[Gnuk-users] [PATCH RFC] Requiring a physical presence for authentication

Jonathan McDowell noodles at earth.li
Fri Aug 11 12:12:16 UTC 2017

(I suspect you intended your reply to also go to the list, so I hope you
don't mind that I've copied it back on to this mail.)

On Thu, Aug 10, 2017 at 10:18:09AM +0200, NdK wrote:
> On 09/08/2017 23:49, Jonathan McDowell wrote:
> > I've recently been playing with the Maple Mini as a GnuK device. It has
> > a hardware button and an LED on it, and it occurred to me that I could
> > add a requirement that the button must be pressed in order to perform
> > any operation that requires PIN authentication. This is in *addition* to
> > the PIN requirement, rather than instead of.
> That's exactly what I asked Gniibe some years ago! :)
> > The attached patches implement this; I've hacked up ac.c to turn on the
> > LED and wait for up to 10 seconds for a button press, and return failure
> > if one is not seen.
> Maybe I'll be able to extend it to handle a WS2812B (to keep using a
> single GPIO) LED: blue=auth, green=decrypt, red=sign :)

Yeah, I did consider adding one of the spare tricolour LEDs I have lying
around to provide that extra information, but decided for a first cut
I'd just use the board unmodified.

> > Finally although the Maple Mini is cheap and easy to play with it
> > suffers from not being the best form factor. I'd much prefer something
> > that I could attach to a (physical) keyring and not worry about.
> Just carve an eraser :) That and a bit of hot glue makes it quite sturdy.

Hmmm. That might work (though still ends up quite a bit bulkier than
necessary due to the extra pins all being brought out on the board).

> > The Nitrokey is still around, but I don't think the hardware is
> > hackable in any way so I don't think that's an option?
> Nope. It's smartcard-based (IIRC) and accessing the button requires
> the developer to sign an NDA to access the docs :(

The Nitrokey Start is GnuK based, the other models use a smartcard
internally AIUI.


101 things you can't have too much of : 19 - A Good Thing.
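
An added sketch of the gate described in the quoted mail above (LED on, wait up to 10 seconds for a button press, fail otherwise), applied in addition to the PIN check. It is not the patch from this thread or Gnuk code: the function names, poll interval, debounce count and button traces are constructed assumptions, and it goes one step beyond the mail by requiring the button to be seen released before a press counts.

```c
/* Added illustration, not Gnuk code: every name below is hypothetical. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define PRESENCE_TIMEOUT_MS 10000u /* "up to 10 seconds", from the mail */
#define POLL_MS 10u                /* assumption */
#define DEBOUNCE_POLLS 3u          /* assumption: press must be stable for 30 ms */

/* Constructed button traces, one sample per poll (1 = pressed). */
static const uint8_t TRACE_PRESS[] = {0, 0, 1, 1, 1};
static const uint8_t TRACE_HELD[] = {1, 1, 1, 1, 1, 1, 1, 1}; /* down before the request */
static const uint8_t TRACE_BOUNCE[] = {0, 1, 0, 1, 1, 0};

static const uint8_t *trace; static size_t trace_len, trace_pos;
static bool led_on;
/* Stand-in for the GPIO read; past the end of the trace the button is released. */
static bool button_read(void) { size_t i = trace_pos++; return i < trace_len && trace[i]; }
static void led_set(bool on) { led_on = on; }

/* Light the LED and wait for a fresh, debounced press. The button must be seen
 * released first, so a held or shorted button never counts as presence. */
static bool wait_for_presence(void) {
    bool seen_released = false, ok = false;
    unsigned stable = 0;
    led_set(true);
    for (uint32_t t = 0; t < PRESENCE_TIMEOUT_MS && !ok; t += POLL_MS) {
        if (!button_read()) { seen_released = true; stable = 0; }
        else if (seen_released && ++stable >= DEBOUNCE_POLLS) ok = true;
        /* firmware would sleep POLL_MS here */
    }
    led_set(false); /* LED goes off on success and on timeout */
    return ok;
}

/* Presence is required in addition to the PIN, never instead of it. */
bool authorize(bool pin_ok, const uint8_t *samples, size_t n) {
    trace = samples; trace_len = n; trace_pos = 0;
    return pin_ok && wait_for_presence();
}

int main(void) {
    printf("press=%d held=%d bounce=%d bad_pin=%d led=%d\n",
           authorize(true, TRACE_PRESS, sizeof TRACE_PRESS),
           authorize(true, TRACE_HELD, sizeof TRACE_HELD),
           authorize(true, TRACE_BOUNCE, sizeof TRACE_BOUNCE),
           authorize(false, TRACE_PRESS, sizeof TRACE_PRESS), led_on);
    return 0;
}
```

With a failed PIN the button is never polled and the LED never lights, so the indicator only comes on for requests that have already passed the PIN check.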
