[Gnuk-users] Can't change pin on FST-01 - "general error"
Duncan Guthrie
dguthrie at posteo.net
Fri Dec 9 02:42:28 UTC 2016
Dear Mr. Niibe,
Thank you for the explanation. I am now able to change the PIN. This is a very logical way to deal with the problem of the PIN being stored on the flash chip.
Thanks again,
Duncan
On 8 December 2016 11:47:07 pm GMT+00:00, NIIBE Yutaka <gniibe at fsij.org> wrote:
>Duncan Guthrie <dguthrie at posteo.net> writes:
>> I insert the device in my computer, and run "gpg --card-edit". I then
>> type "admin" to enable more privileged commands, and select
>> "passwd". I then select option 2, "unblock PIN", as directed by this
>> page, https://wiki.debian.org/Smartcards/OpenPGP, under the section
>> "initialising the smartcard". I am prompted for the admin PIN, which
>> is left as default and this is accepted.
>>
>> However, any PIN I type in to change the PIN is always rejected, with
>> the generic error message " general error". Selecting the other
>> options, such as "change PIN", yields the same result, albeit this
>> option does not ask for the admin PIN, but the regular default PIN.
>
>Sorry for your inconvenience.
>
>This is the behaviour of Gnuk 1.2. Changing user PIN is only possible
>when private keys are installed (at least one key). I should address
>about this incompatible change more clearly.
>
>In Gnuk 1.0, user PIN information (hashed PIN) is recorded onto the
>flash ROM on MCU until three private keys are registered. So, it is
>possible for Gnuk 1.0 to change user PIN with no private key. On the
>other hand, Gnuk 1.0 doesn't allow overriding key import (user needs to
>delete keys by Gnuk specific tool, before installing new private key).
>
>In Gnuk 1.2, user PIN information is never recorded onto the flash ROM.
>Authentication is done if encrypted private key can be successfully
>decoded (or not).
>
>This breakage was introduced because I thought it is important to
>support the use case with only one private key or two private keys
>securely, allowing overriding key import.
>
>In Gnuk 1.0, I assumed that all users install three private keys onto
>OpenPGPcard. I realized that there are many users who don't.
>
>Please stand with the factory setting of initial user PIN of 123456
>until you install private keys (or generate them on token). And only
>after installing private keys, change user PIN.
>
>I know that developers should avoid this kind of breakage which needs
>to change how user uses the software/device. I tried to avoid, but I
>couldn't find any good solution with no breakage. Then, my choice was
>(possibly acceptable) small breakage at the initial interaction, in
>order to fix major security flaw in some known use cases.
>
>Well, let me explain the possible risk of Gnuk 1.0. When a user only
>install less than three private keys (one or two), the token has no
>protection of private key(s) against invasive physical attacks to MCU.
>
>> Also of significance is that when running the tests in the " test"
>> directory, these are all successful, however, in "tests" I get the
>> following error:
>
>Thanks for your report. This is not related to the error you got.
>
>> ============================= test session starts ==============================
>> platform linux -- Python 3.4.2 -- py-1.4.25 -- pytest-2.6.3
>> collected 98 items
>>
>> test_empty_card.py E
>>
>> ==================================== ERRORS ====================================
>> _________________________ ERROR at setup of test_login _________________________
>> pytest.fixture functions cannot use ``yield``. Instead write and return an inner
>> function/generator and let the consumer call and iterate over it.:
>>
>>     @pytest.fixture(scope="session")
>>     def card():
>>         print()
>>         print("Test start!")
>>         reader = get_ccid_device()
>>         print("Reader:", reader.get_string(1), reader.get_string(2))
>>         card = OpenPGP_Card(reader)
>>         card.cmd_select_openpgp()
>>         yield card
>>         del card
>> /home/user/gnuk/tests/conftest.py:9
>> !!!!!!!!!!!!!!!!!!!! Interrupted: stopping after 1 failures !!!!!!!!!!!!!!!!!!!!
>> =========================== 1 error in 0.09 seconds ============================
>
>I guess that this is due to version difference of PyTest or Python.
>I'll check the error and I will fix as this kind error suggested.
--
Sent from my Android device with K-9 Mail. Please excuse my brevity.
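As an added illustration of the Gnuk 1.2 authentication model Niibe describes above (this is not Gnuk's code; the PBKDF2 key derivation, HMAC-counter stream cipher and HMAC tag are stdlib stand-ins assumed for this example): the token keeps no PIN hash in flash, a PIN is "verified" only by successfully decrypting an installed private key, and so a PIN change on an empty token has nothing to succeed against.

```python
import hashlib
import hmac
import os

# Constructed model of the Gnuk 1.2 scheme described in the thread (not Gnuk code):
# the token never stores a PIN hash; it stores each private key encrypted under a
# key derived from the user PIN, so "is this PIN right?" can only be answered by
# trying to decrypt an installed key.  KDF, cipher and MAC here are assumptions.

FACTORY_USER_PIN = b"123456"  # factory default quoted in the thread


def _keystream(key, salt, n):
    # HMAC-SHA256 in counter mode as a stdlib-only stream cipher (toy choice).
    blocks = (hmac.new(key, salt + i.to_bytes(4, "big"), "sha256").digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]


def _wrap(pin, key_material):
    salt = os.urandom(16)
    k = hashlib.pbkdf2_hmac("sha256", pin, salt, 50_000, dklen=64)
    ct = bytes(a ^ b for a, b in zip(key_material, _keystream(k[:32], salt, len(key_material))))
    tag = hmac.new(k[32:], salt + ct, "sha256").digest()
    return salt + ct + tag  # this blob is all that would go to flash


def _unwrap(pin, blob):
    salt, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    k = hashlib.pbkdf2_hmac("sha256", pin, salt, 50_000, dklen=64)
    if not hmac.compare_digest(tag, hmac.new(k[32:], salt + ct, "sha256").digest()):
        return None  # wrong PIN (or tampered blob): authentication fails
    return bytes(a ^ b for a, b in zip(ct, _keystream(k[:32], salt, len(ct))))


class Token:
    def __init__(self):
        self.blobs = []  # encrypted private keys; nothing about the PIN itself

    def import_key(self, pin, key_material):
        self.blobs.append(_wrap(pin, key_material))

    def verify_pin(self, pin):
        # No installed key means nothing to decrypt, hence nothing to verify against.
        return bool(self.blobs) and _unwrap(pin, self.blobs[0]) is not None

    def change_pin(self, old_pin, new_pin):
        # This is the step that surfaces as gpg's "general error" on an empty token.
        if not self.verify_pin(old_pin):
            return False
        self.blobs = [_wrap(new_pin, _unwrap(old_pin, b)) for b in self.blobs]
        return True
```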