Yubico Forum

Posted: Sun Jan 03, 2016 9:35 pm (codebase)
Hello,

Does the YubiKey 4 store the GnuPG (GPG) private keys encrypted on the silicon?


Regards,
Codebase


Last edited by codebase on Thu Jan 14, 2016 2:54 pm, edited 2 times in total.


Posted: Fri Jan 08, 2016 1:54 am (mouse008)
I don't think any current smartcards store keys encrypted. If your threat model includes an adversary capable of extracting private keys from silicon, you have bigger problems than a $40 device is likely to address.


Posted: Fri Jan 08, 2016 4:22 am
mouse008 wrote:
I don't think any current smartcards store keys encrypted. If your threat model includes an adversary capable of extracting private keys from silicon, you have bigger problems than a $40 device is likely to address.


That reminds me of the Mickens paper:
Quote:
Basically, you're either dealing with Mossad or not-Mossad. If your adversary is not-Mossad, then you'll probably be fine if you pick a good password and don't respond to emails from ChEaPestPAiNPi11s@virus-basket.biz.ru. If your adversary is the Mossad, YOU'RE GONNA DIE AND THERE'S NOTHING THAT YOU CAN DO ABOUT IT.


https://www.schneier.com/blog/archives/2015/08/mickens_on_secu.html


Posted: Sun Jan 10, 2016 7:27 pm (codebase)
mouse008 wrote:
I don't think any current smartcards store keys encrypted. If your threat model includes an adversary capable of extracting private keys from silicon, you have bigger problems than a $40 device is likely to address.

Give me one reason why you are not using the user's PIN (1-256 characters: digits and letters) to encrypt the private keys on the silicon. It has nothing to do with threat models at all; it's just common sense.


... So IF you lose your YubiKey for whatever reason ... you come home ... and lie in bed ... and know exactly, as your thoughts are circling: "Oh dear. All the private-key material is stored there in plain text with no additional cryptographic protection at all." Then you are beginning to worry, my friend, because then you are pretty f* up, because you just lost your private keys, like a 12-year-old school kid who just lost his lunch and milk money. And guess what ... it has nothing to do with any conspiracy theory or three-letter agency ... it's just not reasonable to store private-key material in plain text on the hardware.


Last edited by codebase on Mon Jan 11, 2016 11:46 pm, edited 2 times in total.

Posted: Mon Jan 11, 2016 8:38 pm (Uriel)
Quote:
... So IF you lose your YubiKey for whatever reason ...

Ever heard of key revocation?


Posted: Mon Jan 11, 2016 11:38 pm (codebase)
Uriel wrote:
Quote:
... So IF you lose your YubiKey for whatever reason ...

Ever heard of key revocation?

Does key revocation justify keeping the private keys in plain text on the device? Interesting :roll:


Don't get me wrong, I'm pretty happy with my YubiKey 4 and I will keep using it, though I'm still shocked at how you can keep the private keys in plain text when you are able to offer so many other features with this tiny piece of hardware.


Posted: Tue Jan 12, 2016 1:19 pm (dain, Site Admin)
The security of the keys lies in the secure element itself. That's the very purpose of the chip, so I would say that yes, it is reasonable to store private-key material in such hardware.

Encrypting the keys using the PIN would be troublesome for a few reasons: First off, if you forget your PIN you can reset it using the Reset Code or the Admin PIN. You'd then be left with encrypted private keys and no knowledge of the key. To avoid this you could encrypt using each of these three PINs, so that any one of them can be used to decrypt. The problem then becomes that you would need to enter all codes when generating/importing a new key, to be able to do this encryption. This would not be compatible with the OpenPGP card standard, so key management would require a separate client.

For this to give any real protection you would need a lot of entropy in each of the three PINs. Surely an adversary capable of extracting the keys from the chip would be able to spend some effort brute-forcing the encryption as well. Sure, you could use a key strengthening algorithm like PBKDF2 or scrypt, but again, this would be non-standard and require a specialized client which does this (so say goodbye to gpg).

It's just not practical to do what you're asking, and questionable if it would add any real security in practice.


Posted: Tue Jan 12, 2016 4:46 pm (codebase)
dain wrote:
It's just not practical to do what you're asking, and questionable if it would add any real security in practice.
I have an idea: When you are creating new keys in GnuPG, you can make a backup of the private keys. When you choose to back up your private keys in GnuPG, you are asked for a passphrase which protects the backup (so the backup of the private keys is encrypted, even if it's stored in a secure location offline).

Now, if you want to export your existing GnuPG keys to your YubiKey: instead of taking the actual plain-text secret key, you simply take the encrypted backup of the secret key and export it to the YubiKey! So you end up with your secret keys encrypted on the YubiKey. And when you are about to do crypto operations you are required to input your PIN (aka the passphrase for your backup).

  • Of course this would require change in code, but would this be possible?
  • Maybe without re-flashing the Yubikey firmware, e.g. by only changing software code on PC client side?



PS: Regarding "lost PIN / passphrase": if you have a backup of your private keys from GnuPG, you can always re-export these private keys to your YubiKey! Maybe change the passphrase of your offline backup keys afterwards in GnuPG, so you can access them even if you forgot your YubiKey PIN (aka passphrase).


Posted: Wed Jan 13, 2016 3:44 am (mouse008)
Quote:
It's just not practical to do what you're asking, and questionable if it would add any real security in practice.

Agree 100%.

Quote:
I have an idea: ...

How about establishing a startup that would manufacture hardware tokens with the capability you described - storing private keys encrypted in hardware, and requiring a complex passphrase (scrypt- or argon2-derived key) to decrypt them? Then we'll see (a) at what price point you'd be able to sell them, and (b) how much interest there is for this capability on the market.

NSA, KGB, whoever, are you listening? :-)


Posted: Wed Jan 13, 2016 2:01 pm (dain, Site Admin)
codebase wrote:
I have an idea: When you are creating new keys in GnuPG, you can make a backup of the private keys. When you choose to back up your private keys in GnuPG, you are asked for a passphrase which protects the backup (so the backup of the private keys is encrypted, even if it's stored in a secure location offline).


I don't think this really solves any of the issues. Anyway, it would require both firmware level changes and client software changes, and would break compatibility with the specification.
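Added example (editor's demo code, not YubiKey firmware and not anything Yubico or GnuPG ships) modelling the two designs argued over in this thread: dain's sketch of the private key wrapped under the user PIN, admin PIN and reset code so that any one of the three recovers it, with a PBKDF2 stretching step, and codebase's variant of putting a passphrase-encrypted GnuPG backup on the card, which is the same construction with a longer secret. It then runs the two attacks the thread contrasts: guessing against a card that compares the PIN on-chip and blocks the slot after three failures (the retry counter the OpenPGP card applies to the plaintext key in the secure element), and guessing against a blob the attacker has already read out of the chip, where nothing limits the attempts but the secret's entropy and the KDF cost. Assumptions, all this example's own: the cipher is a toy (HMAC-SHA256 counter keystream plus an HMAC tag, not a real AEAD), the iteration count is deliberately tiny so the run finishes in seconds, the slot names `user`/`admin`/`reset` and the retry limit of three are chosen here, and the key blob, PINs and reset code are constructed for the demo (the eight-digit admin PIN mirrors the OpenPGP card's 12345678 default).

```python
"""Constructed model of "encrypt the OpenPGP key under the PIN" (demo code, not YubiKey firmware).

One random key-encryption key (KEK) encrypts the private key; the KEK is
wrapped separately under the user PIN, the admin PIN and the reset code, so
any one of the three recovers the key.  The cipher is a toy (HMAC-SHA256
counter keystream plus an HMAC tag) built only to show what an extracted
ciphertext is worth; do not reuse it for real data.
"""
import hashlib
import hmac
import os

ITERATIONS = 200  # deliberately tiny so the demo runs in seconds; real KDFs use far more


def _derive(secret, salt, iterations):
    # 64 bytes: first 32 drive the keystream, last 32 are the MAC key
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, iterations, dklen=64)


def _keystream(key, nonce, length):
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _seal(key, nonce, data):
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key[:32], nonce, len(data))))
    return ct, hmac.new(key[32:], nonce + ct, hashlib.sha256).digest()


def _open(key, nonce, ct, tag):
    if not hmac.compare_digest(hmac.new(key[32:], nonce + ct, hashlib.sha256).digest(), tag):
        return None  # wrong code (or tampered blob)
    return bytes(a ^ b for a, b in zip(ct, _keystream(key[:32], nonce, len(ct))))


def card_store(private_key, user_pin, admin_pin, reset_code, iterations=ITERATIONS):
    """Build the on-card blob: private key under the KEK, KEK under each of three codes."""
    kek, nonce = os.urandom(64), os.urandom(16)
    key_ct, key_tag = _seal(kek, nonce, private_key)
    wraps = {}
    for slot, code in (("user", user_pin), ("admin", admin_pin), ("reset", reset_code)):
        salt = os.urandom(16)
        ct, tag = _seal(_derive(code, salt, iterations), salt, kek)
        wraps[slot] = {"salt": salt, "ct": ct, "tag": tag}
    return {"nonce": nonce, "key_ct": key_ct, "key_tag": key_tag,
            "iterations": iterations, "wraps": wraps}


def card_unlock(store, slot, code):
    """Recover the private key with any one of the three codes; None if the code is wrong."""
    w = store["wraps"][slot]
    kek = _open(_derive(code, w["salt"], store["iterations"]), w["salt"], w["ct"], w["tag"])
    return None if kek is None else _open(kek, store["nonce"], store["key_ct"], store["key_tag"])


class RetryCountedCard:
    """The secure-element model instead: key kept in plaintext inside the chip,
    PIN compared on-chip, slot blocked after three wrong guesses (limit chosen here)."""

    def __init__(self, pin, retries=3):
        self._pin, self.retries_left = pin.encode(), retries

    def verify(self, guess):
        if self.retries_left == 0:
            return False  # blocked: further guesses are pointless
        if hmac.compare_digest(guess.encode(), self._pin):
            return True
        self.retries_left -= 1
        return False


def numeric_pins(digits):
    """Every zero-padded PIN of the given length, lowest first."""
    return (f"{n:0{digits}d}" for n in range(10 ** digits))


def online_guess(card, candidates):
    """Attack the live card: (pin, attempts) on success, (None, attempts) once blocked."""
    tried = 0
    for pin in candidates:
        tried += 1
        if card.verify(pin):
            return pin, tried
        if card.retries_left == 0:
            return None, tried
    return None, tried


def offline_guess(store, slot, candidates):
    """Attack the extracted blob: only the secret's entropy and the KDF cost slow this down."""
    tried = 0
    for pin in candidates:
        tried += 1
        if card_unlock(store, slot, pin) is not None:
            return pin, tried
    return None, tried


if __name__ == "__main__":
    secret_key = b"-- constructed OpenPGP secret key blob --" * 4  # constructed demo data
    store = card_store(secret_key, "000417", "12345678", "reset-code-for-demo")
    assert card_unlock(store, "reset", "reset-code-for-demo") == secret_key
    print("online :", online_guess(RetryCountedCard("000417"), numeric_pins(6)))  # (None, 3)
    print("offline:", offline_guess(store, "user", numeric_pins(6)))              # ('000417', 418)
```

Run it and the online attack stops at the third wrong guess with the slot blocked, while the offline attack walks the six-digit space and recovers the demo PIN after 418 guesses. Raising `ITERATIONS` only multiplies the attacker's per-guess cost, so a numeric PIN of card-typical length stays within reach however the other two codes are chosen, which is dain's entropy point: the wrap is only as strong as its weakest unlock code once the retry counter is gone. Swapping in a long passphrase, as codebase proposes, does raise the cost, but the stretching then has to run in the client, which is the non-standard path dain describes.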

