Re: More secure than smartcard or cryptostick against remote attacks?
On 08/02/13 03:12, Josef Schneider wrote:
> With GnuPG on the other hand someone who has access to my PC can sign
> whatever he likes and sign as much as he likes, as long as my card
> reader is attached

Just so you know, the OpenPGP card has a "forcesig" (force signature
PIN) flag which you can set so you have to enter the PIN for every
individual signature.

Unfortunately (IMHO), there's no such flag for decryption and
authentication, which can be done multiple times with one PIN entry.

Peter.

--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at http://digitalbrains.com/2012/openpgp-key-peter

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: More secure than smartcard or cryptostick against remote attacks?
On 2013-02-08 10:48, Peter Lebbing wrote:
> On 08/02/13 03:12, Josef Schneider wrote:
>> With GnuPG on the other hand someone who has access to my PC can sign
>> whatever he likes and sign as much as he likes, as long as my card
>> reader is attached
>
> Just so you know, the OpenPGP card has a "forcesig" (force signature
> PIN) flag which you can set so you have to enter the PIN for every
> individual signature.
>
> Unfortunately (IMHO), there's no such flag for decryption and
> authentication, which can be done multiple times with one PIN entry.

I'm no expert, but isn't that only useful if you have a card-reader with
pin-entry? If you use your compromised PC to enter your PIN, the malware
can just replay that PIN to the card.

Niels
Re: More secure than smartcard or cryptostick against remote attacks?
On 08/02/13 10:55, Niels Laukens wrote:
> I'm no expert, but isn't that only useful if you have a card-reader
> with pin-entry? If you use your compromised PC to enter your PIN, the
> malware can just replay that PIN to the card.

Yes, I agree. Not that I am an expert.

Peter.
Re: More secure than smartcard or cryptostick against remote attacks?
On 08-02-2013 6:48, Peter Lebbing wrote:
> On 08/02/13 03:12, Josef Schneider wrote:
>> With GnuPG on the other hand someone who has access to my PC can sign
>> whatever he likes and sign as much as he likes, as long as my card
>> reader is attached
>
> Just so you know, the OpenPGP card has a "forcesig" (force signature
> PIN) flag which you can set so you have to enter the PIN for every
> individual signature.
>
> Unfortunately (IMHO), there's no such flag for decryption and
> authentication, which can be done multiple times with one PIN entry.

Maybe it would be interesting to add a big "sign" button to the pad.
Probably you would not like to enter a PIN for each signature, but maybe
1 button to press for each signature (after the PIN has been entered for
the first one) would be interesting. Of course, that would probably
require modifying readers and cards, and maybe very few people would
want it.

Best Regards
Re: More secure than smartcard or cryptostick against remote attacks?
> *Even if your dongle works exactly as intended*, I can -- by
> simulating a hardware failure -- drive you into a fallback where you
> use a compromised machine.

It's a good attack. Thank you for sharing it. But to say it makes the
device bogus is a way too easy dismissal.

So if an attacker compromises the system and makes the user unable to
use the device on that system, they will react by stopping using the
device, but not by stopping using the PC? But at the same time you said
earlier:

> If you believe the PC is compromised, cut it out of your process
> completely.

I would agree with the latter. The strength of the device is that it
won't issue false signatures in the period that your PC *is*
compromised but you haven't discovered it yet!

If my crypto device suddenly stopped working, I'd investigate why and
possibly re-install the system if I can't find the culprit. Your case of
not using the smartcard isn't really completely comparable to me. You
feel the fault lies with Fedora. Re-installing from scratch doesn't fix
anything. If you thought it not unlikely that an attacker was
controlling your system and blocking the smartcard, I really doubt you'd
respond by putting your private key in your keyring on that system,
right?

> Under the most generous assumption possible about your dongle (it
> works perfectly and exactly as intended), your dongle still doesn't
> work. And that, to me, is the definition of bogus.

> If under the most generous assumptions possible something still
> doesn't work, then that thing is bogus. [1]

Nice rhetorics. In isolation, it sounds nice. In context, it is itself
bogus. I'd really appreciate it if we discuss the technical merits, and
not make a competition out of who can come up with the best rhetorics.
You will no doubt win. But this isn't about winning to me, it's about
academical exploration of a topic.

Your most generous assumptions are at first about your dongle. In the
next sentence, those same assumptions are suddenly generalised, making
the statement nice and catching. But as soon as we look at the bigger
picture, your assumptions aren't that generous. The most important
reason is that you took it as a fact that if an attacker compromised the
PC, the user would react by rewarding him with a copy of the private
key, exactly the opposite of your advice to cut the PC out of the
process. I really wouldn't call that the most generous assumptions
possible at all.

> Anyone who objects to this on the grounds of "well, that's a human
> exploit, not a technological one!" will get a cream pie thrown at them.

Unfortunately no cake for me, because human exploits are obviously very
real and need to be accounted for. This is a viable attack. It might
work. Because of user misjudgement. That does not make the device
useless. A properly cautious user should no longer trust the PC that is
not accepting the device when seemingly rather identical systems do
accept it. Caution is always required when working with cryptography you
rely on, there's nothing new there. This device doesn't magically make
all worries go away.

Peter.

[1] I split the quote to emphasize the last sentence
Re: More secure than smartcard or cryptostick against remote attacks?
On Thursday 07 of February 2013 14:14:44 Peter Lebbing wrote:
>> *Even if your dongle works exactly as intended*, I can -- by
>> simulating a hardware failure -- drive you into a fallback where you
>> use a compromised machine.
>
> It's a good attack. Thank you for sharing it. But to say it makes the
> device bogus is a way too easy dismissal.
>
> So if an attacker compromises the system and makes the user unable to
> use the device on that system, they will react by stopping using the
> device, but not by stopping using the PC? But at the same time you said
> earlier:
>
>> If you believe the PC is compromised, cut it out of your process
>> completely.
>
> I would agree with the latter. The strength of the device is that it
> won't issue false signatures in the period that your PC *is*
> compromised but you haven't discovered it yet!
>
> If my crypto device suddenly stopped working, I'd investigate why and
> possibly re-install the system if I can't find the culprit. Your case
> of not using the smartcard isn't really completely comparable to me.
> You feel the fault lies with Fedora. Re-installing from scratch doesn't
> fix anything. If you thought it not unlikely that an attacker was
> controlling your system and blocking the smartcard, I really doubt
> you'd respond by putting your private key in your keyring on that
> system, right?
>
>> Under the most generous assumption possible about your dongle (it
>> works perfectly and exactly as intended), your dongle still doesn't
>> work. And that, to me, is the definition of bogus.
>
>> If under the most generous assumptions possible something still
>> doesn't work, then that thing is bogus. [1]
>
> Nice rhetorics. In isolation, it sounds nice. In context, it is itself
> bogus. I'd really appreciate it if we discuss the technical merits, and
> not make a competition out of who can come up with the best rhetorics.
> You will no doubt win. But this isn't about winning to me, it's about
> academical exploration of a topic.
>
> Your most generous assumptions are at first about your dongle. In the
> next sentence, those same assumptions are suddenly generalised, making
> the statement nice and catching. But as soon as we look at the bigger
> picture, your assumptions aren't that generous. The most important
> reason is that you took it as a fact that if an attacker compromised
> the PC, the user would react by rewarding him with a copy of the
> private key, exactly the opposite of your advice to cut the PC out of
> the process. I really wouldn't call that the most generous assumptions
> possible at all.

In a world where software and hardware usually *has* bugs it's more
likely that the dongle stopped working because of bugs, not because I'm
under attack. Especially if we're talking about the usual use case, I
doubt even bigger companies that use GPG review all the patches and test
them individually, let alone individuals.

The usual response in this kind of situation is "let me do my damn work
already", not "hmm, interesting, let's diagnose the issue, other
projects be damned".

Honestly, I'd probably fall victim to such an attack, and IMNSHO I'm a
bit more knowledgeable about crypto and security than regular users of
GPG. I'm afraid that this kind of attack would be only unsuccessful
against GPG developers or developers close to the GPG project (basically
only the people that would have the means, knowledge and time to bisect
the issue).

Regards,
--
Hubert Kario
QBS - Quality Business Software
02-656 Warszawa, ul. Ksawerów 30/85
tel. +48 (22) 646-61-51, 646-74-24
www.qbs.com.pl
Re: More secure than smartcard or cryptostick against remote attacks?
On 02/07/2013 08:14 AM, Peter Lebbing wrote:
> So if an attacker compromises the system and makes the user unable to
> use the device on that system, they will react by stopping using the
> device, but not by stopping using the PC? But at the same time you said
> earlier...

Yes, I did. A good compromise is one that leaves the victim unaware the
machine has been compromised. If you-the-user see evidence that makes
you think you've lost control, the compromise author has failed.

(Note that this isn't true for a lot of malware nowadays, where the
hijacker literally doesn't care if you notice and instead trusts in your
inability to do anything about it: but that's not the kind of malware
we're talking about here, where we're assuming someone who has
compromised your system explicitly for purposes of hijacking your GnuPG
system.)

> If my crypto device suddenly stopped working, I'd investigate why and
> possibly re-install the system if I can't find the culprit.

Then I re-compromise your box and start over. I also plant a couple of
messages on message boards you frequent talking about how my dongle, of
the same model number as yours, doesn't work with my Linux distro, of
the same kind as yours, since a recent kernel upgrade. Since I have your
machine compromised I know what sources you check for these things, and
the dark side of crowdsourcing is how easy it is to give strategic
misinformation to people. At some point you're going to believe the
problem is the device doesn't work.

I might also deliver to you a high-priority message, something that
needs a signed response urgently, in order to give you another reason to
disregard the device "for just this once".

> If you thought it not unlikely that an attacker was controlling your
> system and blocking the smartcard, I really doubt you'd respond by
> putting your private key in your keyring on that system, right?

No, quite the opposite.

Vint Cerf estimated a few years ago that one in five desktop PCs was
rooted and the owners didn't know it. One in five. That's a really scary
number. Anyone on this list who thinks they couldn't possibly be part of
that one in five is living in a fantasy world. Any of us could be.

Now, I haven't seen evidence to suggest that my machine is compromised.
But that doesn't mean I have limitless confidence in my hardware. My
desktop PC is "trusted" hardware in the most classic definition of
trusted: I trust it because I have to, not because I believe it's
deserving of trust.

> But this isn't about winning to me, it's about academical exploration
> of a topic.

And that's the entire methodology I'd use to exploit your perfect
dongle. Those who view things only academically tend to fall down and go
boom when confronted with real-world attacks on the human side of the
system. Those who view things only as human interactions tend to fall
down and go boom when the math works against them. This is the sort of
thing that must be looked at from both directions simultaneously.

> The most important reason is that you took it as a fact that if an
> attacker compromised the PC, the user would react by rewarding him with
> a copy of the private key, exactly the opposite of your advice to cut
> the PC out of the process. I really wouldn't call that the most
> generous assumptions possible at all.

Sure. Because if I give you any clue that the machine is compromised,
I've failed to write a good compromise. I'm assuming for sake of
argument that I'm competent at skulduggery.

> A properly cautious user should no longer trust the PC that is not
> accepting the device when seemingly rather identical systems do accept
> it.

Which is why I would seed the forums you use with reports of these
devices not working.
Re: More secure than smartcard or cryptostick against remote attacks?
On 02/07/2013 09:26 AM, Hubert Kario wrote:
> Honestly, I'd probably fall victim to such an attack, and IMNSHO I'm a
> bit more knowledgeable about crypto and security than regular users of
> GPG.

Yes -- I'm a fair bit more knowledgeable about these things than most,
and as my story of the smartcard reader shows, I may have *already
fallen victim* to this sort of thing. (Or the reader could just be
buggy. Or maybe I'm trying to exploit someone using an SCM card reader
on a Fedora 18 box and I'm planting seeds to make them think their
system is buggy and their reader won't work, so go ahead and fall back
to cardless usage. Who knows? It could be any of those. I suspect it's
just buggy.)

Admittedly, in the case of a buggy-or-compromised smartcard reader the
attacker isn't looking to compromise the private key on the smartcard:
the attacker is trying to get me to fall back to my alternate keys
which are on my desktop. The principle still stands, though. Cards and
pinpads are great at protecting private keys from being exported off the
smartcard, but that's not the same as preventing exploits.
Re: More secure than smartcard or cryptostick against remote attacks?
On 07/02/13 15:26, Hubert Kario wrote:
> The usual response in this kind of situation is "let me do my damn work
> already", not "hmm, interesting, let's diagnose the issue, other
> projects be damned".
>
> Honestly, I'd probably fall victim to such an attack

Every decision is a weighing of how important things are to you. For
most people, it's a non-issue anyway. So yes, they will just get on with
their work and do the signature in software. But then this device was
probably also more of a gimmick to them. They bought it instead of a
simple OpenPGP card, but can't be bothered to do some investigation when
this not quite ordinary piece of cryptography equipment stops working? I
really think their keys and signatures must not be worth a lot to them
then.

I'm not talking about myself. I would buy the device as a gimmick,
actually. Or not at all. I feel perfectly fine with my OpenPGP cards.

By the way, you talk about bisecting code changes and such. I would just
grab one of my other PCs, or install a brand new one. In the end, yes,
an attacker could thwart all my attempts. This isn't any different than
for the products that are already here today, GnuPG itself, the OpenPGP
smartcards. The device where you see your plaintext before you sign it
is just an extension of the smartcard, not a panacea. The smartcard
prevents leakage of the key, as long as you use the smartcard. The
plaintext signature device prevents false signatures, as long as you use
the device.

Peter.
Re: More secure than smartcard or cryptostick against remote attacks?
This is silly. Yes, you can do social engineering. That's always
possible. And yes, the attacker will win against me if he wants badly
enough. I know that as well. These are all just generalities.

You seem to be implying that unless something is perfect, something is
bogus, and people should not bother. Well, the perfect is the enemy of
the good, and apart from that, you seem to call not just the OpenPGP
smartcard specifically but everything else as well bogus for being
exploitable when enough effort is put into it. Why do you even have
GnuPG if you feel that an attacker worth your time would have you in his
pocket?

Actually, you might want to rethink that whole Fedora thing, because I
think someone has gone through quite some effort for your private key.
He even pretended to be Werner Koch, and laughed himself silly when you
gave him a bloody account to the machine he already owned more than you
did. Better revoke now.

I'm out. You're a smart guy. If you feel those generalities add anything
to this discussion, I feel I'm completely done with it. I can't shake
the feeling you're not in this discussion for the same reason as I.

I just now read your other mail in this thread. In it you say:

> Cards and pinpads are great at protecting private keys from being
> exported off the smartcard, but that's not the same as preventing
> exploits.

I'm slightly confused. Because everything you object to the device I
have in mind is equally well deployed against the smartcard, yet the
smartcard apparently is not bogus. The smartcard prevents leakage of key
material, as long as you don't put your private key in your keyring as
soon as an attacker disables access to your smart card reader. The
plaintext signing device prevents false signatures, as long as you don't
put your private key in your keyring as soon as an attacker disables
access to the device. Yet only the latter is bogus, and you haven't made
clear where the difference then lies.

Whatever.
Re: More secure than smartcard or cryptostick against remote attacks?
On 06/02/13 11:37, Hauke Laging wrote:
>> That seems easy to me: Except for small amounts (secure device's
>> display capacity) of very simple data (plain text) [...]
>
> Seems to me to be enough to do what OP requested: signing e-mails
> he/she wrote.

Yes. It indeed seems easy to me that this won't work for binary data, I
left that implied.

> A solution that works for signing e-mails sounds like a viable
> solution. Just like the USB device the OP linked to only works for
> signing an electronic bank transfer.

Yes. Obviously you shouldn't use the same signing key for other duties
because those other duties open up different methods to get an e-mail
falsely signed.

> Still, not a deal breaker.

Yes. I'm not suggesting anybody build this solution. I'm arguing on the
technical merits, not the economical ones. Robert suggested it is
impossible or close to that. I don't see it that way, but maybe I'm
missing some interesting attack vector. And that would be interesting
to hear.

>> How are you going to do that with a PDF?
>
> I didn't ask for. You're not going to achieve that. The only
> possibility I see is that the secure device shows you the hash of the
> data to be signed.

I don't see how that would work. Or, put differently, how that would
work any better than transferring the file to a secured system. Because
I can't calculate the hash easily using pen and paper, I really need to
be seeing something other than the hash before I can be sure it's the
data I wanted to sign.

Even if hashes could be calculated by pen and paper, it seems like it's
an unworkable solution. You would also need to be able to interpret all
the binary data you're calculating the hash over, or else you still
don't know what you're signing. The PDF could contain a vector image
that renders to text saying "I owe you € 1000". I would need to be able
to create that vector image in my head before I can interpret the binary
data that represents it. This just gets more insane the more you think
about it.

But it is really /way/ out of the scope of signing your e-mails.

Peter.
Re: More secure than smartcard or cryptostick against remote attacks?
> On Wed 06.02.2013, 10:28:13, Peter Lebbing wrote:
>> Can you explain (broadly) how one would compromise the signature/the
>> device that you sign with?
>
> That seems easy to me: Except for small amounts (secure device's
> display capacity) of very simple data (plain text) you have the
> problem that the PC which you need to create (and view) the data to be
> signed sends a blob to the secure device which is opaque to you. The
> problem is not to forge a signature but the difficulty to force that
> only data with checked integrity gets signed. How are you going to do
> that with a PDF?

Text only is all I need.
Re: More secure than smartcard or cryptostick against remote attacks?
> On 02/05/2013 01:04 PM, Peter Lebbing wrote:
>> While I agree with the broad sentiment, I'm not so sure a certain
>> amount of damage control is impossible with what he/she proposes. If
>> you have a device with small attack surface[1] that shows you the
>> plaintext you're about to sign before signing it *with that device*,
>> you can at least prevent making bogus signatures. That still means
>> you're in trouble when your PC is under control of an attacker, but
>> you can't be coerced to issue false signatures. That's certainly
>> something.
>
> If you don't trust the PC that GnuPG is running on, don't run GnuPG on
> that system. (Or anything else that requires trust, for that matter.)

I have no reason to believe my system is compromised. Taking security
very seriously. Otherwise I wouldn't bother posting here. :)

That sounds like an oxymoron. How can I be REALLY sure my system isn't
compromised? Mail clients and browsers are major attack surface and a
device exposed to internet can not be as secure as a small single
purposed device.

> It makes no sense to me to believe that it's somehow possible to have
> a dongle that you can plug into a compromised PC to make it safe (or
> safer) to sign with.

I think if designed right it works. This implies the compromised machine
can not attack the text reading and gpg signing device.

> If you believe the PC is compromised, cut it out of your process
> completely. There is no other realistic option here that I can see.
Re: More secure than smartcard or cryptostick against remote attacks?
> On 06/02/13 11:37, Hauke Laging wrote:
>> The device proposed by OP/by me seeks security in being restricted and
>> simple.
>
> And also takes a whole lot less of effort to use ;).

Yes.

> But let's stick to the e-mail signing in this thread, or the discussion
> will get very unfocused and hard to follow. If you want to continue
> anyway, could you please change the Subject: line?

Yes.
Re: More secure than smartcard or cryptostick against remote attacks?
> On 05/02/13 04:15, Robert J. Hansen wrote:
>> No. There are none, nor will there be. You absolutely must retain
>> control of the processing hardware GnuPG runs upon. If you don't have
>> that control, there is literally no device -- hardware or software --
>> that can help you.
>
> While I agree with the broad sentiment, I'm not so sure a certain
> amount of damage control is impossible with what he/she proposes. If
> you have a device with small attack surface[1] that shows you the
> plaintext you're about to sign before signing it *with that device*,
> you can at least prevent making bogus signatures. That still means
> you're in trouble when your PC is under control of an attacker, but
> you can't be coerced to issue false signatures. That's certainly
> something.
>
> Obviously I'm assuming the private key is not on the compromised PC.
> I'm assuming a whole lot more that I'll leave implied. I'm just saying
> it doesn't sound open-and-shut end of the game to me when the PC is
> compromised.
>
>> This doesn't make sense to me. You don't trust your PC running GnuPG,
>> so you want to verify your mail on a PC running GnuPG, just one that
>> happens to be 'trusted'?
>
> First of all, I think he/she meant "verify that the text I'm about to
> sign is what I intended to sign", whereas you are probably thinking of
> verifying a cryptographic signature. And a dedicated, limited,
> well-designed single-purpose device is more trustworthy than an
> Internet-connected general-purpose PC under the right circumstances.
>
>> (Also, you seem to be using the word 'trusted' in a way opposite from
>> its real meaning.
>
> From the context it's perfectly obvious what he/she meant and makes
> sense in general English. Why argue semantics here?
>
> Just my 2 cents,
>
> Peter.
>
> [1] Read: not too much program code, well-defined limited
> communication interfaces. I'd prefer a serial port :). Certainly not a
> USB device, though it could contain a USB-to-serial chip, obviously.

Exactly what I wanted to ask and what I think. Couldn't write better.
Thanks!
Re: More secure than smartcard or cryptostick against remote attacks?
> On 06/02/13 02:49, Robert J. Hansen wrote:
>> It makes no sense to me to believe that it's somehow possible to have
>> a dongle that you can plug into a compromised PC to make it safe (or
>> safer) to sign with.
>
> Can you explain (broadly) how one would compromise the signature/the
> device that you sign with?
>
> I myself always say if you don't control your own PC, it's over. I
> don't see however how that compromised PC in this instance can force
> me to do false signatures, which is the context I'm placing it in.
> You're still majorly screwed, obviously. An attacker will easily come
> up with some other nasty thing to do to you. Just not issuing false
> signatures.
>
> Peter.

Can't say better than that.
Re: More secure than smartcard or cryptostick against remote attacks?
On Thu, Feb 07, 2013 at 10:03:30AM -, refresh...@tormail.org wrote:
> I have no reason to believe my system is compromised. Taking security
> very seriously. Otherwise I wouldn't bother posting here. :)
>
> That sounds like an oxymoron. How can I be REALLY sure my system isn't
> compromised? Mail clients and browsers are major attack surface and a
> device exposed to internet can not be as secure as a small single
> purposed device.
>
>> It makes no sense to me to believe that it's somehow possible to have
>> a dongle that you can plug into a compromised PC to make it safe (or
>> safer) to sign with.
>
> I think if designed right it works. This implies the compromised
> machine can not attack the text reading and gpg signing device.

If designed right, your machine won't be compromised. But this is
obviously a very hard problem.

If your signing device interprets mail, doesn't it become part of this
major attack surface? And if it only interprets ASCII, how does it
differentiate between signing ASCII and signing Unicode, possibly
including RLO chars?

I'm not sure that such a signing device can be designed simple enough to
be immune to advanced attacks and still be useful.
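The ASCII-versus-Unicode question raised above is exactly the gate a minimal "display what you sign" device has to enforce: it may only hand the card a digest of bytes it has shown verbatim, so anything its display cannot render faithfully is refused. The following is an added example, not code from this thread, from GnuPG or from any device discussed here; the two policy functions, the bidi-control table and the sample messages are constructed for illustration.

```python
"""Display-what-you-sign gate for a single-purpose signing device.

Two policies are shown: an ASCII-only device that does not need to
understand Unicode at all (a UTF-8 encoded RLO fails simply because its
bytes are not ASCII), and a UTF-8 device that decodes strictly and then
refuses bidirectional overrides and other invisible format/control
characters. Only bytes that pass the policy are hashed for the card.
"""
import hashlib
import unicodedata
from typing import Callable, Optional, Tuple

# Printable ASCII plus the two whitespace controls a text display can show.
ALLOWED_ASCII = set(range(0x20, 0x7F)) | {0x09, 0x0A}

# Unicode bidirectional controls (marks, embeddings, overrides, isolates).
# Any of these lets rendered text read differently from its byte order.
BIDI_CONTROLS = {
    "\u200e", "\u200f",                                 # LRM, RLM
    "\u202a", "\u202b", "\u202c", "\u202d", "\u202e",   # LRE RLE PDF LRO RLO
    "\u2066", "\u2067", "\u2068", "\u2069",             # LRI RLI FSI PDI
}


def check_ascii_only(data: bytes) -> Tuple[bool, str]:
    """Policy for an ASCII-only device: every byte must be displayable."""
    for i, b in enumerate(data):
        if b not in ALLOWED_ASCII:
            return False, f"byte 0x{b:02x} at offset {i} is not displayable ASCII"
    return True, "ok"


def check_utf8_text(data: bytes) -> Tuple[bool, str]:
    """Policy for a UTF-8 device: strict decode, then refuse bidi controls
    and every character the display would not show as a visible glyph."""
    try:
        text = data.decode("utf-8", errors="strict")
    except UnicodeDecodeError as e:
        return False, f"not valid UTF-8: {e.reason} at offset {e.start}"
    for i, ch in enumerate(text):
        if ch in BIDI_CONTROLS:
            return False, f"bidi control U+{ord(ch):04X} at char {i}"
        if ch in ("\t", "\n"):
            continue
        # Cc/Cf/Cs/Co/Cn: control, format, surrogate, private use, unassigned.
        if unicodedata.category(ch) in ("Cc", "Cf", "Cs", "Co", "Cn"):
            return False, f"non-printable U+{ord(ch):04X} at char {i}"
    return True, "ok"


def digest_for_signing(
    data: bytes,
    policy: Callable[[bytes], Tuple[bool, str]] = check_ascii_only,
) -> Optional[bytes]:
    """Return the SHA-256 digest to hand to the card only if the exact bytes
    that were displayed pass the policy; None means the device refuses."""
    ok, _reason = policy(data)
    if not ok:
        return None
    return hashlib.sha256(data).digest()


# Constructed samples (not from the thread).
PLAIN = b"Please transfer 100 EUR to account X.\n"
# Same text with a UTF-8 encoded RIGHT-TO-LEFT OVERRIDE (E2 80 AE) inserted;
# a naive renderer would show the following characters reversed.
WITH_RLO = b"Please transfer \xe2\x80\xae001 EUR to account X.\n"
# An ANSI erase-line escape that a terminal-style display would act on.
WITH_ESC = b"Please transfer 100 EUR\x1b[2K to account X.\n"

if __name__ == "__main__":
    for label, sample in (("plain", PLAIN), ("rlo", WITH_RLO), ("esc", WITH_ESC)):
        print(label, check_ascii_only(sample), check_utf8_text(sample))
        d = digest_for_signing(sample)
        print("  digest:", d.hex() if d else "refused")
```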
Re: More secure than smartcard or cryptostick against remote attacks?
On 02/07/2013 02:31 PM, Peter Lebbing wrote:
> You seem to be implying that unless something is perfect, something is
> bogus, and people should not bother.

No. I am arguing that if you do not/cannot trust the machine you're
running GnuPG on, *there is no dongle you can add to your system to
restore your trust in that machine*.

You want a system in which, even if GnuPG is compromised, you can't be
tricked into signing something other than what you intend to sign --
where, even if GnuPG is compromised, you can trust the signatures you
make. Good luck. It can't be done. You need to be able to trust your
hardware. If you don't, then no matter what dongle you use, the door is
open for an enterprising malcontent to exploit you in any of hundreds of
ways.

> Why do you even have GnuPG if you feel that an attacker worth your time
> would have you in his pocket?

Because I trust my hardware. If you can trust your hardware, then there's
a lot of stuff you can do. If you can't trust your hardware, then the
only thing you should be doing is figuring out a way to restore that
trust.

> Actually, you might want to rethink that whole Fedora thing, because I
> think someone has gone through quite some effort for your private key.
> He even pretended to be Werner Koch, and laughed himself silly when you
> gave him a bloody account to the machine he already owned more than you
> did.

Sure. That's theoretically possible. I don't believe it to be true,
though. My machine is trusted not because I'm certain that it's immune
to being pwn3d, but because I acknowledge that it can break my local
security policy and I'm willing to accept what I perceive as the risks.

If you don't trust your hardware, then that means you're not willing to
accept the risks you perceive. And that's a really big problem. If
you're not willing to accept the risks you perceive as associated with
your hardware, then why are you using your hardware?

> I'm slightly confused. Because everything you object to the device I
> have in mind is equally well deployed against the smartcard, yet the
> smartcard apparently is not bogus.

The smartcard solves a completely different problem than what you're
talking about. This is why there's a differential answer.
Re: More secure than smartcard or cryptostick against remote attacks?
On Fri, Feb 8, 2013 at 1:17 AM, Robert J. Hansen r...@sixdemonbag.org wrote:
> Sure. That's theoretically possible. I don't believe it to be true, though. My machine is trusted not because I'm certain that it's immune to being pwn3d, but because I acknowledge that it can break my local security policy and I'm willing to accept what I perceive as the risks.
>
> If you don't trust your hardware, then that means you're not willing to accept the risks you perceive. And that's a really big problem. If you're not willing to accept the risks you perceive as associated with your hardware, then why are you using your hardware?

Of course you can trust hardware created for the sole purpose of signing clear text after displaying it more than a general purpose PC that has a lot of software on it that has absolutely nothing to do with security and regularly connects to a very insecure network (the Internet). You argue that there is only one level of trust for all hardware someone owns and either you trust all of it or none, and that is just not true!

Why do you think banks use smart card readers with their own display/keyboard and serial connection, or TAN generators using flicker codes? They do this because on the average PC there is a lot of software, a lot of it closed source, which the bank cannot control and neither can the owner. I can write some virus a user has to install himself (and we all know a lot will!) which sends signed mails to someone using GnuPG installed on the PC, even if using a smart card, in probably less than a day! Writing a modified firmware that shows wrong amounts/account IDs for my Class 3 card reader and finding a way to install it (updates are cryptographically checked) is much, much harder. I have no idea how long that would take or if I would ever succeed. I assume for TAN generators which get the transaction data using flicker codes it will be even harder!

So even if I get someone to install my malware on his PC, his online banking will stay relatively safe.

I have a smart card that has digital certificates on it which can be used to sign documents that are legally binding in my country. I use that card with a reader with its own PIN pad. Of course someone can hijack my PC and fake the data I want to sign. There are just a few problems:

• He can only sign something whenever I want to sign something, else I won't input my PIN
• I expect something to have a valid signature after that, so either he hopes I don't check this signature, or he fakes all the ways I can check that, which is very hard.

With GnuPG on the other hand someone who has access to my PC can sign whatever he likes and sign as much as he likes, as long as my card reader is attached (which is, to be honest, quite long sometimes). If I didn't have a smart card he could even copy my key and then sign and decrypt whatever he likes, where- and whenever he likes!

So given the fact that I maybe sign an average of three documents a day, in case one an attacker could sign up to three documents a day, but I would notice that very quickly because one of the recipients would call me telling me the signature is invalid or I sent him some things he didn't expect (except if the attacker waits for exactly THE one document he wants to forge, has the right programming logic to detect and change it accordingly, etc.). With GnuPG in its current state he could sign millions of documents without me even noticing. I see a difference there!

There is a risk to die when bungee jumping. There is a risk to die when jumping naked from a bridge without a bungee rope. This doesn't mean I tell every bungee jumper to jump naked from bridges, because he could die with a bungee rope too! I don't do this because the odds to die are very different!
Re: More secure than smartcard or cryptostick against remote attacks?
On 06-02-2013 19:51, Robert J. Hansen wrote:
> On 2/6/13 4:28 AM, Peter Lebbing wrote:
>> Can you explain (broadly) how one would compromise the signature/the device that you sign with?
>
> Happily! I have an OpenPGP smartcard and an SCM card reader. I installed it under Fedora 16 and it worked beautifully. Under Fedora 17 it's broken. After a few rounds of unfruitful debugging I gave Werner an account on an F17 box with this hardware plugged in, and even then we were unable to figure out what was wrong. So, since this device clearly doesn't work under F17 (or F18, now, for that matter), I've elected to stop using it in favor of using my desktop PC. Just makes sense. Damned thing doesn't work.
>
> -- And that is _exactly_ the attack I would use against any dongle you plug into a compromised PC in order to make signatures safely. If I've compromised the system, all I need to do is make the dongle not work properly. After a few rounds of frustrating debugging and discovering the thing just doesn't work, you'll revert back to using your compromised PC. You'll do it for the exact same reason that I stopped using my smartcard reader: damned thing doesn't work.

Ah, but there are situations in which that would not work... if the secret key is ONLY present in the smartcard, and you are required by law to only use a secret key from a smartcard, that attack would make you unable to use digital signatures, but would not allow you to obtain documents signed by the victim.

Now, why did I come up with that case where law forces the use of smartcards? Easy, because that is what Chilean law says about digital signatures. Of course, it focuses on the x.509 standard, and only if the certificate was issued by one of the CAs in the short list of government-approved CAs. You can use other kinds of digital signatures, but they won't be considered as legal as the smartcard ones; the judge would have to decide how much probative value to assign to those signatures... and that would be a bit scary ;)

Best Regards
Re: More secure than smartcard or cryptostick against remote attacks?
On 02/07/2013 06:42 PM, Faramir wrote:
> Ah, but there are situations in which that would not work...

Sure. There are always situations where a particular attack won't work. For instance, if there's an ironclad no-exceptions policy that you may never, ever, fall back to using GnuPG on the PC, then this attack wouldn't work. But that quickly reduces to a game of whack-a-mole -- a game you're not going to win. The attacker gets to tailor his attack to your defenses; you don't get to tailor your defense to the attacker.

If you don't trust your hardware, get new hardware that you do trust.
Re: More secure than smartcard or cryptostick against remote attacks?
On Wed 06.02.2013, 10:28:13, Peter Lebbing wrote:
> Can you explain (broadly) how one would compromise the signature/the device that you sign with?

That seems easy to me: Except for small amounts (secure device's display capacity) of very simple data (plain text) you have the problem that the PC which you need to create (and view) the data to be signed sends a blob to the secure device which is opaque to you. The problem is not to forge a signature but the difficulty to force that only data with checked integrity gets signed. How are you going to do that with a PDF?

The only possibility I see is that the secure device shows you the hash of the data to be signed. IIRC unfortunately OpenPGP does not sign the data hash but the hash of the combination of the data and signature metadata, which really doesn't make this easier. So you would need a secure device which you can give both the data and the metadata so that it can show both (in case of the data: just the hash) to the user. Then you can (safely...) copy the data to several PCs and have them show you both the file hash and the document (in that order). Hoping that at least one of the PCs is not compromised.

I really hope that the next version of OpenPGP will sign data and metadata separately (and allow for multiple hashes of different types in the same signature) to get rid of this annoyance.

Hauke

-- 
☺ PGP: 7D82 FB9F D25A 2CE4 5241 6C37 BF4B 8EEF 1A57 1DF5 (since 2012-11-04)
http://www.openpgp-schulungen.de/
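Hauke's point that OpenPGP does not sign the plain file hash can be made concrete. The following is an added example, not code from this thread or from GnuPG: it builds the digest that the private key actually signs for a v4 binary-document signature as RFC 4880 section 5.2.4 lays it out (the document, then the hashed part of the signature packet, then a six-octet trailer). The creation time and issuer key ID are constructed sample values, and only the two subpackets needed for the demonstration are included.

```python
import hashlib
import struct

# Algorithm identifiers from RFC 4880 §9 and the signature type from §5.2.1.
HASH_SHA256 = 8      # hash algorithm id for SHA-256
PK_RSA = 1           # public-key algorithm id for RSA (encrypt or sign)
SIG_BINARY = 0x00    # signature over a binary document (no line-ending canonicalisation)


def subpacket(sp_type: int, body: bytes) -> bytes:
    """Encode one signature subpacket (RFC 4880 §5.2.3.1).

    The length octet counts the type octet plus the body. The one-octet length
    form is only valid below 192, which is all this example needs.
    """
    length = len(body) + 1
    if length >= 192:
        raise ValueError("one-octet subpacket length form only covers lengths < 192")
    return bytes([length, sp_type]) + body


def hashed_subpackets(creation_time: int, issuer_keyid: bytes) -> bytes:
    """Minimal hashed subpacket area: Signature Creation Time (type 2) and Issuer (type 16)."""
    if len(issuer_keyid) != 8:
        raise ValueError("issuer key ID must be 8 octets")
    return subpacket(2, struct.pack(">I", creation_time)) + subpacket(16, issuer_keyid)


def hashed_signature_body(creation_time: int, issuer_keyid: bytes, hash_alg: int = HASH_SHA256) -> bytes:
    """The part of a v4 signature packet covered by the hash: version, signature type,
    public-key algorithm, hash algorithm, two-octet subpacket length, hashed subpackets."""
    sp = hashed_subpackets(creation_time, issuer_keyid)
    return bytes([4, SIG_BINARY, PK_RSA, hash_alg]) + struct.pack(">H", len(sp)) + sp


def v4_signature_digest(document: bytes, creation_time: int, issuer_keyid: bytes) -> bytes:
    """Digest the key signs for a v4 binary-document signature (RFC 4880 §5.2.4):
    H(document || hashed signature body || 0x04 0xFF || 4-octet length of that body)."""
    body = hashed_signature_body(creation_time, issuer_keyid)
    trailer = bytes([4, 0xFF]) + struct.pack(">I", len(body))
    h = hashlib.sha256()
    h.update(document)
    h.update(body)
    h.update(trailer)
    return h.digest()


def document_hash(document: bytes) -> bytes:
    """What a display-only device would show if it hashed just the file."""
    return hashlib.sha256(document).digest()


# Constructed sample values: not a real key, signature or document from the thread.
SAMPLE_DOC = b"I agree to the attached terms.\n"
SAMPLE_TIME = 1360144800          # an arbitrary timestamp in February 2013
SAMPLE_KEYID = bytes.fromhex("0123456789abcdef")

if __name__ == "__main__":
    signed = v4_signature_digest(SAMPLE_DOC, SAMPLE_TIME, SAMPLE_KEYID)
    print("sha256(document):     ", document_hash(SAMPLE_DOC).hex())
    print("digest the key signs: ", signed.hex())
    # Signing the same file one second later binds different metadata and so a different digest.
    print("same document, time+1:", v4_signature_digest(SAMPLE_DOC, SAMPLE_TIME + 1, SAMPLE_KEYID).hex())
```

The file hash and the signed digest never agree, and two signatures over the same document differ as soon as the creation time does. Since an OpenPGP card receives this finished digest rather than the document, a device that only shows the user a hash of the file cannot show what the card is actually being asked to sign, which is the gap Hauke describes. For canonical text signatures (type 0x01) the document is additionally normalised to CRLF line endings before hashing, so the two values diverge for yet another reason.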
Re: More secure than smartcard or cryptostick against remote attacks?
On 06/02/13 11:37, Hauke Laging wrote:
> That seems easy to me: Except for small amounts (secure device's display capacity) of very simple data (plain text) [...]

Seems to me to be enough to do what OP requested: signing e-mails he/she wrote. It indeed seems easy to me that this won't work for binary data, I left that implied. A solution that works for signing e-mails sounds like a viable solution. Just like the USB device the OP linked to only works for signing an electronic bank transfer. Obviously you shouldn't use the same signing key for other duties because those other duties open up different methods to get an e-mail falsely signed. Still, not a deal breaker.

I'm not suggesting anybody build this solution. I'm arguing on the technical merits, not the economical ones. Robert suggested it is impossible or close to that. I don't see it that way, but maybe I'm missing some interesting attack vector. And that would be interesting to hear.

> How are you going to do that with a PDF?

You're not going to achieve that.

> The only possibility I see is that the secure device shows you the hash of the data to be signed.

I don't see how that would work. Or, put differently, how that would work any better than transferring the file to a secured system. Because I can't calculate the hash easily using pen and paper, I really need to be seeing something other than the hash before I can be sure it's the data I wanted to sign.

Even if hashes could be calculated by pen and paper, it seems like it's an unworkable solution. You would also need to be able to interpret all the binary data you're calculating the hash over, or else you still don't know what you're signing. The PDF could contain a vector image that renders to text saying I owe you € 1000. I would need to be able to create that vector image in my head before I can interpret the binary data that represents it. This just gets more insane the more you think about it.

But it is really /way/ out of the scope of signing your e-mails.

Peter.
Re: More secure than smartcard or cryptostick against remote attacks?
On 06/02/13 11:37, Hauke Laging wrote:
> Then you can (safely...) copy the data to several PCs and have them show you both the file hash and the document (in that order). Hoping that at least one of the PCs is not compromised.

In my other mail I got kinda hung up on manual verification but forgot about this part of your mail :).

I think what you propose is a completely different topic/solution. You seek security in numbers: hope one of the many PCs isn't compromised. The device proposed by OP/by me seeks security in being restricted and simple. And also takes a whole lot less effort to use ;).

I don't really believe in the security in numbers, by the way. Seems too stochastic. If the attacker can attack all but one of the many, why not the last one? Yes, you reduce the odds, but I prefer more determinism.

But let's stick to the e-mail signing in this thread, or the discussion will get very unfocused and hard to follow. If you want to continue anyway, could you please change the Subject: line?

Peter.
Re: More secure than smartcard or cryptostick against remote attacks?
On Wednesday, February 06, 2013 at 5:42 AM, Hauke Laging mailinglis...@hauke-laging.de wrote:
> The problem is not to forge a signature but the difficulty to force that only data with checked integrity gets signed. How are you going to do that with a PDF?

There is a bigger problem with a PDF: if, once a hash algorithm becomes insecure enough that pre-image collisions are possible, it is possible to forge a signature.

Ordinarily, even if a collision is possible, a forgery of a signature over text would instantly be detectable, as the collision forgery would have gibberish in the text. I.e.:

M1 has signature hash S1
M2 = (m3 + string), where m3 is the forged text, and the string added is a string of additional characters that are varied until a collision is found for the same S1 hash.

The string stands out as gibberish and would be questioned, even if the signature verified.

But now, in PDF form, the string can easily be hidden in the PDF, by having the string embedded as white text instead of black, and not distinguishable from the white space background.

Example: M1 is a PDF of a table, or spreadsheet, or has equations or different-language special characters, where it is reasonable to be sent as a PDF.
M2 = PDF of (m3 + string), where m3 is the forged data in the table, or other visible area of the PDF, and the string is the found addition that produced a successful collision for the final PDF, after having the string rendered in 1 pt. font in white color embedded in any convenient place in the PDF.

M1 does not even have to be a PDF, as long as it has a detached .sig S1. If pre-image collisions are possible for a hash, then a PDF can be constructed to have the same .sig S1.

(This could still be detected by examining the details of the metadata of the PDF and seeing what 'extra' material was embedded, but only if a habit is made of checking the metadata very carefully.)

vedaal
Re: More secure than smartcard or cryptostick against remote attacks?
On Wednesday 06 of February 2013 11:57:40 ved...@nym.hush.com wrote:
> On Wednesday, February 06, 2013 at 5:42 AM, Hauke Laging mailinglis...@hauke-laging.de wrote:
>> The problem is not to forge a signature but the difficulty to force that only data with checked integrity gets signed. How are you going to do that with a PDF?
>
> There is a bigger problem with a pdf, that if, once a hash algorithm becomes insecure enough that pre-image collisions are possible, it is possible to forge a signature.

Don't extended (-T, -X, -A form) PAdES signatures add new hash values?! I'm quite sure not only they do, but that it's mandatory. So, new hashes can be used when ones used in file are beginning to weaken (e.g. SHA1 now).

> This could still be detected by examining the details of the metadata of the pdf and seeing what 'extra' material was embedded, but only if a habit is made of checking the metadata very carefully.

I'd suggest to make a habit of not trusting PDF files with currently invalid timestamps... Or files without cryptographic timestamps with currently invalid signatures...

Regards,
-- 
Hubert Kario
QBS - Quality Business Software
02-656 Warszawa, ul. Ksawerów 30/85
tel. +48 (22) 646-61-51, 646-74-24
www.qbs.com.pl
Re: More secure than smartcard or cryptostick against remote attacks?
Hi anonymous writer,

> Smartcard or cryptostick will not help in my situation.

Might a SmartCard with a reader that has its own pinpad help?

http://www.gnupg.org/howtos/card-howto/en/ch02s02.html#id2519120

Olav

-- 
The Enigmail Project - OpenPGP Email Security For Mozilla Applications
Re: More secure than smartcard or cryptostick against remote attacks?
> Hi anonymous writer,

Hello!

>> Smartcard or cryptostick will not help in my situation.
>
> might a SmartCard with reader that has its own pinpad help?
>
> http://www.gnupg.org/howtos/card-howto/en/ch02s02.html#id2519120

No. It does not give certainty about what I am actually signing. The virus could replace the text sent to the device.
Re: More secure than smartcard or cryptostick against remote attacks?
On 02/04/2013 02:26 AM, refresh...@tormail.org wrote:
> Are there any external gpg signing devices to make gpg more resistant against remote control viruses?

No. There are none, nor will there be. You absolutely must retain control of the processing hardware GnuPG runs upon. If you don't have that control, there is literally no device -- hardware or software -- that can help you.

> But when I send a mail I wrote to the crypto device a virus could make my screen lie to me and sign and send a malicious message somewhere else. Against this case I want to defend.

You can't.

> Are there any devices or systems I could use to verify my mail on a trusted device with small attack surface before I sign it?

This doesn't make sense to me. You don't trust your PC running GnuPG, so you want to verify your mail on a PC running GnuPG, just one that happens to be 'trusted'?

(Also, you seem to be using the word 'trusted' in a way opposite from its real meaning. A system is trusted if it has the ability to break your security policy. It doesn't mean the system is actually trustworthy. It's a statement that you're *forced* to trust it, not that you think it's *deserving* of trust. See, e.g.: http://www.cl.cam.ac.uk/~rja14/Papers/spw09.pdf ... bottom of page 2, if you want to see an academic reference to this definition of 'trusted'.)