What are some threats against which OpenPGP smartcards are useful?

Mike Gerwitz mtg at gnu.org
Wed Jan 8 04:54:59 CET 2020 

On Tue, Jan 07, 2020 at 00:26:14 +0100, Christoph Groth wrote:
> Through an article [1] in LWN, I stumbled across a thread [2] on this
> list that dealt with the usefulness of smartcards for storing
> OpenPGP keys.

I don't have time to read what I already wrote in that thread, so I'm
sorry if I repeated myself here.

> I understand that OpenPGP smartcards do not protect from a compromise
> of the computer system that they are used with.  As Peter Lebbing puts
> it [3]:
>
>> You don't even have to decrypt the document they're interested in
>> yourself, and no external push button will save you. Just decrypt
>> a document twice, and the second time, the attacker can use your
>> smartcard for their own good while providing the session key they
>> logged the first time for your decryption.
>
> But then, what are threats against which smartcards *are* useful?

That's too coarse of a conclusion.

Let's say I decided to plug my Nitrokey into some adversary's computer,
willingly, and enter my PIN.  The attacker can make use of the card
while it's plugged in.  But operations using the card are very slow, and
I'll notice the light going on more than once.  I'll unplug it.  Attack
mitigated.  The only thing lost is whatever the attacker managed to do
within that time period---decrypt files, sign documents, SSH into remote
machines, etc.  (Don't get me wrong: all those are really bad.)

Then I go to a safe location and change my PIN.

Or maybe I'm punched out and my smartcard stolen.  I go home, revoke my
subkeys, and have to pay for a new smartcard.  And let some people know
that I was beat up and you shouldn't trust anything that was signed in
that time period.

But consider the alternative: if you weren't using a smartcard, and your
key were on disk, all of that still would have happened.  But in
addition, your private key has been compromised.  You now have to revoke
your entire key.  If you've built a web of trust, you have to start
again.

Smart cards _are_ useful even if your system is compromised, because it
still protects your key from offline use.  It gives me peace of mind
when it's capped and stored in a safe location.

If you just leave your smart card plugged into your computer 24/7 and
leave your computer on while you're sleeping, that's a problem.  It
won't protect you from bad practices.

You can get some of those benefits by e.g. using a laptop as a thin
client and forwarding the GPG agent to a remote box over SSH, and store
the private key on the laptop.  The risk is still higher than a
smartcard though.

It all depends on your threat model.

> I got a smartcard to ssh from computers that I trust reasonably but
> where I am not (the only) root to other (more trusted) machines that
> I control exclusively and that hold data that I would not store on the
> less-trusted machines.  From a fundamental point of view a smartcard
> does not provide any additional security here, but I have the
> imporession that in practice it does, because gaining access to the
> remote machines becomes more difficult for an attacker (without
> a smartcard, installing a simple keylogger is enough).  This is the same
> kind of imperfect security we rely on in real life, for example with
> door locks.  Would you agree with me?

I use my Nitrokey for SSH as well.  Prior to having it, I would store an
SSH key to personal accounts on e.g. my work computer.  I cannot fully
trust that system.  But today I don't need to do that: I insert the
Nitrokey only when prompted by GPG, immediately remove it, and change my
PIN when I get home.  While there's still the risk that the card may be
used for other things by a malicious process, it's pretty well
mitigated.  I know how long the light on the smartcard should be on for
and watch it the entire time.  I never allow the card to be out of my
view when connected to a system.

Of course, there's also the risk that someone has physically tampered
with the smartcard to suppress the LED under certain
circumstances.  This isn't foolproof.  But it's better than SSH keys on
my work system.

-- 
Mike Gerwitz
Free Software Hacker+Activist | GNU Maintainer & Volunteer
GPG: D6E9 B930 028A 6C38 F43B  2388 FEF6 3574 5E6F 6D05
https://mikegerwitz.com
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 818 bytes
Desc: not available
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20200107/e9a09023/attachment.sig>

More information about the Gnupg-users mailing list