On 2016-12-02 18:50, Leeteqxv wrote:
> On 02/12/16 20:15, Micah Lee wrote:
>> On 12/01/2016 04:37 PM, Marek Marczykowski-Górecki wrote:
>>> The tool run by qvm-usb does support alternative device identification
>>> - using product and vendor ID. Also to specify which device to attach.
>>> This isn't exposed by qvm-usb tool, because it may be ambiguous, but may
>>> be useful here. See README for more details:
>>> https://github.com/QubesOS/qubes-app-linux-usb-proxy
>>> I acknowledge that your solution is better in some aspect: it exists and
>>> works :)
>> It seems, from my brief testing, that all Yubikeys of the same version
>> have the same product and vendor ids. That still might be preferable to
>> grepping for "Yubikey" though.
>>
>>> Is communication with YubiKey encrypted, or at least somehow
>>> authenticated? Otherwise malicious USB VM could easily perform some kind
>>> of man in the middle attack and for example sign document you really
>>> didn't want to sign. Or decrypt arbitrary data. It's possible even when
>>> physical confirmation (button) is required - by simply waiting until you
>>> perform *some* operation.
>> It is authenticated, but unfortunately I don't think in a secure way.
>> When you use any OpenPGP smart card you have to set a PIN to use it, and
>> you have to authenticate with the smart card using the PIN. In the case
>> of Yubikeys, you type the PIN using the gpg pinentry program (some smart
>> card readers have physical keypads to type the PIN, so software
>> keyloggers on the computer can't steal the PIN). But I'm pretty sure
>> that the PIN you type in, in plaintext, gets sent to the Yubikey, so
>> your usbvm could probably log the PIN the very first time you use your
>> smart card, and then use it as much as it wants after that without you
>> knowing.
>>
>> Also, I'm pretty sure none of the communication is encrypted. To decrypt
>> a message on a smart card, you send the ciphertext (and a PIN, if it
>> isn't cached) to the smart card, and it decrypts it and responds with the
>> plaintext. So likely, the usbvm could spy on the plaintext of decrypted
>> messages.
>>
>> Unfortunately Yubikeys don't support pressing the physical button for
>> secret key operations. Those are preserved for 2FA and static passwords.
>>
>>> This is a general problem with USB devices, which is hard to solve with
>>> the current USB infrastructure (USB VM can do anything with any device
>>> connected to it). Without some fundamental USB rework - probably at
>>> hardware layer, I think the only alternative is protecting the data at
>>> individual device protocol level (like you do with encrypted USB sticks
>>> for example).
>> Sad, but reality.
>>
> Is it not possible to configure this to have the Yubikey require the person
> to press the key button manually/physically?
> If not, such a limitation would lie in the software rather than in the
> Yubikey, I assume, since the Yubikey supports Challenge-Response and such
> already? If possible, it is definitely preferable to work around potential
> PIN theft and subsequent hidden (mis)use by requiring a manual/physical 
> action.
> 

As Marek explained above, requiring a manual/physical button press doesn't
solve the problem:

"Is communication with YubiKey encrypted, or at least somehow
authenticated? Otherwise malicious USB VM could easily perform some kind
of man in the middle attack and for example sign document you really
didn't want to sign. Or decrypt arbitrary data. It's possible even when
physical confirmation (button) is required - by simply waiting until you
perform *some* operation."

-- 
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
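
Added example, not part of the original thread or of any Qubes or Yubico code: a decoder for the OpenPGP-card command APDUs discussed above, showing which sensitive fields a relay such as the USB VM sees unprotected. The instruction bytes follow the OpenPGP card specification; the trace and the PIN value are constructed, and the function names are illustrative.

```python
# Added example: what a relay on the USB path can read from OpenPGP-card APDUs.
# Header bytes (INS, P1, P2) follow the OpenPGP card specification.
COMMANDS = {
    (0x20, 0x00, 0x81): ("VERIFY PW1 (signing)", "pin"),
    (0x20, 0x00, 0x82): ("VERIFY PW1 (decrypt/auth)", "pin"),
    (0x20, 0x00, 0x83): ("VERIFY PW3 (admin)", "pin"),
    (0x2A, 0x80, 0x86): ("PSO:DECIPHER", "ciphertext"),
    (0x2A, 0x9E, 0x9A): ("PSO:COMPUTE DIGITAL SIGNATURE", "digest"),
}

def parse_apdu(raw: bytes):
    """Return (ins, p1, p2, data) for a short or extended command APDU."""
    if len(raw) < 4:
        raise ValueError("APDU shorter than its 4-byte header")
    ins, p1, p2 = raw[1], raw[2], raw[3]
    body = raw[4:]
    # No data field: nothing, a one-byte Le, or a three-byte extended Le.
    if len(body) <= 1 or (len(body) == 3 and body[0] == 0):
        return ins, p1, p2, b""
    if body[0] == 0 and len(body) > 3:       # extended length: 00 Lc_hi Lc_lo
        lc, start = int.from_bytes(body[1:3], "big"), 3
    else:                                    # short length: single Lc byte
        lc, start = body[0], 1
    if len(body) < start + lc:
        raise ValueError("data field truncated")
    return ins, p1, p2, body[start:start + lc]

def exposure(raw: bytes) -> dict:
    """Describe the sensitive material visible in one command APDU."""
    ins, p1, p2, data = parse_apdu(raw)
    name, kind = COMMANDS.get((ins, p1, p2), ("other", None))
    seen = {"command": name, "cleartext": None}
    if kind == "pin" and data:               # PIN travels as plain ASCII bytes
        seen["cleartext"] = "PIN bytes: " + data.decode("ascii", "replace")
    elif kind == "ciphertext":
        seen["cleartext"] = "none in command; the card's response is the plaintext"
    elif kind == "digest":
        seen["cleartext"] = "digest to be signed (%d bytes)" % len(data)
    return seen

# Constructed trace (not captured from a device); "123456" is a made-up PIN.
TRACE = [
    bytes.fromhex("00200082") + bytes([6]) + b"123456",
    bytes.fromhex("002a8086") + bytes([5]) + b"\x00" + b"\xaa" * 4 + b"\x00",
    bytes.fromhex("00200081"),  # VERIFY without data: status query, no PIN sent
]

if __name__ == "__main__":
    for apdu in TRACE:
        print(exposure(apdu))
```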
