Hello Michael, hello *,

> Hey,
>
> thanks for this, but I think it is best if you send this to the dev list. On
> here are only like five people :)

here you go... :-)

Sorry for the delay.

Thanks, and best regards,
Peter Müller

> -Michael
>
> On Thu, 2018-11-15 at 18:32 +0100, Peter Müller wrote:
>> Hello,
>>
>> after bringing this up in telephone conferences for several times now,
>> Michael asked me to write a brief summary concerning Smartcard hardware
>> recommendations.
>>
>> Here you go...
>>
>> (a) GnuPG compatible card
>> In our environment, smartcards will be used in combination with GnuPG
>> so they need to be compatible with this software. The private key stored
>> on the card is basically a GPG key, with some additional subkeys for
>> encryption, signing and authenticating.
>>
>> Such cards support RSA up to 4096 bits (newer ones already make use
>> of ECC crypto, but depending on how much you trust NIST/Brainpool curves,
>> RSA might be a more satisfying choice here) and are available, for example,
>> here:
>> https://www.floss-shop.de/de/security-privacy/smartcards/13/openpgp-smart-card-v3.3?c=5
>>
>> They are available with or without a SIM card size cutout and cost
>> about 18,- EUR.
>>
>> (b) Choose the right card format
>> Needless to say, a smartcard reader is required to use such a device.
>> These readers come in three different versions: Similar to an ordinary
>> USB stick, as a card reader or as a card reader with dedicated numerical
>> keypad.
>>
>> Readers in USB stick style are easier to use, since there is no
>> need to look for a reader if sitting in front of a new computer. Since
>> they can only hold a cutout version of the smartcard, you need to order
>> this one here.
>>
>> Card readers are nothing special: A smartcard is just inserted and
>> then connected via USB to the computer. They might be more useful if
>> storing the smartcard in your briefcase between all other plastic
>> cards is desired.
>>
>> Smartcards are secured with a PIN (which may also contain non-numerical
>> characters, so it actually is a password) and for both reader devices
>> discussed so far, the PIN will be entered normally via the keyboard.
>> In case a system is infected, an attacker might gain access to the PIN.
>> He only needs to steal the card from its victim in order to use it.
>>
>> Because of this, I prefer card readers with a dedicated keypad. In
>> case the GnuPG version installed recognises such a reader, it forwards
>> the PIN entry dialogue to the reader itself, so the PIN will never reach
>> the computer.
>>
>> (For some hardware, an up-to-date GnuPG version is required for this.
>> Otherwise, such a reader might be used as a normal one, making the PIN
>> visible to the operating system.)
>>
>> Of course, an attacker might bug the reader, but this is certainly more
>> expensive than just installing a (software) keylogger on the victim's machine.
>>
>> Normal card readers (USB stick style or with a card slot) cost around
>> 20,- EUR, readers with dedicated keypad usually 50,- to 60,- EUR.
>>
>> (c) What about (NitroKey|YubiKey|*)?
>> Besides smartcards, there are other cryptography devices available.
>> Popular ones include NitroKey and YubiKey. While some of them use
>> other mechanisms for authentication (such as one time passwords), some
>> provide smartcard functionality with additional features.
>>
>> As there seems to be no way to enter needed passwords/PINs to them
>> but by using a normal keyboard, I prefer plain smartcards in combination
>> with a dedicated keypad reader.
>>
>> Talking about the NitroKey, there are two similar (?) models available:
>> NitroKey Start and Pro 2. The latter one has a "tamper-resistant smartcard",
>> while the first does not. It never became clear to me how big the security
>> impact of this divergence is.
>>
>> Just my personal opinion... :-)
>>
>> (d) Avoid proprietary stuff!
>> Talking about cryptography, closed software (and hardware) seems to
>> cause more trouble than it solves. Thereof, I think it's best to stay
>> away from these - if possible. Open hardware is rare, usually expensive,
>> and difficult to obtain.
>>
>> In case further details about software implementation, key setup, etc.
>> is used, please drop me a line. Same thing goes if there are any questions.
>>
>> The idea behind this was to use smartcards for all people having SSH
>> access to any *.ipfire.org server, as private keyfiles are vulnerable
>> to brute force attacks. Of course, disabling password authentication
>> is needed first in my point of view.
>>
>> Thank you, and best regards,
>> Peter Müller
>> _______________________________________________
>> Infrastructure mailing list
>> Infrastructure(a)lists.ipfire.org
>> https://lists.ipfire.org/mailman/listinfo/infrastructure

-- 
Microsoft DNS service terminates abnormally when it receives a response to a DNS query that was never made.
Fix Information: Run your DNS service on a different platform. -- bugtraq
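The closing point of the quoted mail, that password authentication has to be off before card-held SSH keys buy anything, can be checked against a server's sshd_config, and the check has a trap: sshd takes the first value it finds for a keyword, so a "PasswordAuthentication no" appended below an earlier "yes" changes nothing. The script below is an added example, not code from the thread or from the IPFire project; it assumes the usual whitespace-separated keyword/argument layout and only evaluates the global section before any Match block.

```shell
#!/bin/sh
# Added example (not from the thread): does this sshd_config really disable
# password authentication? sshd uses the FIRST value found for a keyword in
# the global section; directives inside Match blocks apply only to matching
# connections and are ignored here. Assumes "Keyword value" lines (no '=').

# effective_value FILE KEYWORD -> prints the global value sshd would use, "" if unset
effective_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        tolower($1) == "match" { exit }        # global section ends here
        $1 == "" || $1 ~ /^#/   { next }        # blank line or comment
        tolower($1) == key      { print $2; exit }   # first value wins
    ' "$1"
}

# password_auth_disabled FILE -> exit status 0 only if the global value is "no"
password_auth_disabled() {
    [ "$(effective_value "$1" PasswordAuthentication | tr 'A-Z' 'a-z')" = "no" ]
}

# Constructed sample configs for the demonstration (not real server files).
GOOD_CFG=$(mktemp); BAD_CFG=$(mktemp)
cat >"$GOOD_CFG" <<'EOF'
# key-based logins only, e.g. the authentication subkey on an OpenPGP card
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
Match User deploy
    AllowTcpForwarding no
EOF
cat >"$BAD_CFG" <<'EOF'
PasswordAuthentication yes
# appended later in the belief that it overrides the line above: it does not
PasswordAuthentication no
EOF

for cfg in "$GOOD_CFG" "$BAD_CFG"; do
    if password_auth_disabled "$cfg"; then
        echo "$cfg: password authentication is off"
    else
        echo "$cfg: password authentication is STILL ON (first value wins)"
    fi
done
```

On a live host, `sshd -T` prints the configuration sshd actually applies and is the authoritative check; the script only makes the first-value-wins rule visible on a file.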