<div dir="ltr">I posted some comments in twitter about this yesterday @jujueyeball. Haven't read the docs but the methods as described were interesting.<br></div><div class="gmail_extra"><br><div class="gmail_quote">On Sat, Feb 21, 2015 at 10:00 AM, joe fuentes <span dir="ltr"><<a href="mailto:joseph.fuentes@live.com" target="_blank">joseph.fuentes@live.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div><div dir="ltr">hello everyone<div><br></div><div>this goes back to wot Freddie said late last year. SIM cards aren't secure.</div><div><br></div><div>Those naughty boys at the NSA and GCHA are up to their dastardly deeds again. Read all about it!</div><div><br></div><div>thoughts?</div><div>-Joe</div><div><br></div><div><a href="https://firstlook.org/theintercept/2015/02/19/great-sim-heist/?t=dXNlcmlkPTQ3ODYxNDMwLGVtYWlsaWQ9OTUyOQ==" target="_blank">https://firstlook.org/theintercept/2015/02/19/great-sim-heist/?t=dXNlcmlkPTQ3ODYxNDMwLGVtYWlsaWQ9OTUyOQ==</a><br><br><div>> Date: Sat, 27 Dec 2014 14:50:00 -0600<br>> From: <a href="mailto:freddymartinez9@gmail.com" target="_blank">freddymartinez9@gmail.com</a><br>> To: <a href="mailto:cryptoparty-chi@groups.sshchicago.org" target="_blank">cryptoparty-chi@groups.sshchicago.org</a>; <a href="mailto:mchap88@gmail.com" target="_blank">mchap88@gmail.com</a><br>> Subject: Re: [Crypto-chi] Hardware tokens<br>> <br>> -----BEGIN PGP SIGNED MESSAGE-----<br>> Hash: SHA1<br>> <br>> Hi all,<br>> <br>> I just picked up a FIDO U2F Security Key. I'll report my findings at<br>> the next cryptoparty/CCC. Having to remember passwords is WYFU.<br>> <br>> > This is known as key escrow, and it's a bad thing if you don't <br>> > trust your escrow service (and why should you?) Lockheed was bitten<br>> > by<br>> <br>> Actually your sentence could be better written as: "This is known as<br>> key escrow and its a bad thing.<br>> <br>> CCC will be mid/late-January<br>> <br>> On 12/23/2014 05:10 PM, Jesse Young wrote:<br>> > I remember the SecurID breach, but only looked up the details<br>> > recently. I doesn't look like there was a problem with the token<br>> > itself, rather RSA (the company) kept a copy of all the secrets<br>> > resident on the tokens. This is known as key escrow, and it's a bad<br>> > thing if you don't trust your escrow service (and why should you?)<br>> > Lockheed was bitten by it. Really the only parties that should have<br>> > had the secret were Lockheed and their employees (with the<br>> > employee's copy locked up in the token.)<br>> > <br>> > Shared secret tokens (like the SecurID) are also less of an<br>> > interest to me, because the secret, by definition, needs to be<br>> > available to the service you're authenticating against. It does<br>> > seem to be more popular on the web these days (see Google<br>> > Authenticator / OATH). I have it set up for my email.<br>> > <br>> > I think the hardware tokens can be made secure precluding poor <br>> > implementations. In fact some cryptoprocessors have anti-tampering <br>> > features that are purported to defend against highly sophisticated <br>> > and expensive attacks.<br>> > <br>> > FWIW, everything I know about the SecurID breach came from this <br>> > Slashdot discussion: <br>> > <a href="http://yro.slashdot.org/story/11/06/07/129217/rsa-admits-securid-tokens-have-been-compromised" target="_blank">http://yro.slashdot.org/story/11/06/07/129217/rsa-admits-securid-tokens-have-been-compromised</a><br>> ><br>> > Tell me more about the CCC, is there a separate mailing list /<br>> > resources from the cryptoparty's?<br>> > <br>> > Jesse<br>> > <br>> > On Tue, 23 Dec 2014 14:08:15 -0600 Matt Chapman <<a href="mailto:mchap88@gmail.com" target="_blank">mchap88@gmail.com</a>><br>> > wrote:<br>> > <br>> >> On-topic: With hardware tokens, never forget: <br>> >> <a href="http://en.wikipedia.org/wiki/SecurID#March_2011_system_compromise" target="_blank">http://en.wikipedia.org/wiki/SecurID#March_2011_system_compromise</a><br>> >><br>> >><br>> >> <br>> Off-topic-ish:<br>> >> How's CCC going? I'd love to go to one, but haven't heard much<br>> >> about it since the last crypto party.<br>> >> <br>> >> Matt<br>> >> <br>> >> On Tue, Dec 23, 2014 at 1:58 PM, Freddy Martinez <br>> >> <<a href="mailto:freddymartinez9@gmail.com" target="_blank">freddymartinez9@gmail.com</a>> wrote:<br>> >> <br>> >>> Off-topic: lol. GSM SIM cards are not secure.<br>> >>> <br>> >>> On-topic<br>> >>> <br>> >>> I love this topic. I have been looking at hardware tokens out<br>> >>> of curiosity for work and have a few ideas as well. I'd love to<br>> >>> see something like this Jesse. My concern is that this would<br>> >>> be out of scope for cryptoparty but we could do something like<br>> >>> this at CCC. The goal for CCC was to do more advanced level<br>> >>> talks and create a place for working on projects like this.<br>> >>> <br>> >>> Freddy<br>> >>> <br>> >>> On Tue, Dec 23, 2014 at 1:42 PM, Jesse Young <<a href="mailto:jlyo@jlyo.org" target="_blank">jlyo@jlyo.org</a>><br>> >>> wrote:<br>> >>>> Hey all,<br>> >>>> <br>> >>>> I've taken an interest in hardware based security tokens on<br>> >>>> Linux lately. Let's just say it's a big painful mess of<br>> >>>> components that don't quite work together [1]. I've come up<br>> >>>> with a set of requirements for my personal setup that I think<br>> >>>> are achievable, although it has and will take quite a bit of<br>> >>>> work. I've surveyed the ecosystem, and came up with a set of<br>> >>>> requirements that I think are achievable.<br>> >>>> <br>> >>>> My requirements are: 1. All secrets must be stored or wrapped<br>> >>>> in hardware 2. All secret keys must be unextractable 3. New<br>> >>>> key generation must be done in hardware 4. Existing keys must<br>> >>>> be able to be imported into hardware<br>> >>>> <br>> >>>> As far as application integration goes, here are my ideas: 1.<br>> >>>> Linux PAM (authentication and single-sign-on) 2. LUKS disk<br>> >>>> encryption 3. OpenSSH 4. GnuPG 5. Web browser client cert<br>> >>>> (Chromium and/or Firefox) 6. X.509 certificate authority 7.<br>> >>>> Kerberos auth for work (not very familiar with this one) 8.<br>> >>>> OATH time and HMAC one-time-passwords<br>> >>>> <br>> >>>> I have a TPM in my laptop, and access to an Aladdin eToken<br>> >>>> 32k 4.2b to play around with at work. I also bought a<br>> >>>> smartcard reader, and have been exploring GSM SIM cards and a<br>> >>>> Bank of America EMV (chip credit card). So far most of my<br>> >>>> success has been with the TPM, namely SSH keys [2] and the<br>> >>>> X.509 CA. I haven't been able to generate useful keys on the<br>> >>>> eToken.<br>> >>>> <br>> >>>> I have (5) implemented against OpenDNSSEC's SoftHSM, although<br>> >>>> it fails all the requirements since it's a software solution.<br>> >>>> The value, however, is that I can isolate the key in a<br>> >>>> separate user and process, similar to ssh-agent or gpg-agent.<br>> >>>> The interface to SoftHSM is PKCS#11 which is common among<br>> >>>> hardware PKI tokens.<br>> >>>> <br>> >>>> This brings me to my next idea: the Yubikey NEO [2]. It's a<br>> >>>> USB device that seems to have a bit of a following and<br>> >>>> support. Does anyone have experience and opinions with this<br>> >>>> device (or other hardware tokens)? The Yubikey NEO looks like<br>> >>>> it can integrate with most the applications I have.<br>> >>>> <br>> >>>> I'm at a point where I can start writing a presentation about<br>> >>>> all this with some confidence. When's the next cryptoparty<br>> >>>> when I should have it ready by?<br>> >>>> <br>> >>>> Thanks, Jesse<br>> >>>> <br>> >>>> [1]<br>> >>>> <br>> >>> <a href="https://blog.flameeyes.eu/2011/04/network-security-services-nss-and-pkcs-11" target="_blank">https://blog.flameeyes.eu/2011/04/network-security-services-nss-and-pkcs-11</a><br>> >>>><br>> >>> <br>> [2] <a href="https://www.yubico.com/products/yubikey-hardware/yubikey-neo/" target="_blank">https://www.yubico.com/products/yubikey-hardware/yubikey-neo/</a><br>> >>>> <br>> >>>> _______________________________________________ <br>> >>>> cryptoparty-chi mailing list <br>> >>>> <a href="mailto:cryptoparty-chi@groups.sshchicago.org" target="_blank">cryptoparty-chi@groups.sshchicago.org</a> <br>> >>>> <a href="http://groups.sshchicago.org/listinfo/cryptoparty-chi" target="_blank">http://groups.sshchicago.org/listinfo/cryptoparty-chi</a><br>> >>>> <br>> >>> _______________________________________________ cryptoparty-chi<br>> >>> mailing list <a href="mailto:cryptoparty-chi@groups.sshchicago.org" target="_blank">cryptoparty-chi@groups.sshchicago.org</a> <br>> >>> <a href="http://groups.sshchicago.org/listinfo/cryptoparty-chi" target="_blank">http://groups.sshchicago.org/listinfo/cryptoparty-chi</a><br>> >>> <br>> > <br>> > _______________________________________________ cryptoparty-chi<br>> > mailing list <a href="mailto:cryptoparty-chi@groups.sshchicago.org" target="_blank">cryptoparty-chi@groups.sshchicago.org</a> <br>> > <a href="http://groups.sshchicago.org/listinfo/cryptoparty-chi" target="_blank">http://groups.sshchicago.org/listinfo/cryptoparty-chi</a><br>> > <br>> -----BEGIN PGP SIGNATURE-----<br>> Version: GnuPG v1.4.12 (GNU/Linux)<br>> <br>> iQIcBAEBAgAGBQJUnxtxAAoJEPMZXCkqgi71i+UP/jBi03gKGmcrEYOaHwF2hEjW<br>> KapmSj1k8lum5EcG0Ri5vEATaUgGW8kKWa2G0aiu6c7FmS6B3CAhxqN+5vcJIvtY<br>> 7aArWmtN/WUslGGk4rZAFoYOUJN9ZHyBHBN6XhBdLY/cfi6Jf8/EjfAlRDK2Hqg+<br>> meBLM1oVHpidbsMg2lsyzj/QjQ79WP2OCECdL+YrfSpO67Ksj2ol5HJEYZAyguM9<br>> CEbvfm5vFVeZtqDcZynyMe1HoEUeDChm694UZ9P1MHGnwsTW6SbfJ488TaLnzgzv<br>> eXjwurr847OsdfIRn3wHfW8iKhjBhULFd1IHSJrCFnY4FXGbDHlN8roEZcJG+NBg<br>> QKw8ROP46qZWaZvzz6nmko28ov/53fXBvPCRj7Ghs/I+h+fbW5TkHLLshRcVKZIu<br>> Qcl9SkRBK0sYXEk07dTkwYDePK3rNV2Wr7ZYXfAwbyL1wu9fBxCuoazc0XvXcIYU<br>> Ojt4DxVt1GPhdoWoXUsBPPilU5P89RTI7/QfgE4RULylnbtPQX4jI2qxmxKTHU1O<br>> L35nenZvpRUOcp7AaXwb8ZfwaKS5lor/YWK9pYkBuW3oXqF0lZUgodZRwPZQVh3a<br>> 7Ycgp6nzeNWGflWMAehroZxoOVWBPiQ14iCj/DnfRV+zeZ6OQv2NtWPXokOjYmik<br>> vy/luQmivTX/M7JWDoLM<br>> =+pPl<br>> -----END PGP SIGNATURE-----<br>> _______________________________________________<br>> cryptoparty-chi mailing list<br>> <a href="mailto:cryptoparty-chi@groups.sshchicago.org" target="_blank">cryptoparty-chi@groups.sshchicago.org</a><br>> <a href="http://groups.sshchicago.org/listinfo/cryptoparty-chi" target="_blank">http://groups.sshchicago.org/listinfo/cryptoparty-chi</a><br></div></div> </div></div>
<br>_______________________________________________<br>
cryptoparty-chi mailing list<br>
<a href="mailto:cryptoparty-chi@groups.sshchicago.org">cryptoparty-chi@groups.sshchicago.org</a><br>
<a href="http://groups.sshchicago.org/listinfo/cryptoparty-chi" target="_blank">http://groups.sshchicago.org/listinfo/cryptoparty-chi</a><br>
<br></blockquote></div><br></div>