How to enable ack button functionality on FST-01sz

Mark Debian mark_debian at yahoo.com
Wed Jan 6 22:31:18 CET 2021


Werner Koch said:

> > After you insert and use your Gnuk token smartcard the gpg-agent will
> > cache your password.  If someone has backdoor shell access then they

> No.  The agent does not cache the PIN or passphrase - this is done by
> the smartcard.

OK.  I see.

> > Otherwise how do you counter the threat of someone gaining backdoor
> > shell access to your account?  That is the threat that the smartcard
> > ultimately provides the extra protection against.

> You can't.  The smartcard protects your key but it can't really protect
> the use of the key as long as the smartcard is plugged in.

I don't like that.

> BTW, Forcing a user to enter the Admin-PIN is pretty easy.  Just let the
> malware use up the PIN along with some social engineering and most
> users will enter the Admin PIN to unblock the PIN...

However education can protect against that threat.  Only ever use the Admin-PIN in the trusted air-gapped machine.  Furthermore, if you get your PIN wrong when you know you typed it correctly then that can be a warning that there is some malware on your PC.  If you have users of the smartcard that are not very knowledgeable then you can set things up for them so that only you have the Admin-PIN and they need to come to you to unblock the PIN if there is a problem.

Otherwise, how do you guard against the malware / backdoor threat on your PC?  Wouldn't the malware just wait for you to plug in the smartcard and enter your passphrase and then proceed to use your key before you can pull out the smartcard?  For example, if you use your gpg key for authenticating ssh access then the malware could immediately set up that shell access too.

Thanks for explaining / detailing the threat model better.

Do you think that one of the crypto hardware wallets is a better device to protect against this threat?  For example, the Trezor-T has a PIN pad built into the device so you always enter the PIN on the hardware device.

However, when I looked at the Trezor-T it can only generate the gpg key on the device itself and seems directly dependent on the original seed phrase.  This means that the gpg key can be recovered on a new device if the original seed phrase is entered.  But, this also means that you can't have a master key with subkeys type of setup where only the subkeys are on the hardware device.  There seems to be no way to transfer a gpg subkey to the Trezor-T device.

Maybe it would be possible to enable gnupg use through scanning of QR codes somehow???  Some of the crypto hardware wallets are doing the signing of crypto transactions using QR codes and the device itself remains always air-gapped - it is never actually plugged into a PC.  See for example Ngrave.  

BTW: I do not have one of these devices and have no association with the company.

Regards,
Mark.

On Thursday, 7 January 2021, 04:45:11 am AEST, Werner Koch <wk at gnupg.org> wrote:

On Wed,  6 Jan 2021 15:19, Mark Debian said:

> After you insert and use your Gnuk token smartcard the gpg-agent will
> cache your password.  If someone has backdoor shell access then they

No.  The agent does not cache the PIN or passphrase - this is done by
the smartcard.

> Otherwise how do you counter the threat of someone gaining backdoor
> shell access to your account?  That is the threat that the smartcard
> ultimately provides the extra protection against.

You can't.  The smartcard protects your key but it can't really protect
the use of the key as long as the smartcard is plugged in.

BTW, Forcing a user to enter the Admin-PIN is pretty easy.  Just let the
malware use up the PIN along with some social engineering and most
users will enter the Admin PIN to unblock the PIN...


Salam-Shalom,

  Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.  