From: Peter Müller
To: development@lists.ipfire.org
Subject: Re: [Infrastructure] Smartcard hardware recommendations
Date: Sun, 25 Nov 2018 20:57:58 +0100
Message-ID: <8864fe42-9a0b-5916-8fcd-dbb20dd3629a@link38.eu>
In-Reply-To: <6ab2e92d7582feaac21df0557d4e20a2357933de.camel@ipfire.org>

Hello Michael, hello *,

> Hey,
>
> thanks for this, but I think it is best if you send this to the dev list. On
> here are only like five people :)

here you go... :-) Sorry for the delay.

Thanks, and best regards,
Peter Müller

>
> -Michael
>
> On Thu, 2018-11-15 at 18:32 +0100, Peter Müller wrote:
>> Hello,
>
>> after bringing this up in telephone conferences several times now,
>> Michael asked me to write a brief summary concerning smartcard hardware
>> recommendations.
>
>> Here you go...
>
>> (a) GnuPG compatible card
>> In our environment, smartcards will be used in combination with GnuPG,
>> so they need to be compatible with this software. The private key stored
>> on the card is basically a GPG key, with some additional subkeys for
>> encryption, signing and authenticating.
>
>> Such cards support RSA up to 4096 bits (newer ones already make use
>> of ECC crypto, but depending on how much you trust NIST/Brainpool curves,
>> RSA might be a more satisfying choice here) and are available, for example,
>> here:
>> https://www.floss-shop.de/de/security-privacy/smartcards/13/openpgp-smart-card-v3.3?c=5
>
>> They are available with or without a SIM card size cutout and cost
>> about 18,- EUR.
>
>> (b) Choose the right card format
>> Needless to say, a smartcard reader is required to use such a device.
>> These readers come in three different versions: similar to an ordinary
>> USB stick, as a card reader, or as a card reader with a dedicated numerical
>> keypad.
>
>> Readers in USB stick style are easier to use, since there is no
>> need to look for a reader if sitting in front of a new computer. Since
>> they can only hold a cutout version of the smartcard, you need to order
>> this one here.
>
>> Card readers are nothing special: A smartcard is just inserted and
>> then connected via USB to the computer. They might be more useful if
>> storing the smartcard in your briefcase between all other plastic
>> cards is desired.
>
>> Smartcards are secured with a PIN (which may also contain non-numerical
>> characters, so it actually is a password) and for both reader devices
>> discussed so far, the PIN will normally be entered via the keyboard.
>> In case a system is infected, an attacker might gain access to the PIN.
>> He only needs to steal the card from its victim in order to use it.
>
>> Because of this, I prefer card readers with a dedicated keypad. In
>> case the GnuPG version installed recognises such a reader, it forwards
>> the PIN entry dialogue to the reader itself, so the PIN will never reach
>> the computer.
>
>> (For some hardware, an up-to-date GnuPG version is required for this.
>> Otherwise, such a reader might be used as a normal one, making the PIN
>> visible to the operating system.)
>
>> Of course, an attacker might bug the reader, but this is certainly more
>> expensive than just installing a (software) keylogger on the victim's machine.
>
>> Normal card readers (USB stick style or with a card slot) cost around
>> 20,- EUR, readers with a dedicated keypad usually 50,- to 60,- EUR.
>
>> (c) What about (NitroKey|YubiKey|*)?
>> Besides smartcards, there are other cryptography devices available.
>> Popular ones include NitroKey and YubiKey. While some of them use
>> other mechanisms for authentication (such as one time passwords), some
>> provide smartcard functionality with additional features.
>
>> As there seems to be no way to enter the needed passwords/PINs into them
>> other than by using a normal keyboard, I prefer plain smartcards in combination
>> with a dedicated keypad reader.
>
>> Talking about the NitroKey, there are two similar (?) models available:
>> NitroKey Start and Pro 2. The latter one has a "tamper-resistant smartcard",
>> while the first does not. It never became clear to me how big the security
>> impact of this divergence is.
>
>> Just my personal opinion... :-)
>
>> (d) Avoid proprietary stuff!
>> Talking about cryptography, closed software (and hardware) seems to
>> cause more trouble than it solves. Therefore, I think it's best to stay
>> away from these - if possible. Open hardware is rare, usually expensive,
>> and difficult to obtain.
>
>
>> In case further details about software implementation, key setup, etc.
>> are of use, please drop me a line. Same thing goes if there are any questions.
>
>> The idea behind this was to use smartcards for all people having SSH
>> access to any *.ipfire.org server, as private keyfiles are vulnerable
>> to brute force attacks. Of course, disabling password authentication
>> is needed first in my point of view.
>
>> Thank you, and best regards,
>> Peter Müller
>> _______________________________________________
>> Infrastructure mailing list
>> Infrastructure(a)lists.ipfire.org
>> https://lists.ipfire.org/mailman/listinfo/infrastructure
>

--
Microsoft DNS service terminates abnormally when it receives a response to
a DNS query that was never made.
Fix Information: Run your DNS service on a different platform.
-- bugtraq
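The last point of the quoted summary, switching the *.ipfire.org servers to key-only SSH before the smartcard keys go live, in working form. This is an added example and not part of the original mail or of the ipfire.org infrastructure: two constructed sshd_config samples (a permissive default-style one next to the hardened one) and a small POSIX sh checker that reads a config and reports whether password-style logins are off. The checker follows sshd's own rules (first occurrence of a keyword wins, ChallengeResponseAuthentication and KbdInteractiveAuthentication are aliases, an absent keyword means the compiled-in default of "yes"). The function names and the config contents are my assumptions.

```shell
#!/bin/sh
# Added example (not from the original mail): key-only SSH as a precondition
# for the smartcard rollout, plus a checker for it.

# Constructed sample: a permissive sshd_config as it often ships. The
# commented-out line has no effect, so password logins stay enabled.
weak_sshd_config() {
cat <<'EOF'
Port 22
#PasswordAuthentication no
PubkeyAuthentication yes
PasswordAuthentication yes
ChallengeResponseAuthentication yes
PermitRootLogin yes
EOF
}

# Constructed sample: only public-key authentication is accepted, so the
# authentication subkey on the card (served via gpg-agent) is the sole way in.
hardened_sshd_config() {
cat <<'EOF'
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
KbdInteractiveAuthentication no
PermitRootLogin prohibit-password
AuthenticationMethods publickey
EOF
}

# first_value KEYWORD[|ALIAS...]
# Reads a config on stdin and prints the (lower-cased) value of the first
# matching keyword, or nothing if it is absent. Keyword matching is
# case-insensitive, comment and blank lines are skipped, and the first
# occurrence wins, which is how sshd resolves repeated keywords. Match
# blocks are not interpreted; feed it `sshd -T` output for effective values.
first_value() {
    awk -v keys="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        BEGIN { n = split(keys, k, "|"); for (i = 1; i <= n; i++) want[k[i]] = 1 }
        /^[ \t]*#/ || NF < 2 { next }
        { if (tolower($1) in want) { print tolower($2); exit } }
    '
}

# password_logins_disabled
# Reads a config on stdin; returns 0 when both password authentication and
# keyboard-interactive (challenge-response) authentication are off, 1 otherwise.
password_logins_disabled() {
    _conf=$(cat)
    _pw=$(printf '%s\n' "$_conf" | first_value PasswordAuthentication)
    _kbd=$(printf '%s\n' "$_conf" | \
        first_value 'ChallengeResponseAuthentication|KbdInteractiveAuthentication')
    # An absent keyword falls back to sshd's default, which is "yes" for both.
    [ "${_pw:-yes}" = no ] && [ "${_kbd:-yes}" = no ]
}

# Demo run over the two constructed samples.
for _sample in weak_sshd_config hardened_sshd_config; do
    if $_sample | password_logins_disabled; then
        echo "$_sample: password logins disabled"
    else
        echo "$_sample: password logins still possible"
    fi
done
```

On a real host, `sshd -T | password_logins_disabled` checks the effective configuration rather than the raw file (`sshd -T` needs root). The SSH side of the card is the authentication subkey mentioned under (a): with `enable-ssh-support` in gpg-agent.conf, gpg-agent serves that subkey through the SSH agent socket, and `gpg --export-ssh-key KEYID` prints the matching authorized_keys line to install on the servers.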