gnupg 'signing server'? Looking for advice on key management/security
Jacob Bachmeyer
jcb62281 at gmail.com
Thu Nov 16 06:18:40 CET 2023
Werner Koch wrote:
> On Tue, 14 Nov 2023 20:52, Jacob Bachmeyer said:
>
>> succeed in either case. If this condition is not met, Mallory will
>> eventually be able to forge a signature. Therefore, smartcards do not
>> actually provide additional security in the typical PGP usage.
>>
>
> In all environments you have the advantage that you don't need to
> re-deploy your public keys after a compromise of your signing box.
> Sure, there are signatures on software/data out there which are not
> legitimate but this is not different from the easier attack of modifying
> the software/data before doing the signature.
>
This can vary with policy; I consider the known existence of an
illegitimate signature to require the revocation of the signing key.
The easier attack you mention requires the same condition as breaking
GPG's built in security or abusing the user's smartcard: Mallory must
plant persistent malware on the device that would have an opportunity to
modify the item to be signed before GPG reads it and builds the signature.
> Further, by inserting the smartcard only when required you limit the
> exposure time of the key and hinder attackers to do a lot of
> illegitimate signatures or decryption.
>
Yes; that is the "physical isolation" I mentioned as a further layer of
security.
> The OpenPGP cards feature a signature counter which can give you a hint
> on whether it was used by something else than you. It is not a perfect
> solution but raises the hurdle for the attacker. By using the smartcard
> on different machines you can even avoid malware which fakes the
> displaying of the signature counter.
>
The convenience of easily using multiple machines is one of the use
cases for smartcards. While I do not believe that it further
/increases/ security, using a smartcard if keys are used on multiple
machines certainly /preserves/ security while increasing convenience.
On a related note, the easier attack you mention of modifying the item
to be signed would evade checks of the signature counter, since only the
authorized signing event occurred, but the item signed had been tampered
and was not the item the user intended to sign.
> For a policy POV having the key material securely locked away is also an
> advantage - even if the data can be decrypted/signed using a smartcard
> by malware. The security of the key material and the ability to use the
> key material are different topics in a security policy.
Fair enough, although in my security model, the ability for an attacker
to use the key material is the critical failure; insecurity of the key
material implies that failure but the illegitimate use is the problem.
-- Jacob
More information about the Gnupg-users
mailing list