[Gnuk-users] GnuK 1.2.1 locked Admin PW

Peter Lebbing peter at digitalbrains.com
Thu Apr 6 10:20:13 UTC 2017 

On 06/04/17 03:07, NIIBE Yutaka wrote:
> I understand your frustration.  I'm sorry for that.

Oh, I don't mind. The source of the frustration is probably largely that
I'm well acquainted with the standard version of the OpenPGP card, and
I'm stumbling on the slight differences that somebody else would never
notice, probably :-).

> The reason I did reluctantly is that it might invite another risk of
> being stolen as a hardware (not as private key).

You really look at things from all angles! I can appreciate that.

> But, I recommend using working tool at first.

Is there a risk of bricking the processor if an SWD interface fails? I'm
not talking about me stupidly shorting wires, but I am talking about
loose contacts or problems with the protocol.

> FYI: what I use (and I ask the manufacturer) is my own tool of BBG-SWD.

Thanks for the hint. I'm considering options, and this is definitely one
of them.

> I guess that original OpenPGP card implementation stores some
> information of user PIN in the card.  But for Gnuk, I try hard not to do
> so, to lower the risk of possible attack reading out the content of
> flash ROM.  Gnuk 1.2 does validation of user PIN by successful
> decryption of private key.

I completely forgot! If I had remembered, my stumbling along would have
been more focused. Silly me.

> I confirmed that GnuPG frontend asks PW1 when generating keys.  I can
> find the comment in g10/card-uti.c:
> 
>       /* Check the PIN now, so that we won't get asked later for each
>          binding signature. */
> 
> It doesn't match Gnuk Token, as Gnuk Token resets PIN at key generation.

Perhaps instead of failing to unblock a PIN without keys, GnuK should
just reset the retry counters anyway, since the concept of a PIN without
keys is meaningless anyway. That way, you could unblock without keys and
the catch-22 would be resolved.

>> Back to my issues. I got there, right? No. Any attempt to do something
>> requiring the user PIN got me "PINs not synched" or similar message. I
>> could not change the PINs. An unblock lead to "PINs not synched". As a
>> final "let's try this then", I changed the Admin PIN without changing
>> it. I typed my old PIN, and then my old PIN twice again.
> 
> I don't understand this paragraph.  Could you please identify PINs by
> PIN-Admin-old, PIN-Admin-new, PIN-user-factory, PIN-user-0, etc.?

Step 1:
- Admin PIN set to PIN-Admin-0
- No keys on card
- PIN-User retry counter at 0 (blocked)
Step 2: keytocard, with encryption key
Step 3:
- Unblock PIN-User using PIN-Admin-0
- Set PIN-User to PIN-User-0
Step 4:
- Notice "PINs not synched" when trying to use PIN-User-0
Step 5a:
- Change PIN-User -> "PINs not synched" (I believe)
Step 5b:
- Unblock PIN-User using PIN-Admin-0
- Set PIN-User to PIN-User-0

I'm not sure about the order of step 5a/5b, it could have been 5b/5a.
Also, they were tried multiple times with the same failing results.

Step 6:
- Change PIN-Admin (keeping it the same)
- "Enter Admin PIN": PIN-Admin-0
- "Enter new PIN": PIN-Admin-0
- "Repeat new PIN": PIN-Admin-0

Step 7:
- Catastrophe. PIN-Admin-0 no longer accepted. Retry counter quickly
drops to 0, device locks.

Note that I did not fall in the trap that was discussed only recently on
GnuPG-Users, where somebody thought the default Admin PIN was 123456789
but this ended up with his new Admin PIN starting with an unexpected
9.[1] During, for example, keytocard, it was clear that Admin-PIN-0 was
what I expected it to be!

> I think that you can decrypt by the user PIN of factory setting
> "123456".

That doesn't seem to be the case...

------------------8<-------->8------------------
$ echo hoi | gpg2 -r 1BD86BE83C3F84D5 -e | gpg2 -d
[...]
gpg: public key decryption failed: Bad PIN
gpg: decryption failed: No secret key
------------------8<-------->8------------------

Thanks,

Peter.

[1] I'm storing this mistake in the OpenPGP Card specification in my
mind as a nice trap to avoid while designing a protocol. "The card knows
the length of the PIN", that's cute, but the user does not, so it does
you no good! It's a good learning experience.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: OpenPGP digital signature
URL: <http://lists.alioth.debian.org/pipermail/gnuk-users/attachments/20170406/856dcc09/attachment.sig>

More information about the gnuk-users mailing list