Werner Koch wrote:
> On Tue, 14 Nov 2023 20:52, Jacob Bachmeyer said:
>> succeed in either case.  If this condition is not met, Mallory will
>> eventually be able to forge a signature.  Therefore, smartcards do not
>> actually provide additional security in the typical PGP usage.

> In all environments you have the advantage that you don't need to
> re-deploy your public keys after a compromise of your signing box.
> Sure, there are signatures on software/data out there which are not
> legitimate but this is not different from the easier attack of modifying
> the software/data before doing the signature.

This can vary with policy; I consider the known existence of an illegitimate signature to require the revocation of the signing key.

The easier attack you mention requires the same condition as breaking GPG's built-in security or abusing the user's smartcard: Mallory must plant persistent malware on the device that would have an opportunity to modify the item to be signed before GPG reads it and builds the signature.

> Further, by inserting the smartcard only when required you limit the
> exposure time of the key and hinder attackers from doing a lot of
> illegitimate signatures or decryption.

Yes; that is the "physical isolation" I mentioned as a further layer of security.

> The OpenPGP cards feature a signature counter which can give you a hint
> on whether it was used by something else than you.  It is not a perfect
> solution but raises the hurdle for the attacker.  By using the smartcard
> on different machines you can even avoid malware which fakes the
> displaying of the signature counter.

The convenience of easily using multiple machines is one of the use cases for smartcards. While I do not believe that it further /increases/ security, using a smartcard if keys are used on multiple machines certainly /preserves/ security while increasing convenience.

On a related note, the easier attack you mention of modifying the item to be signed would evade checks of the signature counter, since only the authorized signing event occurred, but the item signed had been tampered with and was not the item the user intended to sign.

> From a policy POV having the key material securely locked away is also an
> advantage - even if the data can be decrypted/signed using a smartcard
> by malware.  The security of the key material and the ability to use the
> key material are different topics in a security policy.

Fair enough, although in my security model, the ability for an attacker to use the key material is the critical failure; insecurity of the key material implies that failure but the illegitimate use is the problem.


-- Jacob


_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users
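
The signature-counter check discussed in the message above, as an added example that is not part of the original thread and is not GnuPG project code. The function names and the ledger file are hypothetical, and the parser assumes the English "Signature counter" line printed by `gpg --card-status`.

```shell
#!/bin/sh
# Added example: compare an OpenPGP card's signature counter with the value
# recorded after your last own signature. Function names and the ledger file
# are hypothetical. Typical use, ideally from more than one machine:
#   LC_ALL=C gpg --card-status | check_counter "$HOME/sigcount.ledger"
#   (sign something, then)
#   LC_ALL=C gpg --card-status | record_counter "$HOME/sigcount.ledger"

# Print the counter from `gpg --card-status` text on stdin (English output).
sig_counter() {
    sed -n 's/^Signature counter[ .]*:[[:space:]]*\([0-9][0-9]*\).*$/\1/p' | head -n 1
}

# Store the card's current counter in the ledger.
record_counter() {
    value=$(sig_counter)
    [ -n "$value" ] || { echo "no signature counter found" >&2; return 2; }
    printf '%s\n' "$value" > "$1"
}

# 0 = counter matches ledger, 1 = mismatch, 2 = cannot decide.
check_counter() {
    ledger=$1
    current=$(sig_counter)
    [ -n "$current" ] || { echo "no signature counter found" >&2; return 2; }
    [ -r "$ledger" ] || { echo "no ledger at $ledger" >&2; return 2; }
    expected=$(cat "$ledger")
    case $expected in
        ''|*[!0-9]*) echo "ledger is not a number" >&2; return 2 ;;
    esac
    if [ "$current" -eq "$expected" ]; then
        echo "ok: counter still $current"
        return 0
    elif [ "$current" -gt "$expected" ]; then
        echo "ALERT: $((current - expected)) signature(s) not in ledger" >&2
    else
        echo "ALERT: counter $current is below recorded $expected" >&2
    fi
    return 1
}
```

As noted in the thread, a match only shows that no extra signing operations occurred; it says nothing about whether the item signed was the one intended.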