Re: What are some threats against which OpenPGP smartcards are useful?
On Tue, Jan 07, 2020 at 00:26:14 +0100, Christoph Groth wrote:
> Through an article [1] in LWN, I stumbled across a thread [2] on this
> list that dealt with the usefulness of smartcards for storing
> OpenPGP keys.

I don't have time to read what I already wrote in that thread, so I'm sorry if I repeated myself here.

> I understand that OpenPGP smartcards do not protect from a compromise
> of the computer system that they are used with. As Peter Lebbing puts
> it [3]:
>
>> You don't even have to decrypt the document they're interested in
>> yourself, and no external push button will save you. Just decrypt
>> a document twice, and the second time, the attacker can use your
>> smartcard for their own good while providing the session key they
>> logged the first time for your decryption.
>
> But then, what are threats against which smartcards *are* useful?

That's too coarse of a conclusion.

Let's say I decided to plug my Nitrokey into some adversary's computer, willingly, and enter my PIN. The attacker can make use of the card while it's plugged in. But operations using the card are very slow, and I'll notice the light going on more than once. I'll unplug it. Attack mitigated. The only thing lost is whatever the attacker managed to do within that time period---decrypt files, sign documents, SSH into remote machines, etc. (Don't get me wrong: all those are really bad.) Then I go to a safe location and change my PIN.

Or maybe I'm punched out and my smartcard stolen. I go home, revoke my subkeys, and have to pay for a new smartcard. And let some people know that I was beat up and you shouldn't trust anything that was signed in that time period.

But consider the alternative: if you weren't using a smartcard, and your key were on disk, all of that still would have happened. But in addition, your private key has been compromised. You now have to revoke your entire key. If you've built a web of trust, you have to start again.

Smart cards _are_ useful even if your system is compromised, because it still protects your key from offline use. It gives me peace of mind when it's capped and stored in a safe location.

If you just leave your smart card plugged into your computer 24/7 and leave your computer on while you're sleeping, that's a problem. It won't protect you from bad practices.

You can get some of those benefits by e.g. using a laptop as a thin client and forwarding the GPG agent to a remote box over SSH, and store the private key on the laptop. The risk is still higher than a smartcard though. It all depends on your threat model.

> I got a smartcard to ssh from computers that I trust reasonably but
> where I am not (the only) root to other (more trusted) machines that
> I control exclusively and that hold data that I would not store on the
> less-trusted machines. From a fundamental point of view a smartcard
> does not provide any additional security here, but I have the
> impression that in practice it does, because gaining access to the
> remote machines becomes more difficult for an attacker (without
> a smartcard, installing a simple keylogger is enough). This is the same
> kind of imperfect security we rely on in real life, for example with
> door locks. Would you agree with me?

I use my Nitrokey for SSH as well. Prior to having it, I would store an SSH key to personal accounts on e.g. my work computer. I cannot fully trust that system. But today I don't need to do that: I insert the Nitrokey only when prompted by GPG, immediately remove it, and change my PIN when I get home.

While there's still the risk that the card may be used for other things by a malicious process, it's pretty well mitigated. I know how long the light on the smartcard should be on for and watch it the entire time. I never allow the card to be out of my view when connected to a system.

Of course, there's also the risk that someone has physically tampered with the smartcard to suppress the LED under certain circumstances. This isn't foolproof. But it's better than SSH keys on my work system.

-- 
Mike Gerwitz
Free Software Hacker+Activist | GNU Maintainer & Volunteer
GPG: D6E9 B930 028A 6C38 F43B 2388 FEF6 3574 5E6F 6D05
https://mikegerwitz.com

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: What are some threats against which OpenPGP smartcards are useful?
On Tue, Jan 07, 2020 at 14:09:50 +0100, Wiktor Kwapisiewicz via Gnupg-users wrote:
> Additionally smartcards require PINs and lock the card after several
> tries. This is not possible with keys on USB drives.

PINs can also be changed confidently.

The passphrase of the _copy_ of a key on disk can be changed, but you can't necessarily be confident that it's the only copy. It could have been copied with or without your knowledge, by you or an adversary.

If you enter your passphrase somewhere and realize after the fact that someone may have been standing over your shoulder, or there's a security camera in the distance, an audio recording of your keypresses, or _anything_ that reduces the keyspace of your passphrase, then an attacker can brute force the rest offline forever using an old copy of your key, and there's nothing you can do about it.

-- 
Mike Gerwitz
Free Software Hacker+Activist | GNU Maintainer & Volunteer
GPG: D6E9 B930 028A 6C38 F43B 2388 FEF6 3574 5E6F 6D05
https://mikegerwitz.com

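The contrast drawn in the two messages above (a card that locks after several wrong PINs and holds the only copy of its secret, versus a key file that can be copied and guessed offline), as an added example that is not part of the original thread. The classes, the three-try limit, the 6-digit PIN and all sample values are constructed assumptions, not GnuPG or card firmware code.

```python
import copy
import hmac

class ModelCard:
    """Constructed stand-in for a token: PIN never leaves it, retries are counted."""
    def __init__(self, pin, max_tries=3):          # 3 tries is an assumed setting
        self._pin, self.max_tries, self.tries_left = pin, max_tries, max_tries

    def verify(self, guess):
        if self.tries_left == 0:
            raise PermissionError("card locked")
        if hmac.compare_digest(guess.encode(), self._pin.encode()):
            self.tries_left = self.max_tries       # a correct PIN resets the counter
            return True
        self.tries_left -= 1
        return False

    def change_pin(self, old, new):
        if not self.verify(old):
            return False
        self._pin = new                            # single copy: the old PIN is now dead
        return True

class ModelKeyFile:
    """Constructed stand-in for a passphrase-protected key file: copyable, no counter."""
    def __init__(self, passphrase):
        self._passphrase = passphrase

    def unlock(self, guess):
        return hmac.compare_digest(guess.encode(), self._passphrase.encode())

    def change_passphrase(self, old, new):
        if not self.unlock(old):
            return False
        self._passphrase = new                     # affects this copy only
        return True

def old_secret_still_works():
    """Change the secret on both; report whether the OLD secret still opens anything."""
    card, key = ModelCard("482913"), ModelKeyFile("old phrase")
    earlier_copy = copy.deepcopy(key)              # backup, sync or theft: same effect
    card.change_pin("482913", "771204")
    key.change_passphrase("old phrase", "new phrase")
    return {"card": card.verify("482913"),
            "key_file": key.unlock("old phrase"),
            "earlier_copy": earlier_copy.unlock("old phrase")}

def card_guess_bound(pin_digits, max_tries=3):
    """Chance of guessing a random numeric PIN before the card locks."""
    return min(1.0, max_tries / 10 ** pin_digits)

def offline_expected_guesses(total_bits, leaked_bits):
    """Mean guesses against a copied key file once leaked_bits of the passphrase are known."""
    return 2 ** max(total_bits - leaked_bits - 1, 0)
```

The guess bound for the card is fixed by the counter, while the offline figure shrinks with every bit of the passphrase an observer learns and has no counter to stop it.
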
Re: What are some threats against which OpenPGP smartcards are useful?
> Few of them will have a 128-bit secure passphrase like RJH. :-)

Dude, the lab I worked in *required* me to use 128-bit secure passphrases. It was *awful*. And a 180-day change policy.

But the good news is that once you prove to yourself you can do that, the idea of keeping a 128-bit passphrase on your certificate no longer seems so crazy.

To quote the movie _Men in Black_, "Give it a few months. You'll get used to it, or you'll have a psychotic episode."

Re: What are some threats against which OpenPGP smartcards are useful?
On 2020-01-06 18:26, Christoph Groth wrote:
> Robert J. Hansen justifies [4] his use of a smartcard as follows:
>
>> Why don't I want to store the private key on multiple computers?
>> Because a good rule of thumb in a forensics lab is "store the minimum
>> personal data possible on your systems".
>
> But then he also mentions his 128-bit passphrase and that he would be OK
> to publish his (passphrase-protected) private key in a newspaper. Why
> then not store it on the disks of multiple computers?

Hint: because the phrase "forensics lab" is extremely important in what I wrote.

I used to (don't any more) work in a forensics lab doing R&D into recovering data from memory, SSD, and spinning-platter media. While I was doing this my colleagues were reverse-engineering malware. Our network was airgapped from the rest of the network, but we were still paranoid about data getting out -- including information about our identities. When you're doing reverse engineering on a botnet belonging to an organized crime syndicate, you really don't want the organized crime syndicate to discover your name.

I was also using OpenPGP to help move data into and out of our airgapped network. When a CD came into our lab containing data to be loaded onto machines, we used OpenPGP to verify its provenance. When we burned a CD containing data to be removed from the lab, we'd put a signature on it so the system administrators in the lab outside could be certain that a specific human being was taking responsibility for the contents of that CD.

Problem: I didn't want there to be any certificate stored on the lab machines... because any user ID that identified me would be personal information of the kind I didn't want to be stored.

Solution: use a smartcard. A smartcard allowed me to make these signatures while leaving minimal forensic traces.

But, outside of that laboratory environment, I didn't -- still don't -- need to use a smartcard. Usually I just keep the key on the hard drive of whatever machine I'm using.

Fwd: Re: What are some threats against which OpenPGP smartcards are useful? [ ref:_00D58dJQM._5004Iy476n:ref ]
Could one of the admins please twit this subscriber? Their autoreply has been firing since November.

A

Re: What are some threats against which OpenPGP smartcards are useful?
On 07/01/2020 13:09, Wiktor Kwapisiewicz via Gnupg-users wrote:
> These two things are really useful when using the same token on multiple
> devices (e.g. I use the same card on my laptop and phone).

This is also a very good argument for smartcards - transferring a private key between devices is error-prone and potentially catastrophic. Yes, it can be done securely but for non-experts (and even experts!) having a physical "key" is much more intuitive.

How often have we heard of people accidentally distributing their private key instead of their public one? Few of them will have a 128-bit secure passphrase like RJH. :-)

-- 
Andrew Gallagher

Re: What are some threats against which OpenPGP smartcards are useful?
Hi Christoph,

There is one feature of smartcards that's hard to reproduce otherwise: once you pull the smartcard out of the port the attacker can't use it.

If they steal your private keys they can do as they please with it (until you revoke keys and users refresh your key... that can take some time). For example if they steal your private encryption subkey they'll be able to decrypt future communications with you. When you pull out the smartcard that's where the attack ends.

(One way or another someone having code execution privileges on your computer is bad.)

Additionally smartcards require PINs and lock the card after several tries. This is not possible with keys on USB drives.

These two things are really useful when using the same token on multiple devices (e.g. I use the same card on my laptop and phone).

Kind regards,
Wiktor

-- 
https://metacode.biz/@wiktor

What are some threats against which OpenPGP smartcards are useful?
Hello,

Through an article [1] in LWN, I stumbled across a thread [2] on this list that dealt with the usefulness of smartcards for storing OpenPGP keys.

I understand that OpenPGP smartcards do not protect from a compromise of the computer system that they are used with. As Peter Lebbing puts it [3]:

> You don't even have to decrypt the document they're interested in
> yourself, and no external push button will save you. Just decrypt
> a document twice, and the second time, the attacker can use your
> smartcard for their own good while providing the session key they
> logged the first time for your decryption.

But then, what are threats against which smartcards *are* useful?

Robert J. Hansen justifies [4] his use of a smartcard as follows:

> Why don't I want to store the private key on multiple computers?
> Because a good rule of thumb in a forensics lab is "store the minimum
> personal data possible on your systems".

But then he also mentions his 128-bit passphrase and that he would be OK to publish his (passphrase-protected) private key in a newspaper. Why then not store it on the disks of multiple computers? Because the decrypted private key could be stolen from RAM by an attacker? But then Robert also says that the computer being compromised is a game-over condition anyway.

I got a smartcard to ssh from computers that I trust reasonably but where I am not (the only) root to other (more trusted) machines that I control exclusively and that hold data that I would not store on the less-trusted machines. From a fundamental point of view a smartcard does not provide any additional security here, but I have the impression that in practice it does, because gaining access to the remote machines becomes more difficult for an attacker (without a smartcard, installing a simple keylogger is enough). This is the same kind of imperfect security we rely on in real life, for example with door locks. Would you agree with me?

Thanks
Christoph

[1] https://lwn.net/Articles/734767/
[2] https://lists.gnupg.org/pipermail/gnupg-users/2017-April/057995.html
[3] https://lists.gnupg.org/pipermail/gnupg-users/2017-April/058136.html
[4] https://lists.gnupg.org/pipermail/gnupg-users/2017-April/058050.html