hardening pgp using gnupg and yubikey
play

Hardening PGP using GnuPG and Yubikey hybrid multifactor - PowerPoint PPT Presentation

Sep 17, 2022 •252 likes •690 views

Hardening PGP using GnuPG and Yubikey hybrid multifactor authentication and cryptography John Roman Linux System Administrator RAND Corporation SCALE 2017 Roman, John PGP PGP 101 public/private keyrings Roman, John PGP PGP 101

  1. Hardening PGP using GnuPG and Yubikey hybrid multifactor authentication and cryptography John Roman Linux System Administrator RAND Corporation SCALE 2017 Roman, John PGP

  2. PGP 101 public/private keyrings Roman, John PGP

  3. PGP 101 public/private keyrings public keys go to the world, generated on machine Roman, John PGP

  4. PGP 101 public/private keyrings public keys go to the world, generated on machine key types: signing, authentication, cryptography Roman, John PGP

  5. pitfalls private keyring. . . but how private? Roman, John PGP

  6. pitfalls private keyring. . . but how private? portability Roman, John PGP

  7. pitfalls private keyring. . . but how private? portability standards compliance Roman, John PGP

  8. conventional example, the CAC/PIV Common Access Card, in service since 2005 Roman, John PGP

  9. conventional example, the CAC/PIV Common Access Card, in service since 2005 FIPS201 PIV Federal Information Processing Standard (FIPS) 201,Personal Identity Verification Roman, John PGP

  10. OpenPGP: we we’re JUST thinking that! OpenPGP Card: in service since 2004 Roman, John PGP

  11. OpenPGP: we we’re JUST thinking that! OpenPGP Card: in service since 2004 9 different vendors, multiple form factors Roman, John PGP

  12. OpenPGP: we we’re JUST thinking that! OpenPGP Card: in service since 2004 9 different vendors, multiple form factors relatively unknown outside of FSF Europe. Roman, John PGP

  13. Our focus: Yubikey supports hybrid mode Roman, John PGP

  14. Our focus: Yubikey supports hybrid mode hermetic, crushproof, scaleable pricing Roman, John PGP

  15. Our focus: Yubikey supports hybrid mode hermetic, crushproof, scaleable pricing NFC option. Roman, John PGP

  16. general concepts card has a CPU, firmware. Roman, John PGP

  17. general concepts card has a CPU, firmware. keys are loaded into slots, or generated by the card Roman, John PGP

  18. general concepts card has a CPU, firmware. keys are loaded into slots, or generated by the card encryption, decryption, signature are all commands Roman, John PGP

  19. general concepts card has a CPU, firmware. keys are loaded into slots, or generated by the card encryption, decryption, signature are all commands once loaded, private keys are sacrosanct. Roman, John PGP

  20. general concepts card has a CPU, firmware. keys are loaded into slots, or generated by the card encryption, decryption, signature are all commands once loaded, private keys are sacrosanct. Yubikey only accepts commands, only returns data. NEVER KEYS. Roman, John PGP

  21. HSM Specific concepts pin number similar to european credit cards Roman, John PGP

  22. HSM Specific concepts pin number similar to european credit cards 3 strikes, your pin is locked Roman, John PGP

  23. HSM Specific concepts pin number similar to european credit cards 3 strikes, your pin is locked pin can be unlocked with a security officer pin. Roman, John PGP

  24. HSM Specific concepts pin number similar to european credit cards 3 strikes, your pin is locked pin can be unlocked with a security officer pin. 3 strikes against the SO pin? card is bricked. keys lost. game over. Roman, John PGP

  25. HSM Specific concepts pin number similar to european credit cards 3 strikes, your pin is locked pin can be unlocked with a security officer pin. 3 strikes against the SO pin? card is bricked. keys lost. game over. pin length 6-8 characters, some implementations more than 128 char. Roman, John PGP

  26. placing the card into ’hybrid’ mode ykpersonalize -d -m82 Firmware version 4.3.1 Touch level 527 Program sequence 3 The USB mode will be set to: 0x82 Commit? (y/n) [n]: n Roman, John PGP

  27. OpenPGP card overview keys were loaded from an airgapped system using the keytocard command. Roman, John PGP

  28. OpenPGP card programming gpg –card-edit mode, admin commands enabled Roman, John PGP

  29. applications anything GPG enabled Roman, John PGP

  30. applications anything GPG enabled anything PAM enabled Roman, John PGP

  31. applications anything GPG enabled anything PAM enabled defense in depth: OTP/Cert/PW? sure Roman, John PGP

  32. applications anything GPG enabled anything PAM enabled defense in depth: OTP/Cert/PW? sure multiple cards per key, each has a unique subkey (code signing!) Roman, John PGP

  33. applications Roman, John PGP

  34. NFC option: here be dragons easy integration with Openkeychain in Android/IPhone Roman, John PGP

  35. NFC option: here be dragons easy integration with Openkeychain in Android/IPhone keys need to be generated by the user Roman, John PGP

  36. NFC option: here be dragons easy integration with Openkeychain in Android/IPhone keys need to be generated by the user only supports a 2048 bit key Roman, John PGP

  37. deploying 450 (thousand?) of these things. Roman, John PGP

  38. Entropy. GPG relies on kernel, not userland entropy. - Flying Stone FST01 from the FSF store! - RTL digital TV dongle and a tractor paper copy of phrack Roman, John PGP

  39. OpenPGP not included... Red Hat Enterprise Linux 7 does not include opensc GnuPG Roman, John PGP

  40. y tho... NFC user fatigue. not all NFC devices are “great” at picking up NFC lack of a yubikey might cause lack of communication. Roman, John PGP

  41. “destroyed” cards... – try not to trigger a SO/Reset pin lock!! – to reissue or reset? Roman, John PGP

  42. Questions? Roman, John PGP

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Hardening PGP using GnuPG and Yubikey hybrid multifactor authentication and cryptography John

Hardening PGP using GnuPG and Yubikey hybrid multifactor authentication and cryptography John

Hardening PGP using GnuPG and Yubikey hybrid multifactor authentication and cryptography John Roman Linux System Administrator RAND Corporation SCALE 2017 Roman, John PGP PGP 101 public/private keyrings Roman, John PGP PGP 101

471 views • 43 slides
Yubikey Discovery and fjrst use of Yubico's Yubikey Presented by : Maxime de Roucy

Yubikey Discovery and fjrst use of Yubico's Yubikey Presented by : Maxime de Roucy

Yubikey Discovery and fjrst use of Yubico's Yubikey Presented by : Maxime de Roucy mderoucy@linagora.com http:// dokuwiki. craoc.fr/ About myself (really quick I promise) Job Technical Account Manager OSSA Open Source

279 views • 17 slides
Let's use Ed25519 with GnuPG 2.1 and Gnuk Token! Niibe Yutaka One of New Features in GnuPG 2.1

Let's use Ed25519 with GnuPG 2.1 and Gnuk Token! Niibe Yutaka One of New Features in GnuPG 2.1

Let's use Ed25519 with GnuPG 2.1 and Gnuk Token! Niibe Yutaka One of New Features in GnuPG 2.1 ECC: Elliptic Curve Cryptography New algorithm for public key crypto Benefit Smaller key size for equivalent strength NOTE:

433 views • 16 slides
GNUK TOKEN AND GNUPG GNUK TOKEN AND GNUPG SCDAEMON SCDAEMON minimizing the attack surface

GNUK TOKEN AND GNUPG GNUK TOKEN AND GNUPG SCDAEMON SCDAEMON minimizing the attack surface

GNUK TOKEN AND GNUPG GNUK TOKEN AND GNUPG SCDAEMON SCDAEMON minimizing the attack surface NIIBE Yutaka <gniibe@fsij.org> FOSDEM 2018 This is a talk of my experience to have better control (by its user) of computing for privacy

610 views • 37 slides
GnuPG 2.1 Explained for Everyone Niibe {Yutaka, Hitoe, Hiroshi, Ayumi} John Paul Adrian Glaubitz

GnuPG 2.1 Explained for Everyone Niibe {Yutaka, Hitoe, Hiroshi, Ayumi} John Paul Adrian Glaubitz

GnuPG 2.1 Explained for Everyone Niibe {Yutaka, Hitoe, Hiroshi, Ayumi} John Paul Adrian Glaubitz Contents GPG 2.1 is not beta software Everyone relies on GnuPG Debian and GnuPG 3 GPG Branches What's New in 2.1?

733 views • 25 slides
Performant Security Hardening Steve Rutherford (srutherford@google.com) Googles

Performant Security Hardening Steve Rutherford (srutherford@google.com) Googles

Performant Security Hardening Steve Rutherford (srutherford@google.com) Googles Virtualization Security Team 1 Preface This talk is x86 and KVM centric 2 Outline Background Current Hardening Split Irqchip, PIT Prototype Hardening

884 views • 41 slides
Implementing the Yubikey at Fermilab Sal Gonzlez and Al Lilianstrom National Laboratories

Implementing the Yubikey at Fermilab Sal Gonzlez and Al Lilianstrom National Laboratories

FERMILAB-SLIDES-19-031-CD Implementing the Yubikey at Fermilab Sal Gonzlez and Al Lilianstrom National Laboratories Information Technology Summit 2019 This manuscript has been authored by Fermi Research Alliance, LLC under Contract No.

714 views • 27 slides
Hurricane Hardening Hurricane Hardening Research Research Presentation to the Louisiana Public

Hurricane Hardening Hurricane Hardening Research Research Presentation to the Louisiana Public

Hurricane Hardening Hurricane Hardening Research Research Presentation to the Louisiana Public Service Commission May 4, 2007 Mark A. Jamison, PURC Director Leadership in Infrastructure Policy Leadership in Infrastructure Policy

487 views • 45 slides
Single Event Upset Hardening Single Event Upset Hardening by 'hijacking' the multi-VT by

Single Event Upset Hardening Single Event Upset Hardening by 'hijacking' the multi-VT by

Single Event Upset Hardening Single Event Upset Hardening by 'hijacking' the multi-VT by 'hijacking' the multi-VT flow during synthesis flow during synthesis Roland Weigand February 04, 2013 Design Automation Conference User Track European

394 views • 17 slides
Hardening Windows Applications Hardening Windows Applications olleB olle@toolcrypt.org The

Hardening Windows Applications Hardening Windows Applications olleB olle@toolcrypt.org The

www.toolcrypt.org Standing on the shoulders of the Blue Monster: Hardening Windows Applications Hardening Windows Applications olleB olle@toolcrypt.org The Toolcrypt Group www.toolcrypt.org www.toolcrypt.org Agenda Agenda Introduction

532 views • 32 slides
Anil Kurmus kur@zurich.ibm.com IBM Research - Zurich Outline 1. Background Hardening Kernel

Anil Kurmus kur@zurich.ibm.com IBM Research - Zurich Outline 1. Background Hardening Kernel

September 2016 BalCCon 2k16 Kernel Exploitation and Hardening Why we could have nice things! (using Split Kernel) Anil Kurmus kur@zurich.ibm.com IBM Research - Zurich Outline 1. Background Hardening Kernel Vulnerabilities Kernel

1.07k views • 39 slides
Agenda Linux security 1. System hardening 2. Technical audits 3. Automation 2 Michael Boelen

Agenda Linux security 1. System hardening 2. Technical audits 3. Automation 2 Michael Boelen

Agenda Linux security 1. System hardening 2. Technical audits 3. Automation 2 Michael Boelen 3 Linux security Areas Core Resources Services Environment System Hardening Boot Process Accounting Database Forensics Containers

821 views • 34 slides
FSIJ USB Token for GnuPG Niibe Yutaka <gniibe@fsij.org> 2009-10-21 Japan Linux Symposium

FSIJ USB Token for GnuPG Niibe Yutaka <gniibe@fsij.org> 2009-10-21 Japan Linux Symposium

FSIJ USB Token for GnuPG Niibe Yutaka <gniibe@fsij.org> 2009-10-21 Japan Linux Symposium Contents Who am I? GNU Privacy Guard FSIJ USB Token PCB design V-USB (AVR-USB) CCID/ICCD Protocol OpenPGP Protocol RSA

991 views • 26 slides
Hardening WordPress (or, How Not To Get Hacked And What To Do When You Are) Gregory Ray dot

Hardening WordPress (or, How Not To Get Hacked And What To Do When You Are) Gregory Ray dot

Hardening WordPress (or, How Not To Get Hacked And What To Do When You Are) Gregory Ray dot gray inc. @dotgray Sunday, March 15, 15 Resources Codex.WordPress.org / Hardening_WordPress Blog.Sucuri.net / WordPress Security WPSecure.net /

608 views • 32 slides
Hardening the Firefox browser Preventing unwanted background traffic to Google, Pocket and hidden

Hardening the Firefox browser Preventing unwanted background traffic to Google, Pocket and hidden

Hardening the Firefox browser Preventing unwanted background traffic to Google, Pocket and hidden telemetry to Mozilla Per Foyer per@foyer.se 10 10 Cryptoparty 201911-R1 Hardening Firefox: Method To harden Firefox we need to: 1. Adjust

470 views • 14 slides
Vacuum: 12GeV Hardening Anthony DiPette Installation / Vacuum Group Leader 7/16/2015 Vacuum:

Vacuum: 12GeV Hardening Anthony DiPette Installation / Vacuum Group Leader 7/16/2015 Vacuum:

Vacuum: 12GeV Hardening Anthony DiPette Installation / Vacuum Group Leader 7/16/2015 Vacuum: 12GeV Hardening Vacuum Improvements & Status Synchrotron Radiation Effects Vacuum Spares Page 2 Vac Improvements - Linac Viewer

309 views • 13 slides
Experiment Talks (RIXS/XES) A new x-ray emission spectrometer is available at the CLSS beamline

Experiment Talks (RIXS/XES) A new x-ray emission spectrometer is available at the CLSS beamline

Experiment Talks (RIXS/XES) A new x-ray emission spectrometer is available at the CLSS beamline of ALBA Laura Simonelli CLSS beamline responsible Dominique Heinis Wojciech Olszewski Carlo Marini Laura Simonelli Nitya Ramanan Laura

703 views • 17 slides
Combinatorics and topology of toric arrangements II. Topology of arrangements in the complex torus

Combinatorics and topology of toric arrangements II. Topology of arrangements in the complex torus

Combinatorics and topology of toric arrangements II. Topology of arrangements in the complex torus (An invitation to combinatorial algebraic topology) Emanuele Delucchi (SNSF / Universit e de Fribourg) Toblach/Dobbiaco February 23, 2017

543 views • 42 slides
rr tt ts r

rr tt ts r

r str rs tt strts stt rr

511 views • 49 slides
Infrastructures for Cloud Computing and Big Data Global Stream Processing Antonio Corradi, Luca

Infrastructures for Cloud Computing and Big Data Global Stream Processing Antonio Corradi, Luca

University of Bologna Dipartimento di Informatica Scienza e Ingegneria (DISI) Engineering Bologna Campus Class of Computer Networks M or Infrastructures for Cloud Computing and Big Data Global Stream Processing Antonio Corradi, Luca

388 views • 16 slides
Introduction to Computer Security Session 1.5 Usable Security and Secure Messaging Prof. Nadim

Introduction to Computer Security Session 1.5 Usable Security and Secure Messaging Prof. Nadim

CSCI-UA.9480 Introduction to Computer Security Session 1.5 Usable Security and Secure Messaging Prof. Nadim Kobeissi 1.5a Usable Security: Then and Now 2 CSCI-UA.9480: Introduction to Computer Security Nadim Kobeissi Humans are

1.24k views • 67 slides
Applied Cryptography (Pt. 2) Engineering Secure Software Last Revised: October 16, 2020

Applied Cryptography (Pt. 2) Engineering Secure Software Last Revised: October 16, 2020

Applied Cryptography (Pt. 2) Engineering Secure Software Last Revised: October 16, 2020 SWEN-331: Engineering Secure Software Benjamin S Meyers 1 Recap Symmetric keys Benefit: fastest, mathematically the strongest Drawback:

425 views • 23 slides
Universality of group embeddability Filippo Calderoni University of Turin Polytechnic di Turin

Universality of group embeddability Filippo Calderoni University of Turin Polytechnic di Turin

Universality of group embeddability Filippo Calderoni University of Turin Polytechnic di Turin 27th July 2016 1/22 Borel reducibility In the framework of Borel reducibility, relations are defined over Polish or standard Borel spaces.

467 views • 44 slides
Secure Messaging Some slides adapted from Dr. Raluca Ada Popa at UC Berkeley End to End

Secure Messaging Some slides adapted from Dr. Raluca Ada Popa at UC Berkeley End to End

Secure Messaging Some slides adapted from Dr. Raluca Ada Popa at UC Berkeley End to End Encryption Only the two parties communicating can decrypt messages Forward Secrecy Key compromise doesnt compromise past session keys

424 views • 23 slides

More recommend