On 28/08/2019 00:41, Chris Narkiewicz via Gnupg-users wrote:
> This is not true. Many crypto systems are designed to perform damage
> control and recovery in such cases.

Damage control in the case of GnuPG would be using a smartcard: while you are using the smartcard, so can the attacker, but once you pull the smartcard and no longer use the compromised system, the attacker no longer has access to the key. In this scenario it makes sense to have an offline primary key: while the attacker can issue data signatures and decrypt your files, they cannot change your key, e.g., add another signing subkey to be used later when the smartcard is no longer available to the attacker.

Recovery... well, damage control already implied there was damage, and recovery even more so. Stefan asked for a "best strategy for using OpenPGP [...]". I did not interpret that as asking for how to limit damage, but rather to avoid it.

Whether a compromise is game over depends on your scenario. However, what is quite often asked for here is some way to use a compromised system without compromising confidentiality of encryption or without enabling an attacker to issue data signatures. These things cannot be done on a system where the attacker has control over the whole computer (root access, in *nix parlance, or hypervisor access).

If you can show me an example where the attacker has full access to a computer and a user can still do decryption and issue signatures *on that computer* while maintaining confidentiality and signature integrity, I'd love to hear about it. However, I've heard many wrong solutions, so in actuality I don't think I would love to hear about it, because it sounds like a waste of time. Here are two obviously wrong ones.

"Provide explicit confirmation of each signature issued by a smartcard with an external button". Attacker's solution: pretend something went wrong, and make the user do the actions again. Nothing actually went wrong, the user issued two signatures. Social engineering to the rescue. Or, demise. When they're sending an e-mail, simply make it look like the mail client crashed just after they confirmed the signature, for instance. The confirmation button doesn't ensure signature integrity, it is damage control.

"Provide explicit confirmation of decryption with smartcard". Whenever the user decrypts something, store the decryption key in a database. When the user decrypts the same file twice, use the stored decryption key and decrypt that interesting file the attacker wants to read instead.

HTH,

Peter.

--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>
_______________________________________________
Gnupg-users mailing list
[email protected]
http://lists.gnupg.org/mailman/listinfo/gnupg-users
