Re: [Openvpn-devel] is it possible to store saved password in tpm instead of registry ?

2021-01-14 Thread Jan Just Keijser

Hi,

On 13/01/21 19:29, Илья Шипицин wrote:

> Wed, 13 Jan 2021 at 22:01, Jan Just Keijser :
>
>> Hi,
>>
>> On 13/01/21 17:20, Илья Шипицин wrote:
>> > Hello,
>> >
>> > if user save password, it might be stolen from well known location
>> > (there are popular password stealers).
>> >
>> > in theory, is it possible to keep password in tpm ? will it prevent
>> > password from being stolen ?
>> >
>> in theory, yes, but as always, it depends on the circumstances.
>>
>> With TPM 1.2 you can only store a very limited amount of data in
>> the TPM
>> chip; the (open source) implementation I have seen (tss, trousers)
>> store
>
> I meant openvpn-gui + user/password authentication + password is kept
> in registry encrypted by data protection api (not clear text, but
> might be decrypted and stolen easily).
>
> trousers is linux, right ?

ah yes, indeed, trousers is Linux; I guess I defaulted to Open source 
software for an open source VPN ;)


As for storing any old password in a TPM: yes that seems possible in 
Windows 10 (with the right TPM support, I presume). For example, this

https://superuser.com/questions/1527685/how-to-remove-webauthn-credentials-from-onboard-tpm-on-win10-device?rq=1

post reports that someone wants to *get rid* of edge/chrome authn details 
stored in the TPM.
Could be that support for this is also present in chromium, which means 
you should be able to find the source code that does this.


HTH,

JJK
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel


Re: [Openvpn-devel] is it possible to store saved password in tpm instead of registry ?

2021-01-13 Thread Selva Nair
Hi,

The blob stored in the registry is encrypted by DPAPI and requires access
to the user's session to decrypt. No matter where the blob is stored, if an
attacker has access to the session, anything the GUI can read can be read
by the attacker too.

That said, if there is a well-defined API for protecting data using a
non-exportable key in TPM, respecting security boundaries, we could use it.
The blob has to be still stored in registry or Windows password store
(which also stores it in registry). TPM is useful for storing
non-exportable private keys. For exportable data, if at all possible and
space permits, I see little point in putting it in TPM.

DPAPI supports an app-specific salt, and we could have it wrapped by TPM to
add some extra protection but I would be wary of inventing our own schemes
like that.

Storing the certificate private key in TPM makes sense.

Selva

On Wed, Jan 13, 2021 at 1:31 PM Илья Шипицин wrote:

>
>
> Wed, 13 Jan 2021 at 22:01, Jan Just Keijser :
>
>> Hi,
>>
>> On 13/01/21 17:20, Илья Шипицин wrote:
>> > Hello,
>> >
>> > if user save password, it might be stolen from well known location
>> > (there are popular password stealers).
>> >
>> > in theory, is it possible to keep password in tpm ? will it prevent
>> > password from being stolen ?
>> >
>> in theory, yes, but as always, it depends on the circumstances.
>>
>> With TPM 1.2 you can only store a very limited amount of data in the TPM
>> chip; the (open source) implementation I have seen (tss, trousers) store
>>
>
> I meant openvpn-gui + user/password authentication + password is kept in
> registry encrypted by data protection api (not clear text, but might be
> decrypted and stolen easily).
>
> trousers is linux, right ?
>
>
>> a key in the TPM to scramble other data with; thus, you can encrypt a
>> private key or password with a key stored on the TPM and only if you
>> have the TPM will you be able to decrypt it.
>> I've never been particularly impressed with the security of this setup,
>> however, as trousers seems to suggest to store the actual decryption
>> key in an environment variable...
>>
>> With TPM 2.0 you can store more data in the chip, including a full
>> private key. This makes it behave more like a regular PKCS#11 device,
>> where you store the private key, not the user password on it. Of course,
>> it will/should also be possible to store a user password on it.
>>
>> cheers,
>>
>> JJK
>>
>
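An added example, not from this thread or from the openvpn-gui code, that demonstrates Selva's point about the DPAPI blob: a blob protected with CurrentUser scope is readable by any code running in that user's session, and the optional entropy ("app-specific salt") only helps as far as the entropy itself is kept out of that session's reach. Assumes Windows PowerShell 5.1 on Windows; the password and entropy values are constructed samples.

```powershell
# Added example (not part of the thread or of openvpn-gui). Assumes Windows PowerShell 5.1.
Add-Type -AssemblyName System.Security

function Test-DpapiSessionBoundary {
    param(
        [string]$Password   = 'constructed-sample-password',      # constructed sample, not a real credential
        [string]$AppEntropy = 'constructed-app-specific-entropy'  # constructed "app-specific salt"
    )
    $enc     = [System.Text.Encoding]::UTF8
    $scope   = [System.Security.Cryptography.DataProtectionScope]::CurrentUser
    $secret  = $enc.GetBytes($Password)
    $entropy = $enc.GetBytes($AppEntropy)

    # Blob bound to the user only: what a plain CryptProtectData call gives you.
    $blobPlain   = [System.Security.Cryptography.ProtectedData]::Protect($secret, $null, $scope)
    # Blob bound to the user AND the entropy value.
    $blobEntropy = [System.Security.Cryptography.ProtectedData]::Protect($secret, $entropy, $scope)

    # Case 1: any code in the same user session, no entropy needed: the unwrap succeeds.
    $p1 = [System.Security.Cryptography.ProtectedData]::Unprotect($blobPlain, $null, $scope)

    # Case 2: same session, entropy blob, entropy not supplied: DPAPI throws CryptographicException.
    $unwrappedWithoutEntropy = $true
    try {
        [void][System.Security.Cryptography.ProtectedData]::Unprotect($blobEntropy, $null, $scope)
    } catch [System.Security.Cryptography.CryptographicException] {
        $unwrappedWithoutEntropy = $false
    }

    # Case 3: same session, correct entropy: the unwrap succeeds again. The entropy has to live
    # somewhere the GUI can read it at startup, and that place is readable by the same session,
    # which is why wrapping the entropy in a TPM adds only limited protection.
    $p3 = [System.Security.Cryptography.ProtectedData]::Unprotect($blobEntropy, $entropy, $scope)

    [pscustomobject]@{
        PlainBlobReadableInSession     = ($enc.GetString($p1) -eq $Password)
        EntropyBlobReadableNoEntropy   = $unwrappedWithoutEntropy
        EntropyBlobReadableWithEntropy = ($enc.GetString($p3) -eq $Password)
    }
}

Test-DpapiSessionBoundary
```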


Re: [Openvpn-devel] is it possible to store saved password in tpm instead of registry ?

2021-01-13 Thread Arne Schwabe


On 13.01.2021 at 17:20, Илья Шипицин wrote:

> Hello,
>
> if user save password, it might be stolen from well known location
> (there are popular password stealers).
>
> in theory, is it possible to keep password in tpm ? will it prevent
> password from being stolen ?
>
> Ilya


Password storage in TPM is flawed anyway, since it is a symmetric secret. 
If you want TPM security you should go certificate anyway, which should 
be doable by using a TPM as a smart card.


Arne





Re: [Openvpn-devel] is it possible to store saved password in tpm instead of registry ?

2021-01-13 Thread Илья Шипицин
Wed, 13 Jan 2021 at 22:01, Jan Just Keijser :

> Hi,
>
> On 13/01/21 17:20, Илья Шипицин wrote:
> > Hello,
> >
> > if user save password, it might be stolen from well known location
> > (there are popular password stealers).
> >
> > in theory, is it possible to keep password in tpm ? will it prevent
> > password from being stolen ?
> >
> in theory, yes, but as always, it depends on the circumstances.
>
> With TPM 1.2 you can only store a very limited amount of data in the TPM
> chip; the (open source) implementation I have seen (tss, trousers) store
>

I meant openvpn-gui + user/password authentication + password is kept in
registry encrypted by data protection api (not clear text, but might be
decrypted and stolen easily).

trousers is linux, right ?


> a key in the TPM to scramble other data with; thus, you can encrypt a
> private key or password with a key stored on the TPM and only if you
> have the TPM will you be able to decrypt it.
> I've never been particularly impressed with the security of this setup,
> however, as trousers seems to suggest to store the actual decryption
> key in an environment variable...
>
> With TPM 2.0 you can store more data in the chip, including a full
> private key. This makes it behave more like a regular PKCS#11 device,
> where you store the private key, not the user password on it. Of course,
> it will/should also be possible to store a user password on it.
>
> cheers,
>
> JJK
>
>


Re: [Openvpn-devel] is it possible to store saved password in tpm instead of registry ?

2021-01-13 Thread Jan Just Keijser

Hi,

On 13/01/21 17:20, Илья Шипицин wrote:

> Hello,
>
> if user save password, it might be stolen from well known location
> (there are popular password stealers).
>
> in theory, is it possible to keep password in tpm ? will it prevent
> password from being stolen ?



in theory, yes, but as always, it depends on the circumstances.

With TPM 1.2 you can only store a very limited amount of data in the TPM 
chip; the (open source) implementation I have seen (tss, trousers) store 
a key in the TPM to scramble other data with; thus, you can encrypt a 
private key or password with a key stored on the TPM and only if you 
have the TPM will you be able to decrypt it.
I've never been particularly impressed with the security of this setup, 
however, as trousers seems to suggest to store the actual decryption 
key in an environment variable...


With TPM 2.0 you can store more data in the chip, including a full 
private key. This makes it behave more like a regular PKCS#11 device, 
where you store the private key, not the user password on it. Of course, 
it will/should also be possible to store a user password on it.


cheers,

JJK





[Openvpn-devel] is it possible to store saved password in tpm instead of registry ?

2021-01-13 Thread Илья Шипицин
Hello,

if user save password, it might be stolen from well known location (there
are popular password stealers).

in theory, is it possible to keep password in tpm ? will it prevent
password from being stolen ?

Ilya