Hardening PGP using GnuPG and Yubikey

Similar documents
Secure All The Things Using a Yubikey for 2-Factor on (Almost) All Your Accounts. Jesse Stengel The University of Arizona

Cisco Desktop Collaboration Experience DX650 Security Overview

YubiKey Smart Card Minidriver User Guide. Installation and Usage YubiKey 4, YubiKey 4 Nano, YubiKey 4C, YubiKey 4C Nano, YubiKey NEO, YubiKey NEO-n

Who s Protecting Your Keys? August 2018

YubiKey Smart Card Minidriver User Guide. Installation and Usage YubiKey 4, YubiKey 4 Nano, YubiKey 4C, YubiKey 4C Nano, YubiKey NEO, YubiKey NEO-n

YubiKey PIV Manager User's Guide

Managing Your Privileged Identities: The Choke Point of Advanced Attacks

PGP Key Verification. Version 1.1, 08/26/2002. Stephen Gill Published: 08/26/2002

Introduction. Security Edition User Guide

Single Secure Credential to Access Facilities and IT Resources

Meeting FFIEC Meeting Regulations for Online and Mobile Banking

Securing Smart Meters with MULTOS Technical Overview

CoSign Hardware version 7.0 Firmware version 5.2

Remote Key Loading Spread security. Unlock efficiency

Managing the Risk of Privileged Accounts and Passwords

Salesforce1 Mobile Security White Paper. Revised: April 2014

Security PGP / Pretty Good Privacy. SANOGXXX July, 2017 Gurgaon, Haryana, India

OneID An architectural overview

Creating Trust in a Highly Mobile World

Authentication KAMI VANIEA 1

YubiHSM 2 for ADCS Guide. Securing Microsoft Active Directory Certificate Services with YubiHSM 2

YubiKey Personalization Tool. User's Guide

Ch 7: Mobile Device Management. CNIT 128: Hacking Mobile Devices. Updated

Cryptography: Practice JMU Cyber Defense Boot Camp

Endpoint Protection with DigitalPersona Pro

ENCRYPTION IN USE FACT AND FICTION. White Paper

BitLocker Group Policy Settings

Protecting your data with Windows 10 BitLocker

Using Smart Cards to Protect Against Advanced Persistent Threat

YubiKey Mac Operating System Login Guide

Using PIV Technology Outside the US Government

Security Requirements for Crypto Devices

SecureDoc Disk Encryption Cryptographic Engine

Yubico with Centrify for Mac - Deployment Guide

TWIC / CAC Wiegand 58 bit format

Digital signatures: How it s done in PDF

Smart cards are made of plastic, usually polyvinyl chloride. The card may embed a hologram to prevent counterfeiting. Smart cards provide strong

YubiKey Smart Card Deployment Guide

Dyadic Security Enterprise Key Management

Thales e-security. Security Solutions. PosAm, 06th of May 2015 Robert Rüttgen

On-Device troubleshooting for conferencing and enterprise equipment

SSL/TLS. How to send your credit card number securely over the internet

AXIAD IDS CLOUD SOLUTION. Trusted User PKI, Trusted User Flexible Authentication & Trusted Infrastructure

SEAhawk and Self Encrypting Drives (SED) Whitepaper

VMware, SQL Server and Encrypting Private Data Townsend Security

Stratusphere. Security Overview

MySQL Enterprise Security

Deprecating the Password: A Progress Report. Dr. Michael B. Jones Identity Standards Architect, Microsoft May 17, 2018

Rethinking Authentication. Steven M. Bellovin

UEFI, SecureBoot, DeviceGuard, TPM a WHB (un)related technologies

Open Hybrid Cloud & Red Hat Products Announcements

SERV-U MANAGED FILE TRANSFER SERVER FTP SERVER SOFTWARE FOR SECURE FILE TRANSFER & FILE SHARING

See the ID Rules Before Us: FAL IAL AAL eh? Aaaagh!!! How, How, How, How?

FIPS Security Policy

FIPS Non-Proprietary Security Policy. Level 1 Validation Version 1.2

SIMPLIFY MULTI-PLATFORM ENTERPRISE MOBILITY MANAGEMENT

Mobile Devices as Identity Carriers. Pre Conference Workshop October 14 th 2013

WHITEPAPER E-SERIES ENCRYPTION

Power LogOn s Features - Check List

Encryption I. An Introduction

Interagency Advisory Board Meeting Agenda, Wednesday, June 29, 2011

Secure Government Computing Initiatives & SecureZIP

Making Use of the Subliminal Channel in DSA

ASERCOM cyber-security guideline for connected HVAC/R equipment

Programming YubiKeys for Okta Adaptive Multi-Factor Authentication

Security in NVMe Enterprise SSDs

Is Your Compliance Strategy Putting Your Business at Risk?

Channel FAQ: Smartcrypt Appliances

Clover Flex Security Policy

epldt Web Builder Security March 2017

Identity & security CLOUDCARD+ When security meets convenience

STS Secure for Windows XP, Embedded XP Security Policy Document Version 1.4

SAML-Based SSO Solution

Reliable access to data: We endeavor to ensure you can manage and view your passwords whenever and wherever you need to, offline and online.

PGP Whole Disk Encryption Training

Learn. Connect. Explore.

<Criminal Justice Agency Name> Personally Owned Device Policy. Allowed Personally Owned Device Policy

INFORMATION TECHNOLOGY COMMITTEE ESCB-PKI PROJECT

HikCentral V.1.1.x for Windows Hardening Guide

FIPS Security Policy. for Marvell Semiconductor, Inc. Solaris 2 Cryptographic Module

DoD ANNEX FOR MOBILE DEVICE FUNDAMENTALS (MDF) PROTECTION PROFILE (PP) V3.1. Version 1, Release July Developed by DISA for the DoD

Identity and Authentication PKI Portfolio

DFARS Requirements for Defense Contractors Must Be Satisfied by DECEMBER 31, 2017

Evaluating Hyperconverged Full Stack Solutions by, David Floyer

NFC Identity and Access Control

How Microsoft s Enterprise Mobility Suite Provides helps with those challenges

Computer Networks. Network Security and Ethics. Week 14. College of Information Science and Engineering Ritsumeikan University

Disk Encryption Buyers Guide

Functional Documentation for "NFC CSP Light" Version 1.0

GLOBAL PKI TRENDS STUDY

PGP Command Line Version 10.0 Release Notes

Oracle Solaris 11: No-Compromise Virtualization

Using Workspace ONE PIV-D Manager. VMware Workspace ONE UEM 1811 VMware Workspace ONE PIV-D Manager

BioPassport TM Enterprise Server

Public Key Infrastructures

What is MobiKEY? Definitions

Lecture 3 - Passwords and Authentication

Seagate Secure TCG Enterprise SSC Pulsar.2 Self-Encrypting Drive FIPS 140 Module Security Policy

TEN LAYERS OF CONTAINER SECURITY

Go mobile. Stay in control.

Transcription:

Hardening using GnuPG and Yubikey hybrid multifactor authentication and cryptography John Roman Linux System Administrator RAND Corporation SCALE 2017

101 public/private keyrings

101 public/private keyrings public keys go to the world, generated on machine

101 public/private keyrings public keys go to the world, generated on machine key types: signing, authentication, cryptography

pitfalls private keyring... but how private?

pitfalls private keyring... but how private? portability

pitfalls private keyring... but how private? portability standards compliance

conventional example, the CAC/PIV Common Access Card, in service since 2005

conventional example, the CAC/PIV Common Access Card, in service since 2005 FIPS201 PIV Federal Information Processing Standard (FIPS) 201,Personal Identity Verification

Open: we we re JUST thinking that! Open Card: in service since 2004

Open: we we re JUST thinking that! Open Card: in service since 2004 9 different vendors, multiple form factors

Open: we we re JUST thinking that! Open Card: in service since 2004 9 different vendors, multiple form factors relatively unknown outside of FSF Europe.

Our focus: Yubikey supports hybrid mode

Our focus: Yubikey supports hybrid mode hermetic, crushproof, scaleable pricing

Our focus: Yubikey supports hybrid mode hermetic, crushproof, scaleable pricing NFC option.

general concepts card has a CPU, firmware.

general concepts card has a CPU, firmware. keys are loaded into slots, or generated by the card

general concepts card has a CPU, firmware. keys are loaded into slots, or generated by the card encryption, decryption, signature are all commands

general concepts card has a CPU, firmware. keys are loaded into slots, or generated by the card encryption, decryption, signature are all commands once loaded, private keys are sacrosanct.

general concepts card has a CPU, firmware. keys are loaded into slots, or generated by the card encryption, decryption, signature are all commands once loaded, private keys are sacrosanct. Yubikey only accepts commands, only returns data. NEVER KEYS.

HSM Specific concepts pin number similar to european credit cards

HSM Specific concepts pin number similar to european credit cards 3 strikes, your pin is locked

HSM Specific concepts pin number similar to european credit cards 3 strikes, your pin is locked pin can be unlocked with a security officer pin.

HSM Specific concepts pin number similar to european credit cards 3 strikes, your pin is locked pin can be unlocked with a security officer pin. 3 strikes against the SO pin? card is bricked. keys lost. game over.

HSM Specific concepts pin number similar to european credit cards 3 strikes, your pin is locked pin can be unlocked with a security officer pin. 3 strikes against the SO pin? card is bricked. keys lost. game over. pin length 6-8 characters, some implementations more than 128 char.

placing the card into hybrid mode ykpersonalize -d -m82 Firmware version 4.3.1 Touch level 527 Program sequence 3 The USB mode will be set to: 0x82 Commit? (y/n) [n]: n

Open card overview keys were loaded from an airgapped system using the keytocard command.

Open card programming gpg card-edit mode, admin commands enabled

applications anything GPG enabled

applications anything GPG enabled anything PAM enabled

applications anything GPG enabled anything PAM enabled defense in depth: OTP/Cert/PW? sure

applications anything GPG enabled anything PAM enabled defense in depth: OTP/Cert/PW? sure multiple cards per key, each has a unique subkey (code signing!)

applications

NFC option: here be dragons easy integration with Openkeychain in Android/IPhone

NFC option: here be dragons easy integration with Openkeychain in Android/IPhone keys need to be generated by the user

NFC option: here be dragons easy integration with Openkeychain in Android/IPhone keys need to be generated by the user only supports a 2048 bit key

deploying 450 (thousand?) of these things.

Entropy. GPG relies on kernel, not userland entropy. - Flying Stone FST01 from the FSF store! - RTL digital TV dongle and a tractor paper copy of phrack

Open not included... Red Hat Enterprise Linux 7 does not include opensc GnuPG

y tho... NFC user fatigue. not all NFC devices are great at picking up NFC lack of a yubikey might cause lack of communication.

destroyed cards... try not to trigger a SO/Reset pin lock!! to reissue or reset?

Questions?

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback