Re: What are some threats against which OpenPGP smartcards are useful?

2020-01-07 Thread Mike Gerwitz
On Tue, Jan 07, 2020 at 00:26:14 +0100, Christoph Groth wrote:
> Through an article [1] in LWN, I stumbled across a thread [2] on this
> list that dealt with the usefulness of smartcards for storing
> OpenPGP keys.

I don't have time to read what I already wrote in that thread, so I'm
sorry if I repeated myself here.

> I understand that OpenPGP smartcards do not protect from a compromise
> of the computer system that they are used with.  As Peter Lebbing puts
> it [3]:
>
>> You don't even have to decrypt the document they're interested in
>> yourself, and no external push button will save you. Just decrypt
>> a document twice, and the second time, the attacker can use your
>> smartcard for their own good while providing the session key they
>> logged the first time for your decryption.
>
> But then, what are threats against which smartcards *are* useful?

That's too coarse of a conclusion.

Let's say I decided to plug my Nitrokey into some adversary's computer,
willingly, and enter my PIN.  The attacker can make use of the card
while it's plugged in.  But operations using the card are very slow, and
I'll notice the light going on more than once.  I'll unplug it.  Attack
mitigated.  The only thing lost is whatever the attacker managed to do
within that time period---decrypt files, sign documents, SSH into remote
machines, etc.  (Don't get me wrong: all those are really bad.)

Then I go to a safe location and change my PIN.

Or maybe I'm punched out and my smartcard stolen.  I go home, revoke my
subkeys, and have to pay for a new smartcard.  And let some people know
that I was beat up and you shouldn't trust anything that was signed in
that time period.

But consider the alternative: if you weren't using a smartcard, and your
key were on disk, all of that still would have happened.  But in
addition, your private key has been compromised.  You now have to revoke
your entire key.  If you've built a web of trust, you have to start
again.

Smart cards _are_ useful even if your system is compromised, because they
still protect your key from offline use.  It gives me peace of mind
when it's capped and stored in a safe location.

If you just leave your smart card plugged into your computer 24/7 and
leave your computer on while you're sleeping, that's a problem.  It
won't protect you from bad practices.

You can get some of those benefits by e.g. using a laptop as a thin
client and forwarding the GPG agent to a remote box over SSH, and store
the private key on the laptop.  The risk is still higher than a
smartcard though.

It all depends on your threat model.

> I got a smartcard to ssh from computers that I trust reasonably but
> where I am not (the only) root to other (more trusted) machines that
> I control exclusively and that hold data that I would not store on the
> less-trusted machines.  From a fundamental point of view a smartcard
> does not provide any additional security here, but I have the
> impression that in practice it does, because gaining access to the
> remote machines becomes more difficult for an attacker (without
> a smartcard, installing a simple keylogger is enough).  This is the same
> kind of imperfect security we rely on in real life, for example with
> door locks.  Would you agree with me?

I use my Nitrokey for SSH as well.  Prior to having it, I would store an
SSH key to personal accounts on e.g. my work computer.  I cannot fully
trust that system.  But today I don't need to do that: I insert the
Nitrokey only when prompted by GPG, immediately remove it, and change my
PIN when I get home.  While there's still the risk that the card may be
used for other things by a malicious process, it's pretty well
mitigated.  I know how long the light on the smartcard should be on for
and watch it the entire time.  I never allow the card to be out of my
view when connected to a system.

Of course, there's also the risk that someone has physically tampered
with the smartcard to suppress the LED under certain
circumstances.  This isn't foolproof.  But it's better than SSH keys on
my work system.

-- 
Mike Gerwitz
Free Software Hacker+Activist | GNU Maintainer & Volunteer
GPG: D6E9 B930 028A 6C38 F43B  2388 FEF6 3574 5E6F 6D05
https://mikegerwitz.com


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: What are some threats against which OpenPGP smartcards are useful?

2020-01-07 Thread Mike Gerwitz
On Tue, Jan 07, 2020 at 14:09:50 +0100, Wiktor Kwapisiewicz via Gnupg-users 
wrote:
> Additionally smartcards require PINs and lock the card after several
> tries. This is not possible with keys on USB drives.

PINs can also be changed confidently.

The passphrase of the _copy_ of a key on disk can be changed, but you
can't necessarily be confident that it's the only copy.  It could have
been copied with or without your knowledge, by you or an adversary.

If you enter your passphrase somewhere and realize after the fact that
someone may have been standing over your shoulder, or there's a security
camera in the distance, an audio recording of your keypresses, or
_anything_ that reduces the keyspace of your passphrase, then an
attacker can brute force the rest offline forever using an old copy of
your key, and there's nothing you can do about it.

-- 
Mike Gerwitz
Free Software Hacker+Activist | GNU Maintainer & Volunteer
GPG: D6E9 B930 028A 6C38 F43B  2388 FEF6 3574 5E6F 6D05
https://mikegerwitz.com
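
The contrast drawn in the message above (a PIN that sits behind a card's retry counter versus an old copy of a key file that can be guessed at offline), as an added example that is not part of the original thread. The `Card` class, the three-try limit, the six-digit secret and the guess rate are all constructed assumptions for illustration.

```python
# Toy model (constructed values): a PIN behind a card's retry counter versus
# an old on-disk key copy whose passphrase can be guessed offline.

class Card:
    """Models only the retry counter: wrong guesses decrement it, 0 means locked."""
    def __init__(self, pin, retries=3):   # retries=3 is an assumed limit
        self._pin, self._max, self.remaining = pin, retries, retries

    def verify(self, guess):
        if self.remaining == 0:
            return False                   # locked: even the right PIN is refused
        if guess == self._pin:
            self.remaining = self._max     # success resets the counter
            return True
        self.remaining -= 1
        return False

def guess_on_card(card, candidates):
    """Return (succeeded, attempts) for guesses made through the card."""
    attempts = 0
    for guess in candidates:
        if card.remaining == 0:
            break
        attempts += 1
        if card.verify(guess):
            return True, attempts
    return False, attempts

def guess_offline(matches, candidates):
    """Return (succeeded, attempts); nothing counts or limits the guesses."""
    for attempts, guess in enumerate(candidates, 1):
        if matches(guess):
            return True, attempts
    return False, len(candidates)

def offline_worst_case_days(unknown_symbols, alphabet_size, guesses_per_second):
    """Days to exhaust the part of a secret the observer did not see."""
    return alphabet_size ** unknown_symbols / guesses_per_second / 86400

# Constructed scenario: an observer saw the first 4 symbols of a 6-digit secret.
SECRET = "271828"
CANDIDATES = ["2718" + f"{n:02d}" for n in range(100)]

if __name__ == "__main__":
    print("card:   ", guess_on_card(Card(SECRET), CANDIDATES))
    print("offline:", guess_offline(lambda g: g == SECRET, CANDIDATES))
    print("days:   ", offline_worst_case_days(6, 62, 10_000))
```

With the same partial observation, the card stops answering after three wrong guesses, while the offline copy yields as soon as the remaining candidates are walked through.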



Re: What are some threats against which OpenPGP smartcards are useful?

2020-01-07 Thread Robert J. Hansen

> Few of them will have a 128-bit secure passphrase like RJH. :-)


Dude, the lab I worked in *required* me to use 128-bit secure 
passphrases.  It was *awful*.  And a 180-day change policy.  But the 
good news is that once you prove to yourself you can do that, the idea 
of keeping a 128-bit passphrase on your certificate no longer seems so 
crazy.


To quote the movie _Men in Black_, "Give it a few months.  You'll get 
used to it, or you'll have a psychotic episode."





Re: What are some threats against which OpenPGP smartcards are useful?

2020-01-07 Thread Robert J. Hansen

On 2020-01-06 18:26, Christoph Groth wrote:

> Robert J. Hansen justifies [4] his use of a smartcard as follows:
>
>> Why don't I want to store the private key on multiple computers?
>> Because a good rule of thumb in a forensics lab is "store the minimum
>> personal data possible on your systems".
>
> But then he also mentions his 128-bit passphrase and that he would be OK
> to publish his (passphrase-protected) private key in a newspaper.  Why
> then not store it on the disks of multiple computers?


Hint: because the phrase "forensics lab" is extremely important in what 
I wrote.


I used to (don't any more) work in a forensics lab doing R&D into 
recovering data from memory, SSD, and spinning-platter media.  While I 
was doing this my colleagues were reverse-engineering malware.  Our 
network was airgapped from the rest of the network, but we were still 
paranoid about data getting out -- including information about our 
identities.  When you're doing reverse engineering on a botnet belonging 
to an organized crime syndicate, you really don't want the organized 
crime syndicate to discover your name.


I was also using OpenPGP to help move data into and out of our airgapped 
network.  When a CD came into our lab containing data to be loaded onto 
machines, we used OpenPGP to verify its provenance.  When we burned a CD 
containing data to be removed from the lab, we'd put a signature on it 
so the system administrators in the lab outside could be certain that a 
specific human being was taking responsibility for the contents of that 
CD.


Problem: I didn't want there to be any certificate stored on the lab 
machines... because any user ID that identified me would be personal 
information of the kind I didn't want to be stored.


Solution: use a smartcard.  A smartcard allowed me to make these 
signatures while leaving minimal forensic traces.


But, outside of that laboratory environment, I didn't -- still don't -- 
need to use a smartcard.  Usually I just keep the key on the hard drive 
of whatever machine I'm using.




Fwd: Re: What are some threats against which OpenPGP smartcards are useful? [ ref:_00D58dJQM._5004Iy476n:ref ]

2020-01-07 Thread Andrew Gallagher
Could one of the admins please twit this subscriber? Their autoreply has
been firing since November.

A
--- Begin Message ---
Dear Sirs,

We have received the information that you kindly sent us today, for which
we thank you very much.

We will analyze the case immediately and respond to your request as soon as
possible. As soon as possible, the Customer Support Service will contact
you.

However, if your contact relates to the need to update your company's data
in our database, please note that you can do so directly and without delay.

Indeed, business entities whose data are held in our database can consult,
add and modify online the information that concerns them; all that is needed
is a password giving exclusive access to a reserved area of our site.

We stress that this access for online updating is completely free and very
easy: simply go to www.informadb.pt and select, under Feed´Back, "To consult
or update a company's data directly in our database".

If you need further clarification about Feed’Back – Data Updating Service,
we are entirely at your disposal.

Yours sincerely,

Customer Support Service

(+351) 213 500 389 - Fax: (+351) 213 151 658
vipclien...@informadb.pt
www.informadb.pt


CONFIDENTIAL. This message is intended for the exclusive use of the named 
addressee(s) and it may contain private or confidential information. Any 
reading, retention, disclosure, copying, distribution or redirection is 
prohibited. If you are not the intended recipient, please notify us by e-mail 
and delete this message from your system without retaining a copy. The personal 
data included in this e-mail is or will be added to the contact list of INFORMA 
D&B, acting as data controller, to contact you whenever necessary. You have the 
right of access and the rights to rectification, to object and to erasure 
through the e-mail: protecaodeda...@informadb.pt
--- End Message ---



Re: What are some threats against which OpenPGP smartcards are useful?

2020-01-07 Thread Andrew Gallagher
On 07/01/2020 13:09, Wiktor Kwapisiewicz via Gnupg-users wrote:
> These two things are really useful when using the same token on multiple
> devices (e.g. I use the same card on my laptop and phone).

This is also a very good argument for smartcards - transferring a
private key between devices is error-prone and potentially catastrophic.
Yes, it can be done securely but for non-experts (and even experts!)
having a physical "key" is much more intuitive. How often have we heard
of people accidentally distributing their private key instead of their
public one? Few of them will have a 128-bit secure passphrase like RJH. :-)

-- 
Andrew Gallagher




Re: What are some threats against which OpenPGP smartcards are useful?

2020-01-07 Thread Wiktor Kwapisiewicz via Gnupg-users

Hi Christoph,

There is one feature of smartcards that's hard to reproduce otherwise: 
once you pull the smartcard out of the port the attacker can't use it. 
If they steal your private keys they can do as they please with them 
(until you revoke keys and users refresh your key... that can take some 
time). For example if they steal your private encryption subkey they'll 
be able to decrypt future communications with you. When you pull out the 
smartcard that's where the attack ends.


(One way or another someone having code execution privileges on your 
computer is bad.)


Additionally smartcards require PINs and lock the card after several 
tries. This is not possible with keys on USB drives.


These two things are really useful when using the same token on multiple 
devices (e.g. I use the same card on my laptop and phone).


Kind regards,
Wiktor

--
https://metacode.biz/@wiktor



What are some threats against which OpenPGP smartcards are useful?

2020-01-07 Thread Christoph Groth
Hello,

Through an article [1] in LWN, I stumbled across a thread [2] on this
list that dealt with the usefulness of smartcards for storing
OpenPGP keys.

I understand that OpenPGP smartcards do not protect from a compromise
of the computer system that they are used with.  As Peter Lebbing puts
it [3]:

> You don't even have to decrypt the document they're interested in
> yourself, and no external push button will save you. Just decrypt
> a document twice, and the second time, the attacker can use your
> smartcard for their own good while providing the session key they
> logged the first time for your decryption.

But then, what are threats against which smartcards *are* useful?

Robert J. Hansen justifies [4] his use of a smartcard as follows:

> Why don't I want to store the private key on multiple computers?
> Because a good rule of thumb in a forensics lab is "store the minimum
> personal data possible on your systems".

But then he also mentions his 128-bit passphrase and that he would be OK
to publish his (passphrase-protected) private key in a newspaper.  Why
then not store it on the disks of multiple computers?  Because the
decrypted private key could be stolen from RAM by an attacker?  But then
Robert also says that the computer being compromised is a game-over
condition anyway.

I got a smartcard to ssh from computers that I trust reasonably but
where I am not (the only) root to other (more trusted) machines that
I control exclusively and that hold data that I would not store on the
less-trusted machines.  From a fundamental point of view a smartcard
does not provide any additional security here, but I have the
impression that in practice it does, because gaining access to the
remote machines becomes more difficult for an attacker (without
a smartcard, installing a simple keylogger is enough).  This is the same
kind of imperfect security we rely on in real life, for example with
door locks.  Would you agree with me?

Thanks
Christoph

[1] https://lwn.net/Articles/734767/
[2] https://lists.gnupg.org/pipermail/gnupg-users/2017-April/057995.html
[3] https://lists.gnupg.org/pipermail/gnupg-users/2017-April/058136.html
[4] https://lists.gnupg.org/pipermail/gnupg-users/2017-April/058050.html

