<div dir="ltr"><div><div>On-topic:<br></div><div>With hardware tokens, never forget: <a href="http://en.wikipedia.org/wiki/SecurID#March_2011_system_compromise">http://en.wikipedia.org/wiki/SecurID#March_2011_system_compromise</a><br></div><div><br></div><div>Off-topic-ish:<div>How's CCC going? I'd love to go to one, but haven't heard much about it since the last crypto party.</div></div><div><br></div><div>Matt</div></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Dec 23, 2014 at 1:58 PM, Freddy Martinez <span dir="ltr"><<a href="mailto:freddymartinez9@gmail.com" target="_blank">freddymartinez9@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Off-topic:<br>
lol. GSM SIM cards are not secure.<br>
<br>
On-topic:<br>
<br>
I love this topic. I have been looking at hardware tokens out of<br>
curiosity for work and have a few ideas as well. I'd love to see<br>
something like this Jesse. My concern is that this would be out of<br>
scope for cryptoparty but we could do something like this at CCC. The<br>
goal for CCC was to do more advanced level talks and create a place<br>
for working on projects like this.<br>
<br>
Freddy<br>
<div><div class="h5"><br>
On Tue, Dec 23, 2014 at 1:42 PM, Jesse Young <<a href="mailto:jlyo@jlyo.org">jlyo@jlyo.org</a>> wrote:<br>
> Hey all,<br>
><br>
> I've taken an interest in hardware based security tokens on Linux<br>
> lately. Let's just say it's a big painful mess of components that don't<br>
> quite work together [1]. I've surveyed the ecosystem and come up with<br>
> a set of requirements for my personal setup that I think are<br>
> achievable, although it has taken and will take quite a bit of work.<br>
><br>
> My requirements are:<br>
> 1. All secrets must be stored or wrapped in hardware<br>
> 2. All secret keys must be unextractable<br>
> 3. New key generation must be done in hardware<br>
> 4. Existing keys must be able to be imported into hardware<br>
><br>
> As far as application integration goes, here are my ideas:<br>
> 1. Linux PAM (authentication and single-sign-on)<br>
> 2. LUKS disk encryption<br>
> 3. OpenSSH<br>
> 4. GnuPG<br>
> 5. Web browser client cert (Chromium and/or Firefox)<br>
> 6. X.509 certificate authority<br>
> 7. Kerberos auth for work (not very familiar with this one)<br>
> 8. OATH time and HMAC one-time-passwords<br>
><br>
> I have a TPM in my laptop, and access to an Aladdin eToken 32k 4.2b to<br>
> play around with at work. I also bought a smartcard reader, and have<br>
> been exploring GSM SIM cards and a Bank of America EMV (chip credit<br>
> card). So far most of my success has been with the TPM, namely SSH keys<br>
> [2] and the X.509 CA. I haven't been able to generate useful keys on the<br>
> eToken.<br>
><br>
> I have (5) implemented against OpenDNSSEC's SoftHSM, although it fails<br>
> all the requirements since it's a software solution. The value, however,<br>
> is that I can isolate the key in a separate user and process, similar to<br>
> ssh-agent or gpg-agent. The interface to SoftHSM is PKCS#11 which is<br>
> common among hardware PKI tokens.<br>
><br>
> This brings me to my next idea: the Yubikey NEO [2]. It's a USB device<br>
> that seems to have a bit of a following and support. Does anyone have<br>
> experience and opinions with this device (or other hardware tokens)?<br>
> The Yubikey NEO looks like it can integrate with most of the<br>
> applications I have.<br>
><br>
> I'm at a point where I can start writing a presentation about all<br>
> this with some confidence. When's the next cryptoparty that I should<br>
> have it ready by?<br>
><br>
> Thanks,<br>
> Jesse<br>
><br>
> [1]<br>
> <a href="https://blog.flameeyes.eu/2011/04/network-security-services-nss-and-pkcs-11" target="_blank">https://blog.flameeyes.eu/2011/04/network-security-services-nss-and-pkcs-11</a><br>
> [2] <a href="https://www.yubico.com/products/yubikey-hardware/yubikey-neo/" target="_blank">https://www.yubico.com/products/yubikey-hardware/yubikey-neo/</a><br>
><br>
</div></div>> _______________________________________________<br>
> cryptoparty-chi mailing list<br>
> <a href="mailto:cryptoparty-chi@groups.sshchicago.org">cryptoparty-chi@groups.sshchicago.org</a><br>
> <a href="http://groups.sshchicago.org/listinfo/cryptoparty-chi" target="_blank">http://groups.sshchicago.org/listinfo/cryptoparty-chi</a><br>
><br>
</blockquote></div><br></div>
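<p>Jesse's requirements 2 (secret keys unextractable) and 3 (new keys generated in hardware) map directly onto PKCS#11 key attributes: CKA_SENSITIVE / CKA_EXTRACTABLE (ideally CKA_NEVER_EXTRACTABLE) for the first, and CKA_LOCAL for the second. The script below is an added example written for this page, not code from the thread or from any of the projects it mentions. It audits the private keys on a PKCS#11 token against those two requirements by parsing the output of OpenSC's <code>pkcs11-tool --list-objects</code>. It assumes that pkcs11-tool is installed, that the token's PKCS#11 module is at the SoftHSM2 default path shown (change it for a TPM or eToken module), and that pkcs11-tool prints an "Access:" line listing those attributes as the words used in the constructed sample; the sample output itself is made up for offline testing and is not real token output.</p>

```python
"""
Audit private keys on a PKCS#11 token against two requirements:
  2. secret keys must be unextractable  (CKA_SENSITIVE set, CKA_EXTRACTABLE clear)
  3. new keys must be generated on the token  (CKA_LOCAL set)

Added example, not from the original mailing-list thread. Assumptions:
  - OpenSC's pkcs11-tool is on PATH and the token module path is known
    (SoftHSM2's libsofthsm2.so is used as the default below).
  - pkcs11-tool prints an "Access:" line whose comma-separated words are
    "sensitive", "always sensitive", "extractable", "never extractable",
    "local", or "none", as in the constructed SAMPLE_OUTPUT.
"""
import re
import subprocess
from dataclasses import dataclass, field

# Constructed sample in the shape pkcs11-tool prints. NOT real token output.
# The third object is what an imported, wrap-able key looks like: it
# satisfies requirement 4 (import) but violates 2 and 3.
SAMPLE_OUTPUT = """\
Private Key Object; RSA
  label:      ssh-key
  ID:         01
  Usage:      decrypt, sign, unwrap
  Access:     sensitive, always sensitive, never extractable, local
Public Key Object; RSA 2048 bits
  label:      ssh-key
  ID:         01
  Usage:      encrypt, verify, wrap
  Access:     none
Private Key Object; EC
  label:      imported-ca
  ID:         02
  Usage:      sign
  Access:     sensitive, extractable
"""


@dataclass
class KeyObject:
    kind: str            # "Private Key" or "Public Key"
    label: str
    key_id: str
    access: set = field(default_factory=set)  # words from the Access: line


def parse_objects(text):
    """Turn pkcs11-tool --list-objects output into KeyObject records."""
    objs = []
    cur = None
    for line in text.splitlines():
        m = re.match(r"^(\w+ Key) Object; (.*)$", line)
        if m:
            cur = KeyObject(kind=m.group(1), label="", key_id="")
            objs.append(cur)
            continue
        if cur is None:
            continue
        m = re.match(r"^\s+(\w+):\s*(.*)$", line)
        if not m:
            continue
        name, value = m.group(1), m.group(2).strip()
        if name == "label":
            cur.label = value
        elif name == "ID":
            cur.key_id = value
        elif name == "Access":
            # Split on commas so "never extractable" is never confused
            # with "extractable" by a substring match.
            words = {w.strip() for w in value.split(",")}
            cur.access = {w for w in words if w and w != "none"}
    return objs


def audit(objs):
    """Return one (label, id, problem) tuple per violated requirement."""
    problems = []
    for o in objs:
        if o.kind != "Private Key":
            continue  # public keys are meant to be readable
        # Requirement 2: the token must refuse to hand the key material out.
        if "sensitive" not in o.access:
            problems.append((o.label, o.key_id, "CKA_SENSITIVE is false: value may be readable"))
        if "extractable" in o.access:
            problems.append((o.label, o.key_id, "CKA_EXTRACTABLE is true: key can be wrapped out"))
        # Requirement 3: CKA_LOCAL means the token generated the key itself.
        # A key imported under requirement 4 is legitimately non-local, so
        # treat this as something to review rather than an automatic failure.
        if "local" not in o.access:
            problems.append((o.label, o.key_id, "CKA_LOCAL is false: key was imported, not generated on the token"))
    return problems


def list_objects(module="/usr/lib/softhsm/libsofthsm2.so", pin=None):
    """Run pkcs11-tool against a real token. Private keys only show up after login."""
    cmd = ["pkcs11-tool", "--module", module, "--list-objects"]
    if pin is not None:
        cmd += ["--login", "--pin", pin]
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


if __name__ == "__main__":
    import sys
    # With a PIN argument, audit the real token; otherwise use the constructed sample.
    text = list_objects(pin=sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_OUTPUT
    for label, key_id, problem in audit(parse_objects(text)):
        print(f"{label} (id {key_id}): {problem}")
```

<p>The same attribute check is what you would apply to the TPM or eToken via their PKCS#11 providers; for SoftHSM the script will happily report every key as "sensitive" and "local", which is exactly Jesse's point that a software token satisfies the attribute flags without satisfying the requirements, because nothing stops an attacker with the SoftHSM token files and PIN from reading the keys anyway.</p>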