With the master key I can create subkeys. I should do it from the offline
pc in which I created the key, or import the master in a pc and then create
the subkeys (it doesn't sound so safe though). Now:

   -  should each subkey be for only one scope (A) (S) (E) or is it fine if
  one key does  two or three scopes (ASE) or (SE)?
  - once subkeys are creted I've to export them and also their revoke
  certifications (do they have one)? correct?
  - I've a smartcard, but I've also a pc, should I create 6 subkeys, 2
  for A, 2 for S and 2 for E and move the 3 A S E to the yubikey and the
  other 3 to the pc?.
  - moving the keys on the smartcard is done via "keytocard" but to
  move the keys on the pc I've to export subkeys, will this export also the
  keys on the smartcard and then I'll need the smartcard to access some of
  those? how can I decide what to import where?
  - Do I've to rexport my public key or anything else to let the world
  know my subkeys?
  - Do I've to export anything else to achieve my scenario's goal?

Am I missing anything? Or is there anything that can guide me to achieving
my goals?

PS: Sorry for the long questions, but I can't find online something that
explains my scenario. Solutions are for base cases or for smart-card only.
Well, probably there's a guide, but I can't find it out.

-- 
Stefano
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

GPG, subkeys smartcard and computer

[Stefano Tranquillini]

Hi all,
I'm sort of new to GPG/PGP, I'm not new to the encryption/crypto world and
to computers, however, some concepts are yet not clear to me.

I can't get my head around on how to use GPG in the "correct" way to
guarantee the maximum result. That is: protect, at the best, my privacy and
also don't get the system too complicated.

The problems that I've are multiple, I'll try to summarize them here asking
for help. I've read the manual, but it's a bit outdated, and online I found
scattered information that does not always explain why some decision are
made.

My ideal setup is:

   - Master generated on offline pc and stored in a cold storage
   - subkeys for the pc (main pc, that I use everyday) - i need
   (A)utenticate (E)encrypt (S)ign keys
   - subkeys for the smartcard - if I use a pc of someone else, and as
   backup for what is worth. (In the future I may switch to just the
   smartcard, removing the keys from pc, but I would like to have the keys on
   the pc for time being)
   - I would like to avoid moving the master ouside the offline pc/cold
   storage

Create the master:

I should create the master on a device that is not my primary one and that
is not online. It seems kind of freak approach to me, but I can understand
why. Once created, I backup it to a file which I store on a usb key or
somewhere outside of computers. With the master I can create, later,
subkeys for what I need and the revoke certificate in case of compromised
subkeys.  Other than the master key, do I've to export anything else (not
talking of subkeys yet, that's next topic)?

When creating the master, I've two possibility: (i) use the dafault setting
that results in a (SC) key or (ii) set it as only (C). The best solution
seems to be the second, right? (
http://security.stackexchange.com/questions/32386/why-do-pgp-master-keys-only-have-a-single-subkey-and-tie-certification-with-sig).
Is it worth to use that approach or, as of today, the (i) is fine? I still
don't get the full benefit of one or the other solution

Create the subkey

With the master key I can create subkeys. I should do it from the offline
pc in which I created the key, or import the master in a pc and then create
the subkeys (it doesn't sound so safe though). Now:

   -  should each subkey be for only one scope (A) (S) (E) or is it fine if
  one key does  two or three scopes (ASE) or (SE)?
  - once subkeys are creted I've to export them and also their revoke
  certifications (do they have one)? correct?
  - I've a smartcard, but I've also a pc, should I create 6 subkeys, 2
  for A, 2 for S and 2 for E and move the 3 A S E to the yubikey and the
  other 3 to the pc?.
  - moving the keys on the smartcard is done via "keytocard" but to
  move the keys on the pc I've to export subkeys, will this export also the
  keys on the smartcard and then I'll need the smartcard to access some of
  those? how can I decide what to import where?
  - Do I've to rexport my public key or anything else to let the world
  know my subkeys?
  - Do I've to export anything else to achieve my scenario's goal?

Am I missing anything? Or is there anything that can guide me to achieving
my goals?

PS: Sorry for the long questions, but I can't find online something that
explains my scenario. Solutions are for base cases or for smart-card only.
Well, probably there's a guide, but I can't find it out.

-- 
Stefano
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users