[Gnuk-users] Ed25519 for signing broken?

NIIBE Yutaka gniibe at fsij.org
Sun Feb 8 02:45:40 UTC 2015


Let me try to solve the problems one by one.

Currently, I don't know why Gnuk generates an invalid signature; I
haven't had such an issue.  I'll investigate this next week.  It would
be good if you could show me a reproducible concrete scenario.

On 02/08/2015 05:44 AM, Jonathan Schleifer wrote:
> I tried to set a pin when there was no key on the Gnuk, but that did
> not seem to work. As soon as there was a key on the Gnuk, I could
> set a PIN.

This is expected.  It is an incompatible change in Gnuk 1.1.x.

With the stable version of Gnuk 1.0.x (which is in FST-01 from Seeed
Studio), you can change the PIN without private keys.

With the experimental version of Gnuk 1.1.x (which is the "master" in
the repository), you can't change the PIN without private keys.  The
error you encountered, "Conditions of use not satisfied", is expected
when you try to change the PIN with no private keys.

It was explained in the Gnuk README somehow, but I failed to explain it
successfully in a way that would help users.

============================= gnuk/README
This is another experimental release of Gnuk, version 1.1.4, which has
incompatible changes to Gnuk 1.0.x.  Specifically, it now supports
overriding key import, but importing keys (or generating keys) results
password reset.  Please update your documentation for Gnuk Token, so
that the instruction of importing keys won't cause any confusion.
=============================

In the Gnuk implementations (both for 1.0.x and 1.1.x), we don't
record raw PIN information on the flash at all, but it is used
indirectly to decrypt private keys.  Gnuk 1.0.x records some PIN
information (not raw, the result of a key derivation function) on the
flash when there are no private keys.  When all three private keys are
registered, the PIN information is removed.  And Gnuk 1.0.x doesn't
support overriding key import, because of this process.

In 1.0.x, it's (somehow) risky to keep using it with only one or two
private keys if we consider some attacks that access the flash
directly.  But I realized that not everyone has three private keys
installed.

Thus, I changed the process in Gnuk 1.1.x, so that we never record any
PIN information on the flash (raw or some).  In this new design, there
is nothing to be used for authentication when there are no private
keys.  In other words, it authenticates by decrypting private keys
with the PIN.  The consequence is that we can't change the PIN with no
private keys.  This is an incompatible change and it's a kind of
strange restriction, but it would be OK.  Well, I could support
overriding key import with this new design, rather easily; that's a
bonus point.

(I think that other OpenPGPcard implementations have some or raw PIN
information in their memory.)

Overriding key import resets the PIN.  This restriction is inevitable
given the OpenPGPcard specification and the current Gnuk
implementation.  If there is some possibility to improve the
situation, it's welcome.

Ideally, it would be good if it were like gpg-agent, supporting more
private keys with possibly independent passphrases.
-- 
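
A small model of the 1.1.x design described in the message above, added here as an example; it is not Gnuk's code and not part of the original post. The KDF (PBKDF2), the stand-in cipher, the single key slot, the factory PIN value and all names are assumptions made for illustration.

```python
import hashlib, hmac, secrets

FACTORY_PIN = b"123456"  # assumption: the PIN value in effect after a reset

class ConditionsNotSatisfied(Exception):
    """Stands for the 'Conditions of use not satisfied' error."""

def _keys(pin, salt):
    # Assumed KDF (PBKDF2); the message does not name the one Gnuk uses.
    k = hashlib.pbkdf2_hmac("sha256", pin, salt, 50_000, dklen=64)
    return k[:32], k[32:]          # encryption key, MAC key

def _xor_stream(key, data):
    # Stand-in cipher: HMAC-SHA256 counter-mode keystream XORed with data.
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hmac.new(key, i.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], pad))
    return bytes(out)

def wrap(pin, secret):
    salt = secrets.token_bytes(16)
    ek, mk = _keys(pin, salt)
    ct = _xor_stream(ek, secret)
    return salt, ct, hmac.new(mk, ct, hashlib.sha256).digest()

def unwrap(pin, blob):
    salt, ct, tag = blob
    ek, mk = _keys(pin, salt)
    good = hmac.compare_digest(tag, hmac.new(mk, ct, hashlib.sha256).digest())
    return _xor_stream(ek, ct) if good else None   # None means wrong PIN

class Token:
    def __init__(self):
        self.flash = None          # only a wrapped key is ever stored here

    def import_key(self, secret):
        # Import (including overriding import) resets the PIN.
        self.flash = wrap(FACTORY_PIN, secret)

    def change_pin(self, old, new):
        if self.flash is None:     # no key, so nothing to authenticate against
            raise ConditionsNotSatisfied("no private key on token")
        secret = unwrap(old, self.flash)
        if secret is None:
            return False           # old PIN failed to decrypt the key
        self.flash = wrap(new, secret)
        return True
```

The flash holds only salt, ciphertext and tag, so the PIN is checked solely by whether the key decrypts, and changing it means re-wrapping the key.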


