[Crypto-chi] Hardware tokens

Jesse Young jlyo at jlyo.org
Tue Dec 23 13:42:17 CST 2014 

Hey all,

I've taken an interest in hardware based security tokens on Linux
lately. Let's just say it's a big painful mess of components that don't
quite work together [1]. I've come up with a set of requirements for my
personal setup that I think are achievable, although it has and will
take quite a bit of work. I've surveyed the ecosystem, and came up with
a set of requirements that I think are achievable.

My requirements are:
1. All secrets must be stored or wrapped in hardware
2. All secret keys must be unextractable
3. New key generation must be done in hardware
4. Existing keys must be able to be imported into hardware

As far as application integration goes, here are my ideas:
1. Linux PAM (authentication and single-sign-on)
2. LUKS disk encryption
3. OpenSSH
4. GnuPG
5. Web browser client cert (Chromium and/or Firefox)
6. X.509 certificate authority
7. Kerberos auth for work (not very familiar with this one)
8. OATH time and HMAC one-time-passwords

I have a TPM in my laptop, and access to an Aladdin eToken 32k 4.2b to
play around with at work. I also bought a smartcard reader, and have
been exploring GSM SIM cards and a Bank of America EMV (chip credit
card). So far most of my success has been with the TPM, namely SSH keys
[2] and the X.509 CA. I haven't been able to generate useful keys on the
eToken. 

I have (5) implemented against OpenDNSSEC's SoftHSM, although it fails
all the requirements since it's a software solution. The value, however,
is that I can isolate the key in a separate user and process, similar to
ssh-agent or gpg-agent. The interface to SoftHSM is PKCS#11 which is
common among hardware PKI tokens.

This brings me to my next idea: the Yubikey NEO [2]. It's a USB device
that seems to have a bit of a following and support. Does anyone have
experience and opinions with this device (or other hardware tokens)?
The Yubikey NEO looks like it can integrate with most the applications
I have.

I'm at a point where I can start writing a presentation about all
this with some confidence. When's the next cryptoparty when I should
have it ready by?

Thanks,
Jesse

[1]
https://blog.flameeyes.eu/2011/04/network-security-services-nss-and-pkcs-11
[2] https://www.yubico.com/products/yubikey-hardware/yubikey-neo/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 801 bytes
Desc: OpenPGP digital signature
URL: <http://groups.sshchicago.org/pipermail/cryptoparty-chi/attachments/20141223/569b01c0/attachment.sig>

More information about the cryptoparty-chi mailing list