On 02/12/16 20:15, Micah Lee wrote:
On 12/01/2016 04:37 PM, Marek Marczykowski-Górecki wrote:
The tool run by qvm-usb does support alternative device identification
- using product and vendor ID. Also to specify which device to attach.
This isn't exposed by qvm-usb tool, because it may be ambiguous, but may
be useful here. See README for more details:
https://github.com/QubesOS/qubes-app-linux-usb-proxy
I acknowledge that your solution is better in some aspect: it exists and
works :)
It seems, from my brief testing, that all Yubikeys of the same version
have the same product and vendor ids. That still might be preferable to
grepping for "Yubikey" though.
Is communication with YubiKey encrypted, or at least somehow
authenticated? Otherwise malicious USB VM could easily perform some kind
of man in the middle attack and for example sign document you really
didn't want to sign. Or decrypt arbitrary data. It's possible even when
physical confirmation (button) is required - by simply waiting until you
perform *some* operation.
It is authenticated, but unfortunately I don't think in a secure way.
When you use any OpenPGP smart card you have to set a PIN to use it, and
you have to authenticate with the smart card using the PIN. In the case
of Yubikeys, you type the PIN using the gpg pinentry program (some smart
card readers have physical keypads to type the PIN, so software
keyloggers on the computer can't steal the PIN). But I'm pretty sure
that the PIN you type in, in plaintext, gets sent to the Yubikey, so
your usbvm could probably log the PIN the very first time you use your
smart card, and then use it as much as it wants after that without you
knowing.
Also, I'm pretty sure none of the communication is encrypted. To decrypt
a message on a smart card, you send the ciphertext (and a PIN, if it
isn't cached) to the smart card, and it decrypts it responds with the
plaintext. So likely, the usbvm could spy on the plaintext of decrypted
messages.
Unfortunately Yubikeys don't support pressing the physical button for
secret key operations. Those are preserved for 2FA and static passwords.
This is general problem with USB devices, which are hard to solve with
the current USB infrastructure (USB VM can do anything with any device
connected to it). Without some fundamental USB rework - probably at
hardware layer, I think the only alternative is protecting the data at
individual device protocol level (like you do with encrypted USB sticks
for example).
Sad, but reality.
Is it not possible to configure this to having the Yubikey require the
person to press the key button manually/physically?
If not, such a limitation would lie in the software rather than in the
Yubikey, I assume, since the Yubikey support Challenge-Response and such
already? If possible, it is definetely preferable to work around
potential PIN theft and subsequent hidden (mis)use by requiring a
manual/physical action.
--
You received this message because you are subscribed to the Google Groups
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/qubes-users/154ed39e-5fb2-484b-17d2-32b8b83239ac%40leeteq.com.
For more options, visit https://groups.google.com/d/optout.
