* Re: [Infrastructure] Smartcard hardware recommendations
@ 2018-11-25 19:57 ` Peter Müller
From: Peter Müller @ 2018-11-25 19:57 UTC (permalink / raw)
To: development
Hello Michael, hello *,
> Hey,
>
> thanks for this, but I think it is best if you send this to the dev list. On
> here are only like five people :)
here you go... :-)
Sorry for the delay.
Thanks, and best regards,
Peter Müller
>
> -Michael
>
> On Thu, 2018-11-15 at 18:32 +0100, Peter Müller wrote:
>> Hello,
>
>> after bringing this up in telephone conferences for several times now,
>> Michael asked me to write a brief summary concerning Smartcard hardware
>> recommendations.
>
>> Here you go...
>
>> (a) GnuPG compatible card
>> In our environment, smartcards will be used in combination with GnuPG
>> so they need to be compatible with this software. The private key stored
>> on the card is basically a GPG key, with some additional subkeys for
>> encryption, signing and authenticating.
>
>> Such cards support RSA up to 4096 bits (newer ones already make use
>> of ECC crypto, but depending on how much you trust NIST/Brainpool curves,
>> RSA might be a more satisfying choice here) and are available, for example,
>> here:
>> https://www.floss-shop.de/de/security-privacy/smartcards/13/openpgp-smart-card-v3.3?c=5
>
>> They are available with or without a SIM card size cutout and cost
>> about 18,- EUR.
>
>> (b) Choose the right card format
>> Needless to say, a smartcard reader is required to use such a device.
>> These readers come in three different versions: Similar to an ordinary
>> USB stick, as a card reader or as a card reader with dedicated numerical
>> keypad.
>
>> Readers in USB stick style are easier to use, since there is no
>> need to look for a reader if sitting in front of a new computer. Since
>> they can only hold a cutout version of the smartcard, you need to order
>> this one here.
>
>> Card readers are nothing special: A smartcard is just inserted and
>> then connected via USB to the computer. They might be more useful if
>> storing the smartcard in your briefcase between all other plastic
>> cards is desired.
>
>> Smartcards are secured with a PIN (which may also contain non-numerical
>> characters, so it actually is a password) and for both reader devices
>> discussed so far, the PIN will be entered normally via the keyboard.
>> In case a system is infected, an attacker might gain access to the PIN.
>> He only needs to steal the card from its victim in order to use it.
>
>> Because of this, I prefer card readers with a dedicated keypad. In
>> case the GnuPG version installed recognises such a reader, it forwards
>> the PIN entry dialogue to the reader itself, so the PIN will never reach
>> the computer.
>
>> (For some hardware, an up-to-date GnuPG version is required for this.
>> Otherwise, such a reader might be used as a normal one, making the PIN
>> visible to the operating system.)
>
>> Of course, an attacker might bug the reader, but this is certainly more
>> expensive than just installing a (software) keylogger on the victim's machine.
>
>> Normal card readers (USB stick style or with a card slot) cost around
>> 20,- EUR, readers with dedicated keypad usually 50,- to 60,- EUR.
>
>> (c) What about (NitroKey|YubiKey|*)?
>> Besides smartcards, there are other cryptography devices available.
>> Popular ones include NitroKey and YubiKey. While some of them use
>> other mechanisms for authentication (such as one-time passwords), some
>> provide smartcard functionality with additional features.
>
>> As there seems to be no way to enter needed passwords/PINs to them
>> but by using a normal keyboard, I prefer plain smartcards in combination
>> with a dedicated keypad reader.
>
>> Talking about the NitroKey, there are two similar (?) models available:
>> NitroKey Start and Pro 2. The latter one has a "tamper-resistant smartcard",
>> while the first does not. It never became clear to me how big the security
>> impact of this divergence is.
>
>> Just my personal opinion... :-)
>
>> (d) Avoid proprietary stuff!
>> Talking about cryptography, closed software (and hardware) seems to
>> cause more trouble than it solves. Therefore, I think it's best to stay
>> away from these - if possible. Open hardware is rare, usually expensive,
>> and difficult to obtain.
>
>
>> In case further details about software implementation, key setup, etc.
>> are needed, please drop me a line. Same thing goes if there are any questions.
>
>> The idea behind this was to use smartcards for all people having SSH
>> access to any *.ipfire.org server, as private keyfiles are vulnerable
>> to brute force attacks. Of course, disabling password authentication
>> is needed first from my point of view.
>
>> Thank you, and best regards,
>> Peter Müller
>> _______________________________________________
>> Infrastructure mailing list
>> Infrastructure(a)lists.ipfire.org
>> https://lists.ipfire.org/mailman/listinfo/infrastructure
>
--
Microsoft DNS service terminates abnormally when it receives a response
to a DNS query that was never made. Fix Information: Run your DNS
service on a different platform.
-- bugtraq
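The post names switching off password authentication as the prerequisite for moving SSH users to smartcard-held keys. As an added example that is not part of the thread, this shell function checks an sshd_config for exactly that, following sshd's own rules (first value wins, comments ignored, anything after a Match line is conditional); the two sample configs are constructed for the demonstration.

```shell
# Added example, not from the mailing-list thread: does this sshd_config
# disable password authentication globally? sshd keeps the FIRST value it
# finds for a keyword, so a naive "grep PasswordAuthentication" is misleading.
password_auth_disabled() {
    # $1: path to an sshd_config. Returns 0 if the global setting is "no",
    # 1 otherwise (sshd's default when the keyword is absent is "yes").
    awk '
        /^[[:space:]]*#/ || NF == 0 { next }        # skip comments and blank lines
        { gsub(/=/, " ") }                          # accept the Keyword=value form
        tolower($1) == "match" { exit }             # conditional section begins: stop
        tolower($1) == "passwordauthentication" {   # first occurrence decides
            print tolower($2); exit
        }
    ' "$1" | grep -qx "no"
}

# Constructed sample configs (not real server configs).
good=$(mktemp); bad=$(mktemp); trap 'rm -f "$good" "$bad"' EXIT
cat > "$good" <<'EOF'
# PasswordAuthentication yes   <- commented out, must be ignored
PubkeyAuthentication yes
PasswordAuthentication=no
Match User backup
    PasswordAuthentication yes
EOF
cat > "$bad" <<'EOF'
PasswordAuthentication yes
PasswordAuthentication no
EOF

for f in "$good" "$bad"; do
    if password_auth_disabled "$f"; then
        echo "$f: password authentication disabled"
    else
        echo "$f: password authentication still enabled"
    fi
done
```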