| 1 |
On Thu, Apr 25, 2019 at 7:58 AM Marek Szuba <marecki@g.o> wrote: |
| 2 |
|
| 3 |
> On 2019-04-24 20:34, Rich Freeman wrote: |
| 4 |
> |
| 5 |
> > The only reason to have a separate primary key is to have an offline |
| 6 |
> > copy, |
| 7 |
> |
| 8 |
> Not quite. First and foremost, you don not want to have an offline copy |
| 9 |
> of the primary private key - you want to have the primary ENTIRELY |
| 10 |
> offline. Secondly, the reason for that is not (just) to have a backup |
| 11 |
> but that the primary private key gives you virtually unlimited control. |
| 12 |
> Create pretty much any number of additional subkeys? Check. Assign |
| 13 |
> additional user IDs? Check. Change expiration dates? Check. And so on... |
| 14 |
> In short, having the primary private key compromised means A LOT of |
| 15 |
> trouble - and not just for the key owner either, the primary is also |
| 16 |
> used to sign other people's public keys so it could mess up other users' |
| 17 |
> trust databases. |
| 18 |
> |
| 19 |
> > So, maintaining this requirement with a Nitrokey means that we in |
| 20 |
> > reality have the primary key online most of the time, |
| 21 |
> |
| 22 |
> Seeing as separating the primary and the signing key has been part of |
| 23 |
> OpenPGP best practices for a long, long time, I have got highly mixed |
| 24 |
> feelings about this statement. On the one hand, it is not reasonable to |
| 25 |
> expect someone with no or minimal prior knowledge of OpenPGP to master |
| 26 |
> it overnight. On the other, we are not just some random people from Teh |
| 27 |
> Intarwebz and we *have* been using OpenPGP signatures on commits for |
| 28 |
> quite a while now. |
| 29 |
> |
| 30 |
|
| 31 |
This is untrue though; we *are* random people from teh interwebs. |
| 32 |
|
| 33 |
I store my primary key on my desktop. |
| 34 |
I don't have copies of my primary key. |
| 35 |
My primary key is protected by a passphrase. |
| 36 |
Most of the time its cached in gpg-agent, so the passphrase is easily |
| 37 |
stealable by local attackers. |
| 38 |
I've been a dev for like > 10 years. |
| 39 |
|
| 40 |
I assume that every other dev does the same. Obviously some do not (and |
| 41 |
I've spoken to many who have better practices) but I assume |
| 42 |
people do the lazy / easy thing and I highly recommend this assumption. If |
| 43 |
you assume that people have your security practices, you should prepare to |
| 44 |
be disappointed. |
| 45 |
|
| 46 |
Many devs have *no idea* how GPG works. |
| 47 |
GPG is quite possibly the worst program I've even been forced to use in |
| 48 |
terms of doing any operation, particularly around setup (hmm maybe Imation |
| 49 |
Ironkeys were worse?) |
| 50 |
Many devs are just following the wiki instructions and get what they get. |
| 51 |
|
| 52 |
-A |
| 53 |
|
| 54 |
|
| 55 |
> > when if it were the same as the signing key then both would be |
| 56 |
> > offline in the Nitrokey. |
| 57 |
> |
| 58 |
> Using a hardware security device is not the same as making the key |
| 59 |
> offline - especially given that the Gentoo NitroKey workflow as |
| 60 |
> currently posted on the Wiki suggests disabling forcesig, which could |
| 61 |
> effectively leave the signing private key unlocked for extended periods |
| 62 |
> of time. |
| 63 |
> |
| 64 |
> > Also, by generating the key outside the Nitrokey it is exposed to a |
| 65 |
> > far higher risk of compromise. |
| 66 |
> |
| 67 |
> As Kristian has already mentioned, in principle one could keep the |
| 68 |
> primary private key on a separate token. |
| 69 |
> |
| 70 |
> > In any case, I think it is far more likely that somebody generating |
| 71 |
> > keys using software has a rooted box than somebody is going to come |
| 72 |
> > up with a way to extract keys from a Nitrokey. |
| 73 |
> |
| 74 |
> You do not have to extract keys from a smartcard in order to be able to |
| 75 |
> use keys physically present on it. All you have to do observe the |
| 76 |
> smartcard user's PIN - either physically or using said rooted box - then |
| 77 |
> nick the smartcard off them, ehich given that we are talking about keys |
| 78 |
> that are supposed to be used on a regular basis might be very simple. |
| 79 |
> Hell, if said smartcard contains the primary key you might even return |
| 80 |
> it to them once you're done compromising them (e.g. by generating your |
| 81 |
> own set of subkeys) and chances are pretty good that as long as |
| 82 |
> everything keeps on working fine for them, it will take a quite a while |
| 83 |
> before anyone notices. |
| 84 |
> |
| 85 |
> Conversely, even a software-generated primary key stored on a |
| 86 |
> software-encrypted USB stick might be more secure simply because with it |
| 87 |
> being only occasionally required, it can be stored somewhere hard to |
| 88 |
> access. You don't even need a vault (which, incidentally, is something I |
| 89 |
> have found people trying to make fun of crypto nerds mention a lot) |
| 90 |
> either - my personal experience has taught me that giving to a trusted |
| 91 |
> family member or friend who doesn't live with you is not a bad solution |
| 92 |
> either. |
| 93 |
> |
| 94 |
> > Really the only thing we're missing with the Nitrokey is some form of |
| 95 |
> > attestation to ensure the keys are in fact generated on the device. |
| 96 |
> |
| 97 |
> That would indeed be nice to have, unfortunately I do not think the |
| 98 |
> current hardware supports this. I know recent YubiKeys do but only in |
| 99 |
> PIV mode (i.e. for X.509). |
| 100 |
> |
| 101 |
> On the other hand, vulnerabilities such as ROCA show clearly that |
| 102 |
> generating the private key on a smartcard does NOT necessarily make it |
| 103 |
> more secure than generating it in software, importing it into the |
| 104 |
> smartcard and wiping the original. |
| 105 |
> |
| 106 |
> -- |
| 107 |
> MS |
| 108 |
> |
| 109 |
> |
Archives