| 1 |
On 2019-04-24 20:34, Rich Freeman wrote: |
| 2 |
|
| 3 |
> The only reason to have a separate primary key is to have an offline |
| 4 |
> copy, |
| 5 |
|
| 6 |
Not quite. First and foremost, you don not want to have an offline copy |
| 7 |
of the primary private key - you want to have the primary ENTIRELY |
| 8 |
offline. Secondly, the reason for that is not (just) to have a backup |
| 9 |
but that the primary private key gives you virtually unlimited control. |
| 10 |
Create pretty much any number of additional subkeys? Check. Assign |
| 11 |
additional user IDs? Check. Change expiration dates? Check. And so on... |
| 12 |
In short, having the primary private key compromised means A LOT of |
| 13 |
trouble - and not just for the key owner either, the primary is also |
| 14 |
used to sign other people's public keys so it could mess up other users' |
| 15 |
trust databases. |
| 16 |
|
| 17 |
> So, maintaining this requirement with a Nitrokey means that we in |
| 18 |
> reality have the primary key online most of the time, |
| 19 |
|
| 20 |
Seeing as separating the primary and the signing key has been part of |
| 21 |
OpenPGP best practices for a long, long time, I have got highly mixed |
| 22 |
feelings about this statement. On the one hand, it is not reasonable to |
| 23 |
expect someone with no or minimal prior knowledge of OpenPGP to master |
| 24 |
it overnight. On the other, we are not just some random people from Teh |
| 25 |
Intarwebz and we *have* been using OpenPGP signatures on commits for |
| 26 |
quite a while now. |
| 27 |
|
| 28 |
> when if it were the same as the signing key then both would be |
| 29 |
> offline in the Nitrokey. |
| 30 |
|
| 31 |
Using a hardware security device is not the same as making the key |
| 32 |
offline - especially given that the Gentoo NitroKey workflow as |
| 33 |
currently posted on the Wiki suggests disabling forcesig, which could |
| 34 |
effectively leave the signing private key unlocked for extended periods |
| 35 |
of time. |
| 36 |
|
| 37 |
> Also, by generating the key outside the Nitrokey it is exposed to a |
| 38 |
> far higher risk of compromise. |
| 39 |
|
| 40 |
As Kristian has already mentioned, in principle one could keep the |
| 41 |
primary private key on a separate token. |
| 42 |
|
| 43 |
> In any case, I think it is far more likely that somebody generating |
| 44 |
> keys using software has a rooted box than somebody is going to come |
| 45 |
> up with a way to extract keys from a Nitrokey. |
| 46 |
|
| 47 |
You do not have to extract keys from a smartcard in order to be able to |
| 48 |
use keys physically present on it. All you have to do observe the |
| 49 |
smartcard user's PIN - either physically or using said rooted box - then |
| 50 |
nick the smartcard off them, ehich given that we are talking about keys |
| 51 |
that are supposed to be used on a regular basis might be very simple. |
| 52 |
Hell, if said smartcard contains the primary key you might even return |
| 53 |
it to them once you're done compromising them (e.g. by generating your |
| 54 |
own set of subkeys) and chances are pretty good that as long as |
| 55 |
everything keeps on working fine for them, it will take a quite a while |
| 56 |
before anyone notices. |
| 57 |
|
| 58 |
Conversely, even a software-generated primary key stored on a |
| 59 |
software-encrypted USB stick might be more secure simply because with it |
| 60 |
being only occasionally required, it can be stored somewhere hard to |
| 61 |
access. You don't even need a vault (which, incidentally, is something I |
| 62 |
have found people trying to make fun of crypto nerds mention a lot) |
| 63 |
either - my personal experience has taught me that giving to a trusted |
| 64 |
family member or friend who doesn't live with you is not a bad solution |
| 65 |
either. |
| 66 |
|
| 67 |
> Really the only thing we're missing with the Nitrokey is some form of |
| 68 |
> attestation to ensure the keys are in fact generated on the device. |
| 69 |
|
| 70 |
That would indeed be nice to have, unfortunately I do not think the |
| 71 |
current hardware supports this. I know recent YubiKeys do but only in |
| 72 |
PIV mode (i.e. for X.509). |
| 73 |
|
| 74 |
On the other hand, vulnerabilities such as ROCA show clearly that |
| 75 |
generating the private key on a smartcard does NOT necessarily make it |
| 76 |
more secure than generating it in software, importing it into the |
| 77 |
smartcard and wiping the original. |
| 78 |
|
| 79 |
-- |
| 80 |
MS |
Archives