[Crypto-chi] Hardware tokens
Brian Kroll
brian at fiberoverethernet.com
Tue Dec 23 15:07:09 CST 2014
I have read several mentions on various mailing lists of using an
OpenPGP card [0] with external smart card readers; even the FSFE has
their own personalized version [1]. But different card versions and types
against different card reader versions, and software configs that are
not straightforward to set up, make it a PITA, as previously mentioned.
With all that said, I have also been wanting to do something like this
for a while now and would like to talk more about this.
As for CCC we should get together after the holidays.
ATB
-Brian
[0] http://g10code.com/p-card.html
[1] https://fsfe.org/fellowship/card.en.html
On 23-12-2014 13:42, Jesse Young wrote:
> Hey all,
>
> I've taken an interest in hardware based security tokens on Linux
> lately. Let's just say it's a big painful mess of components that don't
> quite work together [1]. I've come up with a set of requirements for my
> personal setup that I think are achievable, although it has taken and will
> take quite a bit of work. I've surveyed the ecosystem and come up with
> a set of requirements that I think are achievable.
>
> My requirements are:
> 1. All secrets must be stored or wrapped in hardware
> 2. All secret keys must be unextractable
> 3. New key generation must be done in hardware
> 4. Existing keys must be able to be imported into hardware
>
> As far as application integration goes, here are my ideas:
> 1. Linux PAM (authentication and single-sign-on)
> 2. LUKS disk encryption
> 3. OpenSSH
> 4. GnuPG
> 5. Web browser client cert (Chromium and/or Firefox)
> 6. X.509 certificate authority
> 7. Kerberos auth for work (not very familiar with this one)
> 8. OATH time and HMAC one-time-passwords
>
> I have a TPM in my laptop, and access to an Aladdin eToken 32k 4.2b to
> play around with at work. I also bought a smartcard reader, and have
> been exploring GSM SIM cards and a Bank of America EMV (chip credit
> card). So far most of my success has been with the TPM, namely SSH keys
> [2] and the X.509 CA. I haven't been able to generate useful keys on the
> eToken.
>
> I have (5) implemented against OpenDNSSEC's SoftHSM, although it fails
> all the requirements since it's a software solution. The value, however,
> is that I can isolate the key in a separate user and process, similar to
> ssh-agent or gpg-agent. The interface to SoftHSM is PKCS#11, which is
> common among hardware PKI tokens.
>
> This brings me to my next idea: the Yubikey NEO [2]. It's a USB device
> that seems to have a bit of a following and support. Does anyone have
> experience and opinions with this device (or other hardware tokens)?
> The Yubikey NEO looks like it can integrate with most of the applications
> I have.
>
> I'm at a point where I can start writing a presentation about all
> this with some confidence. When's the next cryptoparty that I should
> have it ready by?
>
> Thanks,
> Jesse
>
> [1]
> https://blog.flameeyes.eu/2011/04/network-security-services-nss-and-pkcs-11
> [2] https://www.yubico.com/products/yubikey-hardware/yubikey-neo/
>
> _______________________________________________
> cryptoparty-chi mailing list
> cryptoparty-chi at groups.sshchicago.org
> http://groups.sshchicago.org/listinfo/cryptoparty-chi
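Jesse's four requirements map fairly directly onto PKCS#11 object attributes, which is what makes them checkable on any token that speaks PKCS#11, hardware or SoftHSM alike. The audit below is an added example written for this thread; it is not code from either message, from OpenSC, SoftHSM or Yubico. It assumes the key's attributes were read back with C_GetAttributeValue (for instance PyKCS11's Session.getAttributeValue) and the slot flags with C_GetSlotInfo; the sample records are constructed by hand, not dumped from a real token. The point it adds beyond the list itself: "unextractable" has a weak form (CKA_SENSITIVE set, CKA_EXTRACTABLE clear, which you can set on an imported key) and a strong form (CKA_ALWAYS_SENSITIVE and CKA_NEVER_EXTRACTABLE, which only a key generated on the token can carry), and requirement 4 necessarily gives you keys that only meet the weak form.

```python
# Added example (not from the thread): audit PKCS#11 key attributes against
# the four requirements. Assumes attrs come from C_GetAttributeValue and
# slot_flags from C_GetSlotInfo; the SAMPLES below are constructed by hand.

CKF_TOKEN_PRESENT = 0x00000001  # C_GetSlotInfo flag: a token is in the slot
CKF_HW_SLOT = 0x00000004        # C_GetSlotInfo flag: the slot is a hardware device

# Boolean object attributes that decide where a key lives and whether it can leave.
ATTRS = (
    "CKA_TOKEN",              # persists on the token rather than in the session
    "CKA_PRIVATE",            # only reachable after C_Login
    "CKA_SENSITIVE",          # plaintext value can never be read out
    "CKA_EXTRACTABLE",        # value may be exported wrapped via C_WrapKey
    "CKA_ALWAYS_SENSITIVE",   # CKA_SENSITIVE has been true since creation
    "CKA_NEVER_EXTRACTABLE",  # CKA_EXTRACTABLE has been false since creation
    "CKA_LOCAL",              # generated on the token (C_GenerateKeyPair), not imported
)


def audit_key(attrs, slot_flags):
    """Return {requirement: bool} for one private key object."""
    a = {name: bool(attrs.get(name, False)) for name in ATTRS}
    return {
        # 1. stored in hardware: persistent, login-protected object on a hardware slot.
        #    Attributes alone cannot tell SoftHSM from a card; the slot flag is the
        #    only PKCS#11-level signal, and it is only as honest as the module.
        "stored_in_hardware": a["CKA_TOKEN"] and a["CKA_PRIVATE"]
                              and bool(slot_flags & CKF_HW_SLOT),
        # 2. unextractable now: cannot be read (sensitive) nor wrapped out.
        "unextractable": a["CKA_SENSITIVE"] and not a["CKA_EXTRACTABLE"],
        # 2 (strict): the token vouches the key was never readable or wrappable.
        "unextractable_since_creation": a["CKA_ALWAYS_SENSITIVE"]
                                        and a["CKA_NEVER_EXTRACTABLE"],
        # 3. generated in hardware.
        "generated_in_hardware": a["CKA_LOCAL"],
        # 4. an imported key is simply one the token did not generate.
        "imported": not a["CKA_LOCAL"],
    }


def failures(attrs, slot_flags, expect_generated=True):
    """Names of the requirements a key does not meet.

    Pass expect_generated=False for a key you imported on purpose (req 4);
    otherwise a non-local key is reported under requirement 3.
    """
    r = audit_key(attrs, slot_flags)
    required = ["stored_in_hardware", "unextractable"]
    if expect_generated:
        required.append("generated_in_hardware")
    return [k for k in required if not r[k]]


def _key(**overrides):
    """Constructed attribute record: a well-formed on-token key, with overrides."""
    base = dict(CKA_TOKEN=True, CKA_PRIVATE=True, CKA_SENSITIVE=True,
                CKA_EXTRACTABLE=False, CKA_ALWAYS_SENSITIVE=True,
                CKA_NEVER_EXTRACTABLE=True, CKA_LOCAL=True)
    base.update(overrides)
    return base


# Constructed samples (attrs, slot_flags); none were read from a real device.
SAMPLES = {
    # generated on a hardware token, sensitive and unextractable from birth
    "hw_generated": (_key(), CKF_TOKEN_PRESENT | CKF_HW_SLOT),
    # existing key imported with C_CreateObject and then locked down:
    # unextractable now, but the token cannot claim it always was
    "hw_imported": (_key(CKA_ALWAYS_SENSITIVE=False, CKA_NEVER_EXTRACTABLE=False,
                         CKA_LOCAL=False), CKF_TOKEN_PRESENT | CKF_HW_SLOT),
    # SoftHSM-style key: attributes look perfect, slot is not hardware
    "soft_generated": (_key(), CKF_TOKEN_PRESENT),
    # sloppy template: left extractable, so it can be wrapped out with C_WrapKey
    "left_extractable": (_key(CKA_EXTRACTABLE=True, CKA_NEVER_EXTRACTABLE=False),
                         CKF_TOKEN_PRESENT | CKF_HW_SLOT),
}


def report(samples=SAMPLES):
    """One line per key: failed requirements, plus whether it is imported."""
    lines = []
    for name, (attrs, flags) in samples.items():
        r = audit_key(attrs, flags)
        bad = failures(attrs, flags)
        status = "ok" if not bad else "fails " + ", ".join(bad)
        if r["imported"]:
            status += " (imported: weak unextractability only)"
        lines.append(f"{name:16s} {status}")
    return lines


if __name__ == "__main__":
    print("\n".join(report()))
```

To run this against a real token, fill `attrs` from the object's CKA_* booleans and `slot_flags` from the slot info of the slot holding it; the verdict for the SoftHSM key is the same one Jesse reached by hand, and the imported key shows why requirement 4 and the strict reading of requirement 2 cannot both hold for the same key.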