[Gnuk-users] gnuk-users Digest, Vol 84, Issue 3

Srinivas V vsrinu26f at gmail.com
Sun Apr 30 17:47:57 UTC 2017


1. In no situation should any key leave the token.
2. Firmware update should clear the keys.
3. User should load keys if created offline or generate new keys on token.

Firmware upgrade with key persistence is a bug and is a security nightmare. I cannot trust the token and will not have a clue if the firmware is silently modified to leak by a rogue app.

Thank you
Srinivas

> On Apr 30, 2017, at 7:02 AM, gnuk-users-request at lists.alioth.debian.org wrote:
> 
> 
> Today's Topics:
> 
>   1. Gnuk 1.2.3: keys for firmware upgrades (Ineiev)
> 
> 
> ----------------------------------------------------------------------
> 
> Message: 1
> Date: Sat, 29 Apr 2017 08:49:38 -0400
> From: Ineiev <ineiev at gnu.org>
> To: gnuk-users at lists.alioth.debian.org
> Subject: [Gnuk-users] Gnuk 1.2.3: keys for firmware upgrades
> Message-ID: <20170429124938.GQ3854 at gnu.org>
> Content-Type: text/plain; charset="utf-8"
> 
> Hello,
> 
> With FST-01, I try to extract a key for firmware updates as
> documented in doc/note/firmware-update, but the script gets
> 257 bytes of key data rather than 256 (for any of 3 keys).
> 
> Is there something wrong about my keys?
> 
> This is what it looks like:
> 
> $ gpg --home gnupg/ --version
> gpg (GnuPG) 2.1.20
> libgcrypt 1.7.6
> Copyright (C) 2017 Free Software Foundation, Inc.
> License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>
> This is free software: you are free to change and redistribute it.
> There is NO WARRANTY, to the extent permitted by law.
> 
> Home: /home/dti/.tmp-gnupg/gnupg/
> Supported algorithms:
> Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
> Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
>        CAMELLIA128, CAMELLIA192, CAMELLIA256
> Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
> Compression: Uncompressed, ZIP, ZLIB, BZIP2
> $ gpg --home gnupg/ --card-status
> 
> Reader ...........: 234B:0000:FSIJ-1.2.3-87253754:0
> Application ID ...: D276000124010200FFFE872537540000
> Version ..........: 2.0
> Manufacturer .....: unmanaged S/N range
> Serial number ....: 87253754
> Name of cardholder: [not set]
> Language prefs ...: [not set]
> Sex ..............: unspecified
> URL of public key : [not set]
> Login data .......: [not set]
> Signature PIN ....: forced
> Key attributes ...: rsa2048 rsa2048 rsa2048
> Max. PIN lengths .: 127 127 127
> PIN retry counter : 3 3 3
> Signature counter : 0
> Signature key ....: CF29 B8A6 FC34 8C7B DAA6  1E0D 04FD EFEE 6DAA 28B0
>      created ....: 2017-04-17 15:50:12
> Encryption key....: F25C 6ABB CEA6 BFE0 C66A  D17A B420 3EF3 44C1 B8D1
>      created ....: 2017-04-17 15:50:12
> Authentication key: F4E9 047F 6DAA 9CB8 922A  5DE8 8F75 A005 8396 3DBF
>      created ....: 2017-04-17 15:53:24
> General key info..: pub  rsa2048/04FDEFEE6DAA28B0 2017-04-17 ???? ?????? <vp at test.org>
> sec>  rsa2048/04FDEFEE6DAA28B0  created: 2017-04-17  expires: 2019-04-17
>                                card-no: FFFE 87253754
> ssb>  rsa2048/B4203EF344C1B8D1  created: 2017-04-17  expires: 2019-04-17
>                                card-no: FFFE 87253754
> ssb>  rsa2048/8F75A00583963DBF  created: 2017-04-17  expires: 2019-04-17
>                                card-no: FFFE 87253754
> $ gpg-connect-agent --home gnupg/ "KEYINFO --list" /bye
> S KEYINFO A2070D0277211BD4188087E31BD8B20740139A7B T D276000124010200FFFE872537540000 OPENPGP.1 - - - - -
> S KEYINFO D35A3BE3C287D6DB05C5C615BB6E9C52C51B353C T D276000124010200FFFE872537540000 OPENPGP.2 - - - - -
> S KEYINFO 6864BCD8D33D63FC1DA94EE67EDE26EBB1ED248F T D276000124010200FFFE872537540000 OPENPGP.3 - - - - -
> OK
> $ ./get-raw-key.py 6864BCD8D33D63FC1DA94EE67EDE26EBB1ED248F
> len(key) = 257
> Traceback (most recent call last):
>  File "./get-raw-key.py", line 28, in <module>
>    k = get_gpg_public_key(keygrip)
>  File "./get-raw-key.py", line 23, in get_gpg_public_key
>    raise ValueError, binascii.hexlify(key)
> ValueError: b7cd6782738f282059a248015c4c136aa126ba0f91db90fa5c5192cd1263d1e3ac5b3747550e228e802969d1e371f8c91f3463ec973abca8030a045014da01e9b52c6e4a939230af6ae44c0ad0e4eaa3dde48a2a0caf72036d6767a783bc8ea709edd37ffb1c8203655f17cf0f635ea4fc717d15b82cbd5cc69ac6dec1fe2e4fe29333e3591dd6d7fff8787da52162a9ccfd23a94c92ac3ca48663460b9bb05cecd22df66e8571eb4408e8903688f73e89bb4236b740a765586bde1e062c5f5d4d7b02da18be0764b74c11ded95373356bd4e938ce8c4e46e505c26bb66d6be32a5f0135a8d3ccf71edbbf1fdad4bd86c93e1d805601d98a81daf2ec3eee091f29
> -------------- next part --------------
> A non-text attachment was scrubbed...
> Name: get-raw-key.py
> Type: text/x-python
> Size: 904 bytes
> Desc: not available
> URL: <http://lists.alioth.debian.org/pipermail/gnuk-users/attachments/20170429/6bc764dc/attachment-0001.py>


