[Crypto-chi] Hardware tokens

Tue Dec 23 13:58:24 CST 2014

Off-topic:
lol. GSM SIM cards are not secure.

On-topic

I love this topic. I have been looking at hardware tokens out of
curiosity for work and have a few ideas as well. I'd love to see
something like this Jesse.  My concern is that this would be out of
scope for cryptoparty but we could do something like this at CCC. The
goal for CCC was to do more advanced level talks and create a place
for working on projects like this.

Freddy

On Tue, Dec 23, 2014 at 1:42 PM, Jesse Young <jlyo at jlyo.org> wrote:
> Hey all,
>
> I've taken an interest in hardware based security tokens on Linux
> lately. Let's just say it's a big painful mess of components that don't
> quite work together [1]. I've come up with a set of requirements for my
> personal setup that I think are achievable, although it has and will
> take quite a bit of work. I've surveyed the ecosystem, and came up with
> a set of requirements that I think are achievable.
>
> My requirements are:
> 1. All secrets must be stored or wrapped in hardware
> 2. All secret keys must be unextractable
> 3. New key generation must be done in hardware
> 4. Existing keys must be able to be imported into hardware
>
> As far as application integration goes, here are my ideas:
> 1. Linux PAM (authentication and single-sign-on)
> 2. LUKS disk encryption
> 3. OpenSSH
> 4. GnuPG
> 5. Web browser client cert (Chromium and/or Firefox)
> 6. X.509 certificate authority
> 7. Kerberos auth for work (not very familiar with this one)
> 8. OATH time and HMAC one-time-passwords
>
> I have a TPM in my laptop, and access to an Aladdin eToken 32k 4.2b to
> play around with at work. I also bought a smartcard reader, and have
> been exploring GSM SIM cards and a Bank of America EMV (chip credit
> card). So far most of my success has been with the TPM, namely SSH keys
> [2] and the X.509 CA. I haven't been able to generate useful keys on the
> eToken.
>
> I have (5) implemented against OpenDNSSEC's SoftHSM, although it fails
> all the requirements since it's a software solution. The value, however,
> is that I can isolate the key in a separate user and process, similar to
> ssh-agent or gpg-agent. The interface to SoftHSM is PKCS#11 which is
> common among hardware PKI tokens.
>
> This brings me to my next idea: the Yubikey NEO [2]. It's a USB device
> that seems to have a bit of a following and support. Does anyone have
> experience and opinions with this device (or other hardware tokens)?
> The Yubikey NEO looks like it can integrate with most the applications
> I have.
>
> I'm at a point where I can start writing a presentation about all
> this with some confidence. When's the next cryptoparty when I should
> have it ready by?
>
> Thanks,
> Jesse
>
> [1]
> https://blog.flameeyes.eu/2011/04/network-security-services-nss-and-pkcs-11
> [2] https://www.yubico.com/products/yubikey-hardware/yubikey-neo/
>
> _______________________________________________
> cryptoparty-chi mailing list
> cryptoparty-chi at groups.sshchicago.org
> http://groups.sshchicago.org/listinfo/cryptoparty-chi
>