Smart card

Mike Gerwitz mtg at gnu.org
Mon Apr 10 04:32:23 CEST 2017


On Sun, Apr 09, 2017 at 16:44:03 -0400, Robert J. Hansen wrote:
>> But this is a dangerous
>> article, and hard to distinguish between satire and actual security
>> advice.  And there's both.
>
> I thoroughly disagree.  This is not an article filled with actual
> security advice.  It was published in USENIX's humor column, after all.
> It is straight-up satire of tendencies that need satirizing.  Satire
> deeply grounded in truth, yes, but I shudder to think of the foolishness
> required to mistake this satire for actual security advice.
>
> Satire is an excellent weapon against folly, and the idea that everyone
> should use smartcards is exactly the kind of folly Mickens is railing
> against.

The number of times I have seen this article used to rationalize
black-and-white threat models and dismiss threats is concerning---its
grounding in truth is what makes it good satire, and it's not hard to
distill security "advice" from it.

>>> Once you assume that your opponent is specifically targeting you with
>>> malware capable of sophisticated memory forensics, you're screwed.
>> 
>> Again, defeatist.
>
> No, realistic.  At that point you've got an attacker who is highly
> motivated against you specifically, who has access to technical experts,
> who has a significant operating budget.

I think this is being confounded by adjoining two conversations---that
smartcards provide additional security given a compromised system, and
the satirical quote you provided.  I was referring in this case to the
latter.

My point is that if you base your entire threat model and practices on
the fact that some attacker somewhere is going to succeed in a targeted
attack against you, then you may as well give up on security period.

And my point was further that memory forensics is a pretty poor baseline
for "screwed".  That's the default category for any user of a
surveillance operating system like Windows 10.  Is the decision there to
not attempt to address the problem at all?

>> Nor should anyone think they are.  But it's sure as hell a smaller
>> attack surface than the, uh, near-unlimited attack surface of an
>> Internet-connected computer (or mobile device!) that most people store
>> their private keys on.
>
> I've always been amused by how often people think that if their keys are
> safe, their communications are, too.

I'm not sure if you're adding that to the discussion or saying that I
implied that; I certainly didn't.

> Apparently, the prospect of a well-funded attacker rooting your laptop,
> planting a trojaned GnuPG with a compromised PRNG, and being able to
> read all your traffic at their leisure, though, you're just fine with that.
>
> Once you assume the attacker can root your machine, *you* *are*
> *screwed*.  There is no way around it.  The universe of malfeasance the
> attacker can throw at you is effectively unlimited.  And you're
> seriously saying, "but at least my keys are safe!"?
>
> Give me a break.

This is the other conversation, which I didn't comment on; I should have
made that more clear.

You seem to be suggesting that key safety isn't even a concern if you're
compromised---that nothing else matters, and the distinction between a
compromise as you described with or without access to the key(s) is
irrelevant.

This doesn't have to start with a compromise from Day 1.  If you are
using a compromised system for generating your GPG key, sure, a
smartcard isn't going to help you at all.  But note that you can also
generate the keys on the smart card itself rather than the host
system, which would circumvent a compromised PRNG.  Of course that's not
much of an option if you need a long-term identity, but for someone
looking to use GPG for other purposes, that's certainly an option.

Let's say you're not compromised Day 1, and you don't have a
smartcard.  Your key can be copied by malware at any point in time.  The
password can be brute-forced offline or can be gathered through some
other method at a later date.

Let's say Eve has access to system memory, and a keylogger, and can view
communications before they are even encrypted.  Fair enough, a smart
card won't help you if crypto is circumvented entirely.  That's the case
with or without it.  But GPG keys are seldom rotated.  If you do happen
to use it for encrypting sensitive communications, the compromise of
your encryption key at any point means the compromise of possibly years
(or a lifetime's worth) of data.  With a smartcard, a passive
eavesdropper can't do anything---Mallory would be forced to either steal
it from you, or issue commands to decrypt when it's connected to the
system, which would prompt for the PIN at least once, would be slow, and
would hopefully trigger an indicator on the smartcard.

Let's say I receive encrypted correspondence from someone.  If Mallory
has access to my communications/mailbox, he could grab the message,
decrypt it, and be done.  He could then write a reply, sign it as me,
and have a full-on conversation, without me knowing.  With a smartcard,
I'm still needed---he'll have to find a way to sneak in those crypto
operations on the card without me noticing.

The primary purpose of my key is signing.  If Mallory wanted me to sign
something unwittingly, and I used an external reader, he would have to
intercept a legitimate operation and replace it with his own.  But then
I wouldn't have the signature that I requested.  If I noticed (I
personally would, I don't know that everyone would; maybe a recipient),
Mallory would be at risk of being discovered.

My Nitrokey locks the user PIN after three invalid attempts and bricks
itself after three admin PIN attempts.  If my smartcard is stolen, brute
force isn't possible---they will have had to have gathered my PIN in
some other manner.  Since I use a Nitrokey, I'd be owned by a
keylogger.  But if you use an external card reader with a PIN pad, then
Mallory might have a harder time, especially if he is a remote attacker.

I use GPG as an SSH agent---I can use SSH on any system that will
recognize my card.  Otherwise, you'd generate a key per host, any of
which could be compromised at some point in the past or future.

For users that need their GPG key on multiple boxes, I consider a
smartcard to be essential.  Otherwise, the user is just furthering her
risk of compromise.

Key safety is still important.

But again, that's assuming that Eve/Mallory _exist_.  With my original
argument: they may not.  The average user is far more likely to get some
random malware and get added to a botnet than they are to be a specific
target, and in those cases especially, their key won't be grabbed with
all the other data on their disk.

-- 
Mike Gerwitz
Free Software Hacker+Activist | GNU Maintainer & Volunteer
GPG: D6E9 B930 028A 6C38 F43B  2388 FEF6 3574 5E6F 6D05
https://mikegerwitz.com
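
An added example, not part of the original post and not GnuPG or Nitrokey code: a toy Python model contrasting the two cases the message describes, guessing the passphrase of a key file copied off disk versus guessing the PIN of a stolen card that enforces the three-attempt limit. The class, the function names, the PBKDF2 stand-in and the sample values are all constructed for illustration.

```python
import hashlib
import hmac

MAX_TRIES = 3  # limit the post cites for both user and admin PIN

class ToyCard:
    """Constructed model of a token that counts failed PIN tries on-device."""
    def __init__(self, user_pin, admin_pin):
        self._pins = {"user": user_pin, "admin": admin_pin}
        self.tries_left = {"user": MAX_TRIES, "admin": MAX_TRIES}
        self.bricked = False

    def verify(self, which, guess):
        if self.bricked or self.tries_left[which] == 0:
            return False  # locked: even the correct PIN is refused
        if hmac.compare_digest(guess, self._pins[which]):
            self.tries_left[which] = MAX_TRIES
            return True
        self.tries_left[which] -= 1
        if which == "admin" and self.tries_left["admin"] == 0:
            self.bricked = True  # per the post, admin lockout bricks the device
        return False

def protect_keyfile(passphrase, salt):
    """Stand-in for the passphrase protection on a key file copied from disk."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 1000)

def guess_offline(blob, salt, candidates):
    """No attempt counter exists off-device, so every candidate is tested."""
    for n, cand in enumerate(candidates, 1):
        if hmac.compare_digest(protect_keyfile(cand, salt), blob):
            return cand, n
    return None, len(candidates)

def guess_on_card(card, candidates):
    """Same list against the card: ends when the retry counter reaches zero."""
    for n, cand in enumerate(candidates, 1):
        if card.verify("user", cand):
            return cand, n
        if card.tries_left["user"] == 0:
            return None, n
    return None, len(candidates)

def demo():
    secret, salt = "000217", b"constructed-salt"  # constructed sample values
    candidates = [f"{i:06d}" for i in range(500)]
    card = ToyCard(user_pin=secret, admin_pin="87654321")
    return (guess_offline(protect_keyfile(secret, salt), salt, candidates),
            guess_on_card(card, candidates), card.verify("user", secret))
```

`demo()` returns the offline result, the on-card result, and whether the correct PIN is still accepted once the user counter is exhausted.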