[Crypto-chi] Hardware tokens
Matt Chapman
mchap88 at gmail.com
Tue Dec 23 14:08:15 CST 2014
On-topic:
With hardware tokens, never forget:
http://en.wikipedia.org/wiki/SecurID#March_2011_system_compromise
Off-topic-ish:
How's CCC going? I'd love to go to one, but haven't heard much about it
since the last crypto party.
Matt
On Tue, Dec 23, 2014 at 1:58 PM, Freddy Martinez <freddymartinez9 at gmail.com> wrote:
> Off-topic:
> lol. GSM SIM cards are not secure.
>
> On-topic
>
> I love this topic. I have been looking at hardware tokens out of
> curiosity for work and have a few ideas as well. I'd love to see
> something like this Jesse. My concern is that this would be out of
> scope for cryptoparty but we could do something like this at CCC. The
> goal for CCC was to do more advanced level talks and create a place
> for working on projects like this.
>
> Freddy
>
> On Tue, Dec 23, 2014 at 1:42 PM, Jesse Young <jlyo at jlyo.org> wrote:
> > Hey all,
> >
> > I've taken an interest in hardware based security tokens on Linux
> > lately. Let's just say it's a big painful mess of components that don't
> > quite work together [1]. I've come up with a set of requirements for my
> > personal setup that I think are achievable, although it has and will
> > take quite a bit of work. I've surveyed the ecosystem, and came up with
> > a set of requirements that I think are achievable.
> >
> > My requirements are:
> > 1. All secrets must be stored or wrapped in hardware
> > 2. All secret keys must be unextractable
> > 3. New key generation must be done in hardware
> > 4. Existing keys must be able to be imported into hardware
> >
> > As far as application integration goes, here are my ideas:
> > 1. Linux PAM (authentication and single-sign-on)
> > 2. LUKS disk encryption
> > 3. OpenSSH
> > 4. GnuPG
> > 5. Web browser client cert (Chromium and/or Firefox)
> > 6. X.509 certificate authority
> > 7. Kerberos auth for work (not very familiar with this one)
> > 8. OATH time and HMAC one-time-passwords
> >
> > I have a TPM in my laptop, and access to an Aladdin eToken 32k 4.2b to
> > play around with at work. I also bought a smartcard reader, and have
> > been exploring GSM SIM cards and a Bank of America EMV (chip credit
> > card). So far most of my success has been with the TPM, namely SSH keys
> > [2] and the X.509 CA. I haven't been able to generate useful keys on the
> > eToken.
> >
> > I have (5) implemented against OpenDNSSEC's SoftHSM, although it fails
> > all the requirements since it's a software solution. The value, however,
> > is that I can isolate the key in a separate user and process, similar to
> > ssh-agent or gpg-agent. The interface to SoftHSM is PKCS#11 which is
> > common among hardware PKI tokens.
> >
> > This brings me to my next idea: the Yubikey NEO [2]. It's a USB device
> > that seems to have a bit of a following and support. Does anyone have
> > experience and opinions with this device (or other hardware tokens)?
> > The Yubikey NEO looks like it can integrate with most of the applications
> > I have.
> >
> > I'm at a point where I can start writing a presentation about all
> > this with some confidence. When's the next cryptoparty when I should
> > have it ready by?
> >
> > Thanks,
> > Jesse
> >
> > [1] https://blog.flameeyes.eu/2011/04/network-security-services-nss-and-pkcs-11
> > [2] https://www.yubico.com/products/yubikey-hardware/yubikey-neo/
> >
> > _______________________________________________
> > cryptoparty-chi mailing list
> > cryptoparty-chi at groups.sshchicago.org
> > http://groups.sshchicago.org/listinfo/cryptoparty-chi
> >
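Jesse's four requirements and the PKCS#11 interface he mentions can be checked against a key object's attributes; the following is an added example, not code from anyone in the thread, showing how requirements 1-3 map onto standard CKA_* attributes and why requirement 4 (importing existing keys) is in tension with them. The read_attrs helper assumes the python-pkcs11 library and its Attribute enum; the attribute sets at the bottom are constructed, not read from a real token.

```python
"""Map the thread's four token requirements onto PKCS#11 key attributes.

Added example, not code from the original post. Attributes only report what
the PKCS#11 module claims: a SoftHSM key passes every check here although
nothing is in hardware, which is the point the post makes about SoftHSM.
"""

ATTRS = ("TOKEN", "SENSITIVE", "EXTRACTABLE", "NEVER_EXTRACTABLE", "LOCAL")

def evaluate_key(attrs, allow_imported=False):
    """Return {requirement: bool} for a dict of CKA_* name -> bool."""
    get = attrs.get
    # Present state: value not readable via C_GetAttributeValue, not wrappable.
    locked_now = get("SENSITIVE") is True and get("EXTRACTABLE") is False
    # C_CreateObject / C_UnwrapKey set CKA_LOCAL and CKA_NEVER_EXTRACTABLE to
    # FALSE, so requirement 4 (import) is only met by relaxing the history checks.
    imported = allow_imported and get("LOCAL") is False
    return {
        # 1. token object, not a session object that vanishes with the session
        "1. stored in hardware": get("TOKEN") is True,
        # 2. unextractable now and (unless imported) never extractable before
        "2. unextractable": locked_now
                            and (get("NEVER_EXTRACTABLE") is True or imported),
        # 3. CKA_LOCAL is set only by C_GenerateKey / C_GenerateKeyPair; an
        #    imported key's plaintext once lived outside the token and no
        #    attribute can undo that, so policy decides whether to accept it
        "3. generated in hardware or imported": get("LOCAL") is True
                                                or (imported and locked_now),
    }

def meets_all(attrs, allow_imported=False):
    return all(evaluate_key(attrs, allow_imported).values())

def read_attrs(key):
    """Read ATTRS from a python-pkcs11 key object (assumed library and API)."""
    import pkcs11  # assumption: pip install python-pkcs11
    out = {}
    for name in ATTRS:
        try:
            out[name] = key[getattr(pkcs11.Attribute, name)]
        except pkcs11.exceptions.PKCS11Error:  # module does not expose it
            out[name] = None
    return out

# Constructed sample attribute sets (not read from any real token).
GENERATED_ON_TOKEN = dict(TOKEN=True, SENSITIVE=True, EXTRACTABLE=False,
                          NEVER_EXTRACTABLE=True, LOCAL=True)
IMPORTED_LOCKED = dict(GENERATED_ON_TOKEN, NEVER_EXTRACTABLE=False, LOCAL=False)
WRAPPABLE = dict(GENERATED_ON_TOKEN, EXTRACTABLE=True, NEVER_EXTRACTABLE=False)
```

Run `meets_all(read_attrs(key), allow_imported=True)` on a key from a real token to apply the relaxed policy; the strict default is what the four requirements literally demand.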