[Gnuk-users] Usefulness of encryption of key in GnuK

Mike Tsao mike at sowbug.com
Fri Jan 12 00:58:31 UTC 2018


We're in agreement on the vulnerability of ordinary microcontroller flash.
Exploits like the one that recently hit Trezor
<https://blog.trezor.io/fixing-physical-memory-access-issue-in-trezor-2b9b46bb4522>
are not just inevitable but also arguably not even out of the processor's spec.
To the best of my knowledge, GnuK doesn't run on hardware that advertises
itself as tamper-resistant (TPM, secure element, ARM core supporting
TrustZone, etc.). So it's a questionable premise that it should be
architected as if it were. And you already know I believe that it's
impossible to *conveniently* secure data against offline attack on a
non-tamper-resistant device.

But even though I take that position, I still believe GnuK needs to exist.
More open-source options for OpenPGP smart cards are a good thing,
especially if they enable a manufacturer to cost-effectively port a library
to tamper-resistant hardware and sell an open-source smart-card solution.

As a newbie to this project, I found the encryption of the key by PIN
surprising. And I found it out the hard way, because I ran into the same
issue that Peter Lebbing did. To a certain group of users who think they
understand how these little key fobs work, it's counterintuitive. A clearer
statement of GnuK's threat model would ultimately lead to less surprising
behavior like this. Either the team explicitly pursues the goal of usably
securing data on insecure hardware (in which case potential users who
question that goal can take their business elsewhere), or it builds a
simpler solution that assumes perfectly secure hardware (in which case
users understand the limitations if their hardware is not considered
secure).

On Thu, Jan 11, 2018 at 1:11 PM Peter Lebbing <peter at digitalbrains.com>
wrote:

> On 11/01/18 21:26, Mike Tsao wrote:
> > That's why tamper resistance is such a critical assumption -- otherwise
> > you can't use a short PIN.
>
> Note that the flash on several models of microcontrollers has been
> successfully read despite protections. Bunnie wiped the protection
> bits[1], although on a PIC18F he could have saved himself the trouble as
> it has a design error that allows you to read out flash from all but one
> of the pages :-).
>
> I don't know of such a hack for the GnuK microcontroller, but do keep in
> mind that the fact that the datasheet says "the memory can't be read"
> and you haven't heard of anyone doing it anyway does not mean it is
> guaranteed to be safe :-).
>
> > If you still need a good passphrase, then there is no usability benefit
> > over pure desktop GnuPG -- in either case the experience is "start GPG
> > operation, enter long passphrase into pinentry dialog on desktop,
> > complete GPG operation."
>
> I don't see an OpenPGP card implementation as a usability benefit over
> an on-disk key at all! I think they're usually a hassle. I see it as a
> /potential/ security benefit.
>
> If you're a remote attacker, good luck extracting the private key
> through the USB interface. Maybe there is an attack that can achieve it,
> but it's definitely more difficult than "cp -R
> ~/.gnupg/private-keys-v1.d/ somewhere"! Oh, okay, you still need to log
> keystrokes or something :-). Tip for the attacker: change gpg-agent.conf
> to point to your special pinentry helper.
>
> With an OpenPGP card, you can use my key material all you want if you
> remotely hacked my computer, but you probably can't create a copy of it.
> Once I pull the card, and even better, fix the compromised computer,
> you've lost access.
>
> If you're a physically present attacker, you need to target a device I
> always have on me, clipped to my pants, rather than a laptop that leaves
> my sight.
>
> But that's pretty much the only bonus (but it's a good one). Worthwhile
> protection against physically present attackers is horrible, though.
> Start enumerating attacks and countering them, and pretty soon you're
> renting a bunker with 24/7 human security guards. Fun if you can afford
> it, though. Yeah, I know, I'm being handwavy about the threat model.
>
> Cheers,
>
> Peter.
>
> [1] http://www.bunniestudios.com/blog/?page_id=40
>
> --
> I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
> You can send me encrypted mail if you want some privacy.
> My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>
>
>
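The following is an added example, not code from the original post or from the GnuK project, that models the offline attack the thread is discussing: an attacker who has dumped the microcontroller's flash holds a copy of the private key encrypted under a key derived from the PIN, and can try every PIN without any retry counter getting in the way. The KDF parameters, the toy SHA-256 counter-mode "cipher", the fixed salt and the PIN values are all assumptions chosen for illustration; they say nothing about how GnuK actually stores keys.

```python
# Added example (not GnuK's scheme): offline brute force of a PIN-wrapped key.
# Everything here (KDF, toy cipher, salt, PIN) is a constructed stand-in.
import hashlib
import hmac
import itertools
import os

KDF_ITERATIONS = 1000        # deliberately low so the demo finishes quickly
SALT = b"constructed-salt"   # assumed to be stored next to the wrapped key


def derive_key(secret: bytes, salt: bytes = SALT, iterations: int = KDF_ITERATIONS) -> bytes:
    """Derive a 32-byte wrapping key from a PIN or passphrase (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", secret, salt, iterations, dklen=32)


def keystream(key: bytes, length: int) -> bytes:
    """Toy counter-mode keystream built from SHA-256; stands in for a real cipher."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def wrap(private_key: bytes, secret: bytes) -> bytes:
    """Encrypt private_key under derive_key(secret) and append an HMAC tag.

    The tag is what lets the device reject a wrong PIN; it is also exactly
    what lets an attacker with a flash dump recognise a correct guess."""
    k = derive_key(secret)
    ct = bytes(a ^ b for a, b in zip(private_key, keystream(k, len(private_key))))
    tag = hmac.new(k, ct, "sha256").digest()
    return ct + tag


def unwrap(blob: bytes, secret: bytes):
    """Return the private key if secret is correct, otherwise None."""
    ct, tag = blob[:-32], blob[-32:]
    k = derive_key(secret)
    if not hmac.compare_digest(hmac.new(k, ct, "sha256").digest(), tag):
        return None
    return bytes(a ^ b for a, b in zip(ct, keystream(k, len(ct))))


def brute_force_pin(blob: bytes, digits: int = 6):
    """Offline attack on a dumped blob: try every numeric PIN of the given length.

    No retry counter applies because the attacker works on a copy of the flash.
    Returns (pin, private_key, attempts) or None if no PIN matched."""
    for attempt, digits_tuple in enumerate(itertools.product("0123456789", repeat=digits), 1):
        pin = "".join(digits_tuple).encode()
        key = unwrap(blob, pin)
        if key is not None:
            return pin.decode(), key, attempt
    return None


def search_space(alphabet_size: int, length: int) -> int:
    """Number of candidates an offline attacker must enumerate in the worst case."""
    return alphabet_size ** length


def demo():
    private_key = os.urandom(32)            # constructed stand-in for the card key
    blob = wrap(private_key, b"001337")     # low PIN so the demo finishes in seconds
    pin, recovered, attempts = brute_force_pin(blob)
    print(f"recovered PIN {pin} after {attempts} guesses, key matches: {recovered == private_key}")
    # Compare the worst-case search spaces (Diceware word list: 7776 words).
    print("6-digit PIN   :", search_space(10, 6))
    print("6 Diceware words:", search_space(7776, 6))
    return pin, recovered == private_key, attempts


if __name__ == "__main__":
    demo()
```

The point the script makes is the one Peter raises: the retry counter that makes a short PIN acceptable lives on the device, so once flash can be read the only remaining protection is the size of the PIN space times the KDF cost, and a 10^6 space cannot be stretched into a meaningful work factor. A passphrase with a search space like the Diceware figure above can, but then, as Mike notes, the usability benefit over an on-disk key is gone.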