Yubico Forum

Hello,

does the Yubikey 4 store the GnuPG (GPG) private-keys on the Yubikey 4 encrypted on the silicon?


Regards,
Codebase

I don't think any current smartcards store keys encrypted. If your threat model includes adversary capable of extracting private keys from silicon, you have bigger problems than a $40 device is likely to address.

That reminds me of the Mickens paper:


https://www.schneier.com/blog/archives/2015/08/mickens_on_secu.html

Give me 1 reason why you are not using the user's PIN (1-256 character, digits, letters) to encrypt the private-keys on the silicon? It has nothing to do with threat-models at all, it's just common sense.


... So IF you loose your Yubikey for whatever reason ... you come home ... and lay in bed ... and know exactely as your thoughts are circling ... "Oh Dear. All the private-key material is stored there in plain text with no additional cryptographic protection at all." Then you are beginning to worry my friend, because then you are pretty f* up cause you just lost your private-keys, like a 12 year old school kid just lost his lunch and milky money. And guess what ... it has nothing to do with any conspiracy theory or three-letter-agency ... it's just not reasonable to store private-key material in plain-text on the hardware.

Ever heard of key revocation?

Does key revocation justify, keeping the private-keys in plain-text on the device? interessting


Don't get me wrong, I'm pretty happy with my Yubikey 4 and I will keep using it; though I'm still shocked how you can keep the private-keys in plain-text when you are able to offer so many other features with this tiny piece of hardware.

The security of the keys lies in the secure element itself. That's the very purpose of the chip, so I would say that yes, it is reasonable to store private-key material in such hardware.

Encrypting the keys using the PIN would be troublesome for a few reasons: First off, if you forget your PIN you can reset it using the Reset Code or the Admin PIN. You'd then be left with encrypted private keys and no knowledge of the key. To avoid this you could encrypt using each of these three PINs, so that any one of them can be used to decrypt. The problem then becomes that you would need to enter all codes when generating/importing a new key, to be able to do this encryption. This would not be compatibly with the OpenPGP card standard, so key management would require a separate client.

For this to give any real protection you would need a lot of entropy in each of the three PINs. Surely an adversary capable of extracting the keys from the chip would be able to spend some effort bruteforcing the encryption as well. Sure, you could use a key strengthening algorithm like PBKDF2 or scrypt, but again, this would be non-standard and require a specialized client which does this (so say goodbye to gpg).

It's just not practical to do what you're asking, and questionable if it would add any real security in practice.

I have an idea: When you are creating new keys in GnuPG, you are able to do a backup of the private-keys. When you choose to backup your private-keys in GnuPG, you are asked for a passphrase which protects the backup (so the backup of the private-keys is encrypted, even if it's stored in a secure location offline).

Now, if you want to export your existing GnuPG keys to your Yubikey: Instead of taking the actual plain-text-secret-key, you simply take the encrypted backup of the secret-key to export it to the Yubikey! So you end up with your secret-keys encrypted on the Yubikey. And when you are about to do crypto-operations you are required to input your PIN (aka. passphrase for your backup).

• Of course this would require change in code, but would this be possible?
• Maybe without re-flashing the Yubikey firmware, e.g. by only changing software code on PC client side?

PS: Regarding "lost PIN / passphrase": If you have a backup of your private-keys from GnuPG, you can always re-export these private-keys to your Yubikey! Maybe change the passphrase of your offline backup keys afterwards in GnuPG, so you can access them even if you forgot your Yubikey PIN (aka passphrase).

Agree 100%.


How about establishing a startup that would manufacture hardware tokens with the capability you described - storing private keys encrypted in hardware, and requiring a complex passphrase (scrypt- or argon2-derived key) to decrypt them? Then we'll see (a) at what price point you'd be able to sell them, and (b) how much interest there is for this capability on the market.

NSA, KGB, whoever, are you listening?

I don't think this really solves any of the issues. Anyway, it would require both firmware level changes and client software changes, and would break compatibility with the specification.