hardening pgp using gnupg and yubikey
play

Hardening PGP using GnuPG and Yubikey hybrid multifactor - PowerPoint PPT Presentation

Sep 17, 2022 •252 likes •690 views

Hardening PGP using GnuPG and Yubikey hybrid multifactor authentication and cryptography John Roman Linux System Administrator RAND Corporation SCALE 2017 Roman, John PGP PGP 101 public/private keyrings Roman, John PGP PGP 101

  1. Hardening PGP using GnuPG and Yubikey hybrid multifactor authentication and cryptography John Roman Linux System Administrator RAND Corporation SCALE 2017 Roman, John PGP

  2. PGP 101 public/private keyrings Roman, John PGP

  3. PGP 101 public/private keyrings public keys go to the world, generated on machine Roman, John PGP

  4. PGP 101 public/private keyrings public keys go to the world, generated on machine key types: signing, authentication, cryptography Roman, John PGP

  5. pitfalls private keyring. . . but how private? Roman, John PGP

  6. pitfalls private keyring. . . but how private? portability Roman, John PGP

  7. pitfalls private keyring. . . but how private? portability standards compliance Roman, John PGP

  8. conventional example, the CAC/PIV Common Access Card, in service since 2005 Roman, John PGP

  9. conventional example, the CAC/PIV Common Access Card, in service since 2005 FIPS201 PIV Federal Information Processing Standard (FIPS) 201,Personal Identity Verification Roman, John PGP

  10. OpenPGP: we we’re JUST thinking that! OpenPGP Card: in service since 2004 Roman, John PGP

  11. OpenPGP: we we’re JUST thinking that! OpenPGP Card: in service since 2004 9 different vendors, multiple form factors Roman, John PGP

  12. OpenPGP: we we’re JUST thinking that! OpenPGP Card: in service since 2004 9 different vendors, multiple form factors relatively unknown outside of FSF Europe. Roman, John PGP

  13. Our focus: Yubikey supports hybrid mode Roman, John PGP

  14. Our focus: Yubikey supports hybrid mode hermetic, crushproof, scaleable pricing Roman, John PGP

  15. Our focus: Yubikey supports hybrid mode hermetic, crushproof, scaleable pricing NFC option. Roman, John PGP

  16. general concepts card has a CPU, firmware. Roman, John PGP

  17. general concepts card has a CPU, firmware. keys are loaded into slots, or generated by the card Roman, John PGP

  18. general concepts card has a CPU, firmware. keys are loaded into slots, or generated by the card encryption, decryption, signature are all commands Roman, John PGP

  19. general concepts card has a CPU, firmware. keys are loaded into slots, or generated by the card encryption, decryption, signature are all commands once loaded, private keys are sacrosanct. Roman, John PGP

  20. general concepts card has a CPU, firmware. keys are loaded into slots, or generated by the card encryption, decryption, signature are all commands once loaded, private keys are sacrosanct. Yubikey only accepts commands, only returns data. NEVER KEYS. Roman, John PGP

  21. HSM Specific concepts pin number similar to european credit cards Roman, John PGP

  22. HSM Specific concepts pin number similar to european credit cards 3 strikes, your pin is locked Roman, John PGP

  23. HSM Specific concepts pin number similar to european credit cards 3 strikes, your pin is locked pin can be unlocked with a security officer pin. Roman, John PGP

  24. HSM Specific concepts pin number similar to european credit cards 3 strikes, your pin is locked pin can be unlocked with a security officer pin. 3 strikes against the SO pin? card is bricked. keys lost. game over. Roman, John PGP

  25. HSM Specific concepts pin number similar to european credit cards 3 strikes, your pin is locked pin can be unlocked with a security officer pin. 3 strikes against the SO pin? card is bricked. keys lost. game over. pin length 6-8 characters, some implementations more than 128 char. Roman, John PGP

  26. placing the card into ’hybrid’ mode ykpersonalize -d -m82 Firmware version 4.3.1 Touch level 527 Program sequence 3 The USB mode will be set to: 0x82 Commit? (y/n) [n]: n Roman, John PGP

  27. OpenPGP card overview keys were loaded from an airgapped system using the keytocard command. Roman, John PGP

  28. OpenPGP card programming gpg –card-edit mode, admin commands enabled Roman, John PGP

  29. applications anything GPG enabled Roman, John PGP

  30. applications anything GPG enabled anything PAM enabled Roman, John PGP

  31. applications anything GPG enabled anything PAM enabled defense in depth: OTP/Cert/PW? sure Roman, John PGP

  32. applications anything GPG enabled anything PAM enabled defense in depth: OTP/Cert/PW? sure multiple cards per key, each has a unique subkey (code signing!) Roman, John PGP

  33. applications Roman, John PGP

  34. NFC option: here be dragons easy integration with Openkeychain in Android/IPhone Roman, John PGP

  35. NFC option: here be dragons easy integration with Openkeychain in Android/IPhone keys need to be generated by the user Roman, John PGP

  36. NFC option: here be dragons easy integration with Openkeychain in Android/IPhone keys need to be generated by the user only supports a 2048 bit key Roman, John PGP

  37. deploying 450 (thousand?) of these things. Roman, John PGP

  38. Entropy. GPG relies on kernel, not userland entropy. - Flying Stone FST01 from the FSF store! - RTL digital TV dongle and a tractor paper copy of phrack Roman, John PGP

  39. OpenPGP not included... Red Hat Enterprise Linux 7 does not include opensc GnuPG Roman, John PGP

  40. y tho... NFC user fatigue. not all NFC devices are “great” at picking up NFC lack of a yubikey might cause lack of communication. Roman, John PGP

  41. “destroyed” cards... – try not to trigger a SO/Reset pin lock!! – to reissue or reset? Roman, John PGP

  42. Questions? Roman, John PGP

Recommend

Hardening PGP using GnuPG and Yubikey hybrid multifactor authentication and cryptography John

Hardening PGP using GnuPG and Yubikey hybrid multifactor authentication and cryptography John

Hardening PGP using GnuPG and Yubikey hybrid multifactor authentication and cryptography John Roman Linux System Administrator RAND Corporation SCALE 2017 Roman, John PGP PGP 101 public/private keyrings Roman, John PGP PGP 101

471 views • 43 slides
Yubikey Discovery and fjrst use of Yubico's Yubikey Presented by : Maxime de Roucy

Yubikey Discovery and fjrst use of Yubico's Yubikey Presented by : Maxime de Roucy

Yubikey Discovery and fjrst use of Yubico's Yubikey Presented by : Maxime de Roucy mderoucy@linagora.com http:// dokuwiki. craoc.fr/ About myself (really quick I promise) Job Technical Account Manager OSSA Open Source

279 views • 17 slides
Let's use Ed25519 with GnuPG 2.1 and Gnuk Token! Niibe Yutaka One of New Features in GnuPG 2.1

Let's use Ed25519 with GnuPG 2.1 and Gnuk Token! Niibe Yutaka One of New Features in GnuPG 2.1

Let's use Ed25519 with GnuPG 2.1 and Gnuk Token! Niibe Yutaka One of New Features in GnuPG 2.1 ECC: Elliptic Curve Cryptography New algorithm for public key crypto Benefit Smaller key size for equivalent strength NOTE:

433 views • 16 slides
GNUK TOKEN AND GNUPG GNUK TOKEN AND GNUPG SCDAEMON SCDAEMON minimizing the attack surface

GNUK TOKEN AND GNUPG GNUK TOKEN AND GNUPG SCDAEMON SCDAEMON minimizing the attack surface

GNUK TOKEN AND GNUPG GNUK TOKEN AND GNUPG SCDAEMON SCDAEMON minimizing the attack surface NIIBE Yutaka <gniibe@fsij.org> FOSDEM 2018 This is a talk of my experience to have better control (by its user) of computing for privacy

610 views • 37 slides
GnuPG 2.1 Explained for Everyone Niibe {Yutaka, Hitoe, Hiroshi, Ayumi} John Paul Adrian Glaubitz

GnuPG 2.1 Explained for Everyone Niibe {Yutaka, Hitoe, Hiroshi, Ayumi} John Paul Adrian Glaubitz

GnuPG 2.1 Explained for Everyone Niibe {Yutaka, Hitoe, Hiroshi, Ayumi} John Paul Adrian Glaubitz Contents GPG 2.1 is not beta software Everyone relies on GnuPG Debian and GnuPG 3 GPG Branches What's New in 2.1?

733 views • 25 slides
Performant Security Hardening Steve Rutherford (srutherford@google.com) Googles

Performant Security Hardening Steve Rutherford (srutherford@google.com) Googles

Performant Security Hardening Steve Rutherford (srutherford@google.com) Googles Virtualization Security Team 1 Preface This talk is x86 and KVM centric 2 Outline Background Current Hardening Split Irqchip, PIT Prototype Hardening

884 views • 41 slides
Implementing the Yubikey at Fermilab Sal Gonzlez and Al Lilianstrom National Laboratories

Implementing the Yubikey at Fermilab Sal Gonzlez and Al Lilianstrom National Laboratories

FERMILAB-SLIDES-19-031-CD Implementing the Yubikey at Fermilab Sal Gonzlez and Al Lilianstrom National Laboratories Information Technology Summit 2019 This manuscript has been authored by Fermi Research Alliance, LLC under Contract No.

714 views • 27 slides
Hurricane Hardening Hurricane Hardening Research Research Presentation to the Louisiana Public

Hurricane Hardening Hurricane Hardening Research Research Presentation to the Louisiana Public

Hurricane Hardening Hurricane Hardening Research Research Presentation to the Louisiana Public Service Commission May 4, 2007 Mark A. Jamison, PURC Director Leadership in Infrastructure Policy Leadership in Infrastructure Policy

487 views • 45 slides
Single Event Upset Hardening Single Event Upset Hardening by 'hijacking' the multi-VT by

Single Event Upset Hardening Single Event Upset Hardening by 'hijacking' the multi-VT by

Single Event Upset Hardening Single Event Upset Hardening by 'hijacking' the multi-VT by 'hijacking' the multi-VT flow during synthesis flow during synthesis Roland Weigand February 04, 2013 Design Automation Conference User Track European

394 views • 17 slides
Hardening Windows Applications Hardening Windows Applications olleB olle@toolcrypt.org The

Hardening Windows Applications Hardening Windows Applications olleB olle@toolcrypt.org The

www.toolcrypt.org Standing on the shoulders of the Blue Monster: Hardening Windows Applications Hardening Windows Applications olleB olle@toolcrypt.org The Toolcrypt Group www.toolcrypt.org www.toolcrypt.org Agenda Agenda Introduction

532 views • 32 slides
Anil Kurmus kur@zurich.ibm.com IBM Research - Zurich Outline 1. Background Hardening Kernel

Anil Kurmus kur@zurich.ibm.com IBM Research - Zurich Outline 1. Background Hardening Kernel

September 2016 BalCCon 2k16 Kernel Exploitation and Hardening Why we could have nice things! (using Split Kernel) Anil Kurmus kur@zurich.ibm.com IBM Research - Zurich Outline 1. Background Hardening Kernel Vulnerabilities Kernel

1.07k views • 39 slides
Agenda Linux security 1. System hardening 2. Technical audits 3. Automation 2 Michael Boelen

Agenda Linux security 1. System hardening 2. Technical audits 3. Automation 2 Michael Boelen

Agenda Linux security 1. System hardening 2. Technical audits 3. Automation 2 Michael Boelen 3 Linux security Areas Core Resources Services Environment System Hardening Boot Process Accounting Database Forensics Containers

821 views • 34 slides
FSIJ USB Token for GnuPG Niibe Yutaka <gniibe@fsij.org> 2009-10-21 Japan Linux Symposium

FSIJ USB Token for GnuPG Niibe Yutaka <gniibe@fsij.org> 2009-10-21 Japan Linux Symposium

FSIJ USB Token for GnuPG Niibe Yutaka <gniibe@fsij.org> 2009-10-21 Japan Linux Symposium Contents Who am I? GNU Privacy Guard FSIJ USB Token PCB design V-USB (AVR-USB) CCID/ICCD Protocol OpenPGP Protocol RSA

991 views • 26 slides
Hardening WordPress (or, How Not To Get Hacked And What To Do When You Are) Gregory Ray dot

Hardening WordPress (or, How Not To Get Hacked And What To Do When You Are) Gregory Ray dot

Hardening WordPress (or, How Not To Get Hacked And What To Do When You Are) Gregory Ray dot gray inc. @dotgray Sunday, March 15, 15 Resources Codex.WordPress.org / Hardening_WordPress Blog.Sucuri.net / WordPress Security WPSecure.net /

608 views • 32 slides
Hardening the Firefox browser Preventing unwanted background traffic to Google, Pocket and hidden

Hardening the Firefox browser Preventing unwanted background traffic to Google, Pocket and hidden

Hardening the Firefox browser Preventing unwanted background traffic to Google, Pocket and hidden telemetry to Mozilla Per Foyer per@foyer.se 10 10 Cryptoparty 201911-R1 Hardening Firefox: Method To harden Firefox we need to: 1. Adjust

470 views • 14 slides
Vacuum: 12GeV Hardening Anthony DiPette Installation / Vacuum Group Leader 7/16/2015 Vacuum:

Vacuum: 12GeV Hardening Anthony DiPette Installation / Vacuum Group Leader 7/16/2015 Vacuum:

Vacuum: 12GeV Hardening Anthony DiPette Installation / Vacuum Group Leader 7/16/2015 Vacuum: 12GeV Hardening Vacuum Improvements & Status Synchrotron Radiation Effects Vacuum Spares Page 2 Vac Improvements - Linac Viewer

309 views • 13 slides
Hardening PHP - Some basic security measures. Antonio Bonifati

Hardening PHP - Some basic security measures. Antonio Bonifati

Hardening PHP - Some basic security measures. Antonio Bonifati <http://ninuzzo.freehostia.com> ABSTRACT A summary of the most important PHP settings aimed at improving security of PHP web servers. Whenever you have to harden a PHP

615 views • 5 slides
Practical Password Hardening based on TLS Constantinos Diomedous and Elias Athanasopoulos

Practical Password Hardening based on TLS Constantinos Diomedous and Elias Athanasopoulos

Practical Password Hardening based on TLS Constantinos Diomedous and Elias Athanasopoulos University of Cyprus 1 How authentication works today? 2 How web services protect passwords? Cryptographically secure hash functions One way

538 views • 22 slides
A brief presentation of ASELT In Process Control . The HBU induction heating for hardening needs

A brief presentation of ASELT In Process Control . The HBU induction heating for hardening needs

ASELT srl Montebello Vicentino (VI) A brief presentation of ASELT In Process Control . The HBU induction heating for hardening needs to be monitored very strictly in order to reach a product in conformance. The ASELT IPC is a new generation

450 views • 9 slides
A totally new approach to measuring the degree of hardening of UV cured resins AcroEdge Co., Ltd

A totally new approach to measuring the degree of hardening of UV cured resins AcroEdge Co., Ltd

A totally new approach to measuring the degree of hardening of UV cured resins AcroEdge Co., Ltd C.E.O. Kenichi Nakamune Non-contact Non-destructive Even when samples are inserted in glass or film, such as film bonding with UV curing resin,

188 views • 7 slides
Hardening Application Security using Intel SGX Max Plauth, Frederik T eschke, Daniel Richter,

Hardening Application Security using Intel SGX Max Plauth, Frederik T eschke, Daniel Richter,

Hardening Application Security using Intel SGX Max Plauth, Frederik T eschke, Daniel Richter, and Andreas Polze Operating Systems & Middleware Group Hasso Plattner Institute at University of Potsdam, Germany Motivation data security:

423 views • 31 slides
Security AutoSecure Router HardeningAutomagically The process of turning off unnecessary

Security AutoSecure Router HardeningAutomagically The process of turning off unnecessary

Security AutoSecure Router HardeningAutomagically The process of turning off unnecessary services is called hardening a router to prevent attacks or exploits. The basic steps of router hardening are: 1) Administratively shut down

102 views • 8 slides
Hardening your systems against litigation Alexander Muentz, Esq LISA '07 Overview Why

Hardening your systems against litigation Alexander Muentz, Esq LISA '07 Overview Why

Hardening your systems against litigation Alexander Muentz, Esq LISA '07 Overview Why litigation should be considered an IT risk Overview of litigation How you can help or hurt Some examples What works and doesn't work Your logo here 2

706 views • 22 slides
Securing your in-ear fitness coach: Challenges in hardening next generation wearables Kavya

Securing your in-ear fitness coach: Challenges in hardening next generation wearables Kavya

Securing your in-ear fitness coach: Challenges in hardening next generation wearables Kavya Racharla Sumanth Naropanth Who are we? Kavya Racharla Security Research Manager Sports Group, Intel Oracle & Qualcomm

826 views • 48 slides

More recommend