Hello Michael, hello *,
Hey,
thanks for this, but I think it is best if you send this to the dev list. On here are only like five people :)
here you go... :-)
Sorry for the delay.
Thanks, and best regards, Peter Müller
-Michael
On Thu, 2018-11-15 at 18:32 +0100, Peter Müller wrote:
Hello,
after bringing this up in telephone conferences for several times now, Michael asked me to write a brief summary concerning Smartcard hardware recommendations.
Here you go...
(a) GnuPG compatible card In our environment, smartcards will be used in combination with GnuPG so they need to be compatible to this software. The private key stored on the card is basically a GPG key, with some additional subkeys for encryption, signing and authenticating.
Such cards support RSA up to 4096 bits (newer ones already make use of ECC crypto, but depending on how much you trust NIST/Brainpool curves, RSA might be a more satisfying choice here) and are available, for example, here: https://www.floss-shop.de/de/security-privacy/smartcards/13/openpgp-smart-ca...
They are available with or without a SIM card size cutout and cost about 18,- EUR.
(b) Choose the right card format Needless to say, a smartcard reader is required to use such a device. These readers come in three different versions: Similar to an ordinary USB stick, as a card reader or as a card reader with dedicated numerical keypad.
Readers in USB stick style are more easy to use, since there is no need to look for a reader if sitting in front of a new computer. Since they can only hold a cutout version of the smartcard, you need to order this one here.
Card readers are nothing special: A smartcard is just inserted and then connected via USB to the computer. They might be more useful if storing the smartcard in your briefcase between all other plastic cards is desired.
Smartcards are secured with a PIN (which may also contain non-numerical characters, so it actually is a password) and for both reader devices discussed so far, the PIN will be entered normally via the keyboard. In case a system is infected, an attacker might gain access to the PIN. He only needs to steal the card from its victim in order to use it.
Because of this, I prefer card readers with a dedicated keypad. In case the GnuPG version installed recognises such a reader, it forwards the PIN entry dialogue to the reader itself, so the PIN will never reach the computer.
(For some hardware, an up-to-date GnuPG version is required for this. Otherwise, such a reader might be used as a normal one, making the PIN visible to the operating system.)
Of course, an attacker might bug the reader, but this is certainly more expensive than just installing a (software) keylogger on the victims machine.
Normal card readers (USB stick style or with a card slot) cost around 20,- EUR, readers with dedicated keypad usually 50,- to 60,- EUR.
(c) What about (NitroKey|YubiKey|*)? Besides smartcards, there are other cryptography devices available. Popular ones include NitroKey and YubiKey. While some of them use other mechanism for authentication (such as one time passwords), some provide smartcard functionality with additional features.
As there seems to be no way to enter needed passwords/PINs to them but by using a normal keyboard, I prefer plain smartcards in combination with a dedicated keypad reader.
Talking about the NitroKey, there are two similar (?) models available: NitroKey Start and Pro 2. The latter one has a "tamper-resistant smartcard", while the first does not. It never became clear to me how big the security impact of this divergence is.
Just my personal opinion... :-)
(d) Avoid proprietary stuff! Talking about cryptography, closed software (and hardware) seem to cause more trouble than it solves. Thereof, I think it's best to stay away from these - if possible. Open hardware is rare, usually expensive, and difficult to obtain.
In case further details about software implementation, key setup, etc. is used, please drop me a line. Same thing goes if there are any questions.
The idea behind this was to use smartcards for all people having SSH access to any *.ipfire.org server, as private keyfiles are vulnerable to brute force attacks. Of course, disabling password authentication is needed first in my point of view.
Thank you, and best regards, Peter Müller _______________________________________________ Infrastructure mailing list Infrastructure@lists.ipfire.org https://lists.ipfire.org/mailman/listinfo/infrastructure