use policy of the GnuPG-card

classic Classic list List threaded Threaded
7 messages Options
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

use policy of the GnuPG-card

Matthias Apitz

Hello,

I'm using the GnuPG card for signing, SSH, password-store (Firefox web passwords)
and locking un-locking the KDE desktop on card-insert or withdraw.
After resolving some technical (FreeBSD) issues, I now have it on daily
usage on my netbook and my workstation in the office.

One problem comes obviously in mind: Someone with priv access to your workstation,
for example IT personal, could relatively easy steal your passwords, just setting your
environment and waiting for the moment that you have unlocked the card with the PIN;
than he/she could run as root:

# GNUPGHOME=/home/guru/.gnupg-ccid export GNUPGHOME
# PASSWORD_STORE_DIR=/home/guru/.password-store export PASSWORD_STORE_DIR
# pass Business/cheese-whiz-factory
gpg: WARNING: unsafe ownership on homedir '/home/guru/.gnupg-ccid'
cheese

It would also not help to just withdraw the card after any short usage, for example to
fire up a SSH session. The attacker could just sit in background waiting for this short moment,
which is long enough to copy all your passwords in to clear mode and send them away.

How is this supposed to be managed?


         matthias

--
Matthias Apitz, ✉ [hidden email], ⌂ http://www.unixarea.de/  ☎ +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub
8. Mai 1945: Wer nicht feiert hat den Krieg verloren.
8 de mayo de 1945: Quien no festeja perdió la Guerra.
May 8, 1945: Who does not celebrate lost the War.

_______________________________________________
Gnupg-users mailing list
[hidden email]
http://lists.gnupg.org/mailman/listinfo/gnupg-users

signature.asc (849 bytes) Download Attachment
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: use policy of the GnuPG-card

Andrew Gallagher
On 2017/07/13 11:49, Matthias Apitz wrote:
>
> One problem comes obviously in mind: Someone with priv access to your workstation,
> for example IT personal, could relatively easy steal your passwords, just setting your
> environment and waiting for the moment that you have unlocked the card with the PIN;
> than he/she could run as root:

*snipped evil plan*

Worse than that, they can keylog your PIN and use that to perform
unlimited crypto operations using your smartcard whenever they detect it
is plugged in. Or they can read decrypted passwords out of memory, or
replace gpg with a version that copies everything it touches to a
network connection. The possibilities are literally endless.

> How is this supposed to be managed?

Don't plug your smartcard into a computer that someone else has root
access to. That's not flippant, that's the best you can do in principle.
Smartcards can protect you against disclosure of your secret key, but
not of data encrypted to that key. If you want to protect all the data
encrypted by that key, then you still need to take all the precautions
that you need to with any other method of secret key storage, and that
means (amongst other things) don't decrypt your data on an untrusted
machine.

Remember, if someone else has root on your computer then it isn't your
computer - it's theirs.

A


_______________________________________________
Gnupg-users mailing list
[hidden email]
http://lists.gnupg.org/mailman/listinfo/gnupg-users

signature.asc (817 bytes) Download Attachment
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: use policy of the GnuPG-card

Andreas Heinlein-2
Am 13.07.2017 um 13:44 schrieb Andrew Gallagher:

> On 2017/07/13 11:49, Matthias Apitz wrote:
>> One problem comes obviously in mind: Someone with priv access to your workstation,
>> for example IT personal, could relatively easy steal your passwords, just setting your
>> environment and waiting for the moment that you have unlocked the card with the PIN;
>> than he/she could run as root:
> *snipped evil plan*
>
> Worse than that, they can keylog your PIN and use that to perform
> unlimited crypto operations using your smartcard whenever they detect it
> is plugged in. Or they can read decrypted passwords out of memory, or
> replace gpg with a version that copies everything it touches to a
> network connection. The possibilities are literally endless.
>> How is this supposed to be managed?
> Don't plug your smartcard into a computer that someone else has root
> access to. That's not flippant, that's the best you can do in principle.
> Smartcards can protect you against disclosure of your secret key, but
> not of data encrypted to that key. If you want to protect all the data
> encrypted by that key, then you still need to take all the precautions
> that you need to with any other method of secret key storage, and that
> means (amongst other things) don't decrypt your data on an untrusted
> machine.
>
> Remember, if someone else has root on your computer then it isn't your
> computer - it's theirs.
>
> A
+1 for that. If one can install software on a machine, one can
completely take it over. No way to prevent that.

For a private machine, you could encrypt the whole hard drive, making
attacks on the OS level require physical access two times: once for
installing a compromised boot loader that intercepts the password and
once again for decrypting the drive with the stolen password and
compromising the OS.

With physical access, there are still attack vectors using firmware or
hardware manipulation which also work with physical access only once.

Andreas


_______________________________________________
Gnupg-users mailing list
[hidden email]
http://lists.gnupg.org/mailman/listinfo/gnupg-users

signature.asc (259 bytes) Download Attachment
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: use policy of the GnuPG-card

Werner Koch
In reply to this post by Matthias Apitz
On Thu, 13 Jul 2017 12:49, [hidden email] said:

> How is this supposed to be managed?

You can't do anything about it.  The card protects your key against
compromise - but not the use of the key.

For the signing key we have a signature counter and if you can memorize
the count and the number of signatures you did, you have a way to detect
malicious use of that key.  Better malware could of course also present
you a different count - checking on a clean machine would detect that,
though.


Salam-Shalom,

   Werner

--
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.

_______________________________________________
Gnupg-users mailing list
[hidden email]
http://lists.gnupg.org/mailman/listinfo/gnupg-users

attachment0 (233 bytes) Download Attachment
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: use policy of the GnuPG-card

Robert J. Hansen-3
In reply to this post by Matthias Apitz
> One problem comes obviously in mind: Someone with priv access to your workstation,

You just lost.  Everything after this sentence is irrelevant.  Once an
attacker has privileged access to your machine it's all over.

> How is this supposed to be managed?

It can't be.  GnuPG is only for use in environments where you trust the
admins.  GnuPG cannot protect you from a rogue admin.  Do not fall into
the trap of thinking you can manage this: you cannot.

_______________________________________________
Gnupg-users mailing list
[hidden email]
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: use policy of the GnuPG-card

Matthias Apitz
In reply to this post by Werner Koch
El día jueves, julio 13, 2017 a las 03:57:47p. m. +0200, Werner Koch escribió:

> ...
>
> For the signing key we have a signature counter and if you can memorize
> the count and the number of signatures you did, you have a way to detect
> malicious use of that key.  Better malware could of course also present
> you a different count - checking on a clean machine would detect that,
> though.

Why we only have a counter for the signing key?

        matthias
--
Matthias Apitz, ✉ [hidden email], ⌂ http://www.unixarea.de/  ☎ +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub
8. Mai 1945: Wer nicht feiert hat den Krieg verloren.
8 de mayo de 1945: Quien no festeja perdió la Guerra.
May 8, 1945: Who does not celebrate lost the War.

_______________________________________________
Gnupg-users mailing list
[hidden email]
http://lists.gnupg.org/mailman/listinfo/gnupg-users

signature.asc (849 bytes) Download Attachment
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: use policy of the GnuPG-card

Peter Lebbing
On 16/07/17 21:25, Matthias Apitz wrote:
> Why we only have a counter for the signing key?

I don't think a decryption counter makes sense as you'll decrypt the
same data multiple times (a signature is made only once).

An authentication counter would make more sense. However, you can't
collect all authentications you've ever done. You could collect all the
signatures you do and compare the number of results.

HTH,

Peter.

--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>


_______________________________________________
Gnupg-users mailing list
[hidden email]
http://lists.gnupg.org/mailman/listinfo/gnupg-users

signature.asc (499 bytes) Download Attachment
Loading...