Re: [cryptography] [Cryptography] Show Crypto: prototype USB HSM

2016-04-12 Thread Tony Arcieri
On Tue, Apr 12, 2016 at 7:26 PM, Ron Garret  wrote:

> This HSM is much more general-purpose than a U2F token.
>

Well, that's true, but it's also hundreds of times bigger than a token in
the Yubikey "nano" form factor, which is actually convenient to keep
permanently in the USB slot of a laptop. Your physical design seems pretty
unwieldy for laptops (see also Yubico's keychain designs).

Yubikey "nano" factor tokens like the NEO-n have also supported more
general purposes than a U2F token (e.g. CCID interface, OpenPGP applets,
see also PIV)

I swear I'm not a paid shill for Yubico, but I'm a fan of small
display-free hardware tokens. While a token like what you've built might
provide Maximum Security under pessimistic threat models, its large size
makes it look rather inconvenient to me.

-- 
Tony Arcieri
___
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography


Re: [cryptography] [Cryptography] Show Crypto: prototype USB HSM

2016-04-12 Thread Ron Garret

On Apr 12, 2016, at 5:39 PM, Tony Arcieri  wrote:

> On Tue, Apr 12, 2016 at 8:28 AM, Ron Garret  wrote:
> Some hardware tokens have an input device built in (usually a push button, 
> sometimes a fingerprint sensor) which needs to be activated before the token 
> will operate, but these are still subject to phishing attacks
> 
> Not to rain on your parade, but if you're talking about authentication 
> contexts, U2F solves the phishability problem by deriving domain-separated 
> keys per origin, so it's not possible for an attacker to leverage it for 
> phishing purposes.

This HSM is much more general-purpose than a U2F token.  It could be used as a 
standalone bitcoin wallet a la Trezor.  It can be used to decrypt messages and 
display them on the built-in display so that even an adversary with root 
access to your laptop couldn’t read the cleartext.  The firmware doesn’t
support this yet, but it’s a mere matter of programming :-)

But even U2F tokens can be phished for some value of “phished”.  It’s true that 
you can’t extract the keys, but if an attacker owns your machine and you have a 
U2F token installed, the attacker can log into any site you can log into.  Even 
if the token has a button you need to push to activate it, it’s probably not 
hard to fool most users into pushing the button to authorize an authentication 
for an attacker.

With a display, the token can say, “You are about to authorize…” and describe 
exactly what it is that it is being asked to do so that you know what you’re 
authorizing in a way that an attacker cannot control even with a completely 
compromised client.

rg



Re: [cryptography] [Cryptography] Show Crypto: prototype USB HSM

2016-04-12 Thread Tony Arcieri
On Tue, Apr 12, 2016 at 8:28 AM, Ron Garret  wrote:

> Some hardware tokens have an input device built in (usually a push button,
> sometimes a fingerprint sensor) which needs to be activated before the
> token will operate, but these are still subject to phishing attacks


Not to rain on your parade, but if you're talking about authentication
contexts, U2F solves the phishability problem by deriving domain-separated
keys per origin, so it's not possible for an attacker to leverage it for
phishing purposes.

-- 
Tony Arcieri
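The origin binding Tony describes and the compromised-client case Ron raises, as an added example in Go that is not code from either poster or from the prototype HSM. It models a U2F-style token holding a single device secret: the key handle and the P-256 signing key for a site are derived by HMAC from that secret and the SHA-256 of the origin, so the token stores nothing per site and only ever sees hashes. The derivation labels "handle" and "key", the 16-byte handle nonce, the JSON client-data layout, the simulated button, and the origins https://example.com and https://examp1e.com are all assumptions constructed for the demo; the real Yubico scheme is similar in shape but not identical.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"math/big"
)

// Token models a U2F-style authenticator: one device secret, per-origin keys
// derived from it on demand, a counter and a button. It only ever sees hashes.
type Token struct {
	secret  []byte
	counter uint32
	Pressed bool // simulated user-presence button
}

func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// kdf binds derived material to the application parameter (SHA-256 of the origin).
func (t *Token) kdf(label string, appParam, nonce []byte) []byte {
	m := hmac.New(sha256.New, t.secret)
	m.Write(append(append([]byte(label), appParam...), nonce...))
	return m.Sum(nil)
}

// privKey turns the derived bytes into a P-256 private key with d in [1, N-1].
func (t *Token) privKey(appParam, nonce []byte) *ecdsa.PrivateKey {
	k := &ecdsa.PrivateKey{D: new(big.Int).SetBytes(t.kdf("key", appParam, nonce))}
	k.Curve = elliptic.P256()
	k.D.Mod(k.D, k.Curve.Params().N)
	if k.D.Sign() == 0 {
		k.D.SetInt64(1) // practically unreachable; keeps d non-zero
	}
	k.X, k.Y = k.Curve.ScalarBaseMult(k.D.FillBytes(make([]byte, 32)))
	return k
}

// Register issues a key handle (nonce || MAC over the origin hash) and the public key.
func (t *Token) Register(appParam []byte) ([]byte, *ecdsa.PublicKey) {
	nonce := randBytes(16)
	return append(nonce, t.kdf("handle", appParam, nonce)...), &t.privKey(appParam, nonce).PublicKey
}

// Authenticate signs appParam || 0x01 || counter || challengeParam, but only if
// the handle was issued for this appParam and the button is pressed.
func (t *Token) Authenticate(appParam, handle, challengeParam []byte) (uint32, []byte, error) {
	if len(handle) != 48 || !hmac.Equal(handle[16:], t.kdf("handle", appParam, handle[:16])) {
		return 0, nil, errors.New("key handle was not issued for this origin")
	}
	if !t.Pressed {
		return 0, nil, errors.New("no user presence")
	}
	t.counter++
	digest := hash(signedMessage(appParam, t.counter, challengeParam))
	sig, err := ecdsa.SignASN1(rand.Reader, t.privKey(appParam, handle[:16]), digest)
	return t.counter, sig, err
}

func hash(b []byte) []byte { h := sha256.Sum256(b); return h[:] }

func signedMessage(appParam []byte, counter uint32, challengeParam []byte) []byte {
	var c [4]byte
	binary.BigEndian.PutUint32(c[:], counter)
	msg := append(append([]byte{}, appParam...), 0x01) // 0x01 = user presence
	return append(append(msg, c[:]...), challengeParam...)
}

// Browser side: the browser, not the page, fills in the origin it actually has open.
func appParam(origin string) []byte { return hash([]byte(origin)) }
func clientData(origin, challenge string) []byte {
	return hash([]byte(fmt.Sprintf(`{"typ":"navigator.id.getAssertion","challenge":%q,"origin":%q}`, challenge, origin)))
}

// Relying-party side: the site rebuilds the message with its own origin, so nothing signed for another origin verifies.
func verify(pub *ecdsa.PublicKey, origin, challenge string, counter uint32, sig []byte) bool {
	return ecdsa.VerifyASN1(pub, hash(signedMessage(appParam(origin), counter, clientData(origin, challenge))), sig)
}

// Attempt is one login to site, driven from whatever origin the browser has
// open; it reports whether the token signed and whether the site accepted.
func Attempt(t *Token, site, browserOrigin, challenge string, handle []byte, pub *ecdsa.PublicKey) (signed, accepted bool) {
	counter, sig, err := t.Authenticate(appParam(browserOrigin), handle, clientData(browserOrigin, challenge))
	if err != nil {
		return false, false
	}
	return true, verify(pub, site, challenge, counter, sig)
}
```

To exercise it, build `tok := &Token{secret: randBytes(32)}`, set `tok.Pressed = true`, register with `handle, pub := tok.Register(appParam("https://example.com"))`, and call `Attempt` three ways. From the real origin, `Attempt(tok, site, site, "c1", handle, pub)` returns `(true, true)`. From a phishing page on `https://examp1e.com` relaying the real challenge and key handle, it returns `(false, false)`: the browser hashes the origin it actually sees, so the handle's MAC no longer checks out and the token refuses; had it signed anyway, the assertion would cover the wrong origin and `verify` at the real site would reject it. That is Tony's point. Ron's point is the third call: malware on the laptop that already talks to the real site and presents the real origin is byte-for-byte the same request as the honest one, and it returns `(true, true)` the moment the button is pressed. Nothing in what the token sees distinguishes the two, which is the gap a display that renders the request before the button press would close.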