Re: [gentoo-dev] [RFC] New project: Crypto

2015-12-29 Thread Rich Freeman
On Tue, Dec 29, 2015 at 8:58 AM, Kristian Fiskerstrand  wrote:
>
> On 12/28/2015 07:35 PM, Rich Freeman wrote:
>> On Mon, Dec 28, 2015 at 10:07 AM, Kristian Fiskerstrand wrote:
>>>> On 28 Dec 2015, at 15:58, James Le Cuirot wrote:

>
>
>> That concern is hardly unique to phones.  PCs suffer just as much
>> from this problem.  The solution could potentially be the same.
>> For
>
> But here we already have smartcards (that everyone should and _is_
> using... right?)

I imagine that smartcards have about as much support on mobile as they
do on PCs, which is to say not much.

Sure, you can make it work, but software support for signing stuff is
limited in general, let alone support for doing it with smartcards.

>
>> signing it is a straightforward problem since there is nothing to
>> be kept secret except the key material itself (just send the
>> message to the signing device, and return the signature back).  For
>> encryption
>
> for clarity (and what I think you already mean), the message in this
> case is the message to be signed (which is likely a blinded hash or
> something, so much shorter than the original data)

If you don't display the plaintext on the device doing the signing,
then you're vulnerable to a MITM unless you trust your PC, but if you
trusted your PC you wouldn't need the signing device.

The only thing a smartcard does is protect the private key itself.
It doesn't protect you from manipulation of the data to be signed, or
theft of plaintext, etc.

>
> Indeed, but at least the device won't be able to decrypt further
> communication as it'd only have access to the session key of the
> particular message. Losing control of the private (sub)key is
> substantially worse, so that might actually be ok for the security
> parameters of the users.

I agree, there are degrees of failure.

>
> This already happens in several countries, including Germany and on a
> semi-related variant Norway (its government approved to sign
> electronically using BankID, where the banks do the verification).
> In Germany there is even a CA that checks the government ID and
> certifies OpenPGP keys based on it.
>

That is at least a step up.  Should we require or at least recommend
government-signed keys for Gentoo in the few jurisdictions that
provide them?  I guess the main concern would be if we wanted to allow
anonymity.

So many problems would be solved if a signature using a secure device
was required for every financial transaction.  Just stick the PIN pad
on the signing device with a small display.  The device is given a
message to sign including the date, amount to be authorized, and who
is getting paid.  The device displays this info on its screen and
prompts for a PIN.  For the problem of payment authorization that
would eliminate almost all forms of fraud that don't involve holding
somebody at gunpoint (and you could have a duress PIN and an encrypted
field in the authorization large enough to hold either a padded all
clear or an under-duress message with the timestamp and GPS
coordinates that only the bank could read).

In the US everybody seems to be afraid of big brother but big brother
has enough big data that he doesn't really need you to use his fancy
signing device anyway.

-- 
Rich
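
The point made in the message above, that a token which never shows what it signs protects only the key, as an added example that is not part of the original thread. All names and values are constructed, HMAC-SHA256 stands in for the device's public-key signature, and the duress field is left out.

```python
import hashlib
import hmac
import json

# Constructed demo values (assumptions, not from the thread).
DEVICE_KEY = b"constructed-demo-device-key"  # stands in for the token's private key
PIN = "4921"
INTENDED_SCREEN = "2015-12-29  pay 25.00 to bookshop"


def encode_order(date, amount, payee):
    """Canonical byte encoding of the payment order that gets signed."""
    return json.dumps({"date": date, "amount": amount, "payee": payee},
                      sort_keys=True, separators=(",", ":")).encode()


def _sign(data):
    # HMAC-SHA256 is a stand-in for a real public-key signature.
    return hmac.new(DEVICE_KEY, data, hashlib.sha256).hexdigest()


def bank_verify(order_bytes, signature):
    """The bank accepts any order that carries a valid device signature."""
    return hmac.compare_digest(_sign(order_bytes), signature)


class BlindToken:
    """Smartcard-style signer: protects the key, never shows what it signs."""
    def sign(self, order_bytes, pin):
        if pin != PIN:
            raise PermissionError("wrong PIN")
        return _sign(order_bytes)


class DisplayToken:
    """Signer with its own screen and PIN pad, as proposed in the message."""
    def sign(self, order_bytes, user):
        order = json.loads(order_bytes)
        screen = f"{order['date']}  pay {order['amount']} to {order['payee']}"
        pin = user(screen)  # the user reads the token's screen, not the PC's
        if pin is None:
            return None     # user refused to authorize what was shown
        if pin != PIN:
            raise PermissionError("wrong PIN")
        return _sign(order_bytes)


def tampering_host(order_bytes):
    """Models an untrusted PC that rewrites the order before the token sees it."""
    order = json.loads(order_bytes)
    return encode_order(order["date"], "9000.00", "someone-else")


def careful_user(intended_screen):
    """User callback: enters the PIN only if the token shows the intended order."""
    return lambda screen: PIN if screen == intended_screen else None


def run_demo():
    wanted = encode_order("2015-12-29", "25.00", "bookshop")
    sent = tampering_host(wanted)  # what actually reaches the token
    blind_sig = BlindToken().sign(sent, PIN)
    shown_sig = DisplayToken().sign(sent, careful_user(INTENDED_SCREEN))
    honest_sig = DisplayToken().sign(wanted, careful_user(INTENDED_SCREEN))
    return {
        "blind_token_signed_tampered_order": bank_verify(sent, blind_sig),
        "display_token_signed_tampered_order": shown_sig is not None,
        "display_token_signs_honest_order": bank_verify(wanted, honest_sig),
    }


if __name__ == "__main__":
    print(run_demo())
```
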



Re: [gentoo-dev] [RFC] New project: Crypto

2015-12-29 Thread Yury German
I have talked to the YubiKey people at a few shows (BlackHat), and they
told me that they are looking at a Bluetooth key store, to work with iPad
and Android.

That would be great, but the problem is programs that can use that.


On 12/28/15 10:07 AM, Kristian Fiskerstrand wrote:
> 
> 
> [Sent from my iPad, as it is not a secured device there are no cryptographic 
> keys on this device, meaning this message is sent without an OpenPGP 
> signature. In general you should *not* rely on any information sent over such 
> an unsecure channel, if you find any information controversial or un-expected 
> send a response and request a signed confirmation]
> 
>> On 28 Dec 2015, at 15:58, James Le Cuirot  wrote:
>>
>> On Mon, 28 Dec 2015 09:42:40 -0500
>> Rich Freeman  wrote:
>>>
> 
> ..
> 
>>> And this would be why I don't bother to sign my emails any longer.
>>> The FOSS world is still stuck in the days when people ran X11-based
>>> MUAs and stored their mail in conventional folders.  I've yet to see a
>>> decent browser-based MUA or Android client which does signing.
>>> Squirrelmail does, but it is really lacking compared to something like
>>> Gmail.
>>
>> I haven't tried the feature myself but K9 Mail, which is highly
>> regarded, does it via APG on Android.
> 
> 
> iirc k9 doesn't support PGP/MIME (RFC3156), but some interesting things 
> happening with OpenKeychain (https://www.openkeychain.org/k-9/ ) in that 
> regard. We actually discussed it a bit during last OpenPGP summit in Zurich. 
> 
> The main issue is key storage, though. For signatures you can use a dedicated 
> signing subkey, however you get into problems with encrypted emails as mobile 
> devices are not really secure devices and should never have cryptographic 
> material. What could work in this case is an NFC (or for that matter 
> bluetooth, although it needs to be properly paired etc etc) channel with a 
> separate device with a separate keychain and display so you can verify the 
> request, and never actually expose private key material to the cellphone.
> 
> In the meantime I just include the notice whenever I don't sign, at least 
> some people notice it and give it another thought.
> 

-- 



signature.asc
Description: OpenPGP digital signature


Re: [gentoo-dev] [RFC] New project: Crypto

2015-12-29 Thread Kristian Fiskerstrand
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On 12/28/2015 07:35 PM, Rich Freeman wrote:
> On Mon, Dec 28, 2015 at 10:07 AM, Kristian Fiskerstrand
>  wrote:
>>> On 28 Dec 2015, at 15:58, James Le Cuirot 
>>> wrote:
>>> 


> That concern is hardly unique to phones.  PCs suffer just as much
> from this problem.  The solution could potentially be the same.
> For

But here we already have smartcards (that everyone should and _is_
using... right?)

> signing it is a straightforward problem since there is nothing to
> be kept secret except the key material itself (just send the
> message to the signing device, and return the signature back).  For
> encryption

for clarity (and what I think you already mean), the message in this
case is the message to be signed (which is likely a blinded hash or
something, so much shorter than the original data)

> you have additional challenges if you want to be able to make any
> use of the plaintext without it getting stolen - once decrypted it
> is only secure as any device that comes in contact with it.  And
> there is no

Indeed, but at least the device won't be able to decrypt further
communication as it'd only have access to the session key of the
particular message. Losing control of the private (sub)key is
substantially worse, so that might actually be ok for the security
parameters of the users.

> reason that mobile and browser frameworks couldn't talk to such 
> devices with the right standards.
> 
> If it were up to me the government would hand out signing devices
> just as they hand out passports.

This already happens in several countries, including Germany and on a
semi-related variant Norway (its government approved to sign
electronically using BankID, where the banks do the verification).
In Germany there is even a CA that checks the government ID and
certifies OpenPGP keys based on it.

- -- 
Kristian Fiskerstrand
Public PGP key 0xE3EDFAE3 at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
-BEGIN PGP SIGNATURE-

-END PGP SIGNATURE-



Re: [gentoo-dev] [RFC] New project: Crypto

2015-12-28 Thread Kristian Fiskerstrand


[Sent from my iPad, as it is not a secured device there are no cryptographic 
keys on this device, meaning this message is sent without an OpenPGP signature. 
In general you should *not* rely on any information sent over such an unsecure 
channel, if you find any information controversial or un-expected send a 
response and request a signed confirmation]

> On 28 Dec 2015, at 15:58, James Le Cuirot  wrote:
> 
> On Mon, 28 Dec 2015 09:42:40 -0500
> Rich Freeman  wrote:
>> 

..

>> And this would be why I don't bother to sign my emails any longer.
>> The FOSS world is still stuck in the days when people ran X11-based
>> MUAs and stored their mail in conventional folders.  I've yet to see a
>> decent browser-based MUA or Android client which does signing.
>> Squirrelmail does, but it is really lacking compared to something like
>> Gmail.
> 
> I haven't tried the feature myself but K9 Mail, which is highly
> regarded, does it via APG on Android.


iirc k9 doesn't support PGP/MIME (RFC3156), but some interesting things 
happening with OpenKeychain (https://www.openkeychain.org/k-9/ ) in that 
regard. We actually discussed it a bit during last OpenPGP summit in Zurich. 

The main issue is key storage, though. For signatures you can use a dedicated 
signing subkey, however you get into problems with encrypted emails as mobile 
devices are not really secure devices and should never have cryptographic 
material. What could work in this case is an NFC (or for that matter bluetooth, 
although it needs to be properly paired etc etc) channel with a separate device 
with a separate keychain and display so you can verify the request, and never 
actually expose private key material to the cellphone.

In the meantime I just include the notice whenever I don't sign, at least some 
people notice it and give it another thought.


Re: [gentoo-dev] [RFC] New project: Crypto

2015-12-28 Thread Rich Freeman
On Mon, Dec 28, 2015 at 8:11 AM, Kristian Fiskerstrand  wrote:
>
>
> [Sent from my iPad, as it is not a secured device there are no cryptographic
> keys on this device, meaning this message is sent without an OpenPGP
> signature. In general you should *not* rely on any information sent over such
> an unsecure channel, if you find any information controversial or un-expected
> send a response and request a signed confirmation]

And this would be why I don't bother to sign my emails any longer.
The FOSS world is still stuck in the days when people ran X11-based
MUAs and stored their mail in conventional folders.  I've yet to see a
decent browser-based MUA or Android client which does signing.
Squirrelmail does, but it is really lacking compared to something like
Gmail.

-- 
Rich



Re: [gentoo-dev] [RFC] New project: Crypto

2015-12-28 Thread James Le Cuirot
On Mon, 28 Dec 2015 09:42:40 -0500
Rich Freeman  wrote:

> On Mon, Dec 28, 2015 at 8:11 AM, Kristian Fiskerstrand
>  wrote:
> >
> >
> > [Sent from my iPad, as it is not a secured device there are no
> > cryptographic keys on this device, meaning this message is sent
> > without an OpenPGP signature. In general you should *not* rely on
> > any information sent over such an unsecure channel, if you find any
> > information controversial or un-expected send a response and
> > request a signed confirmation]  
> 
> And this would be why I don't bother to sign my emails any longer.
> The FOSS world is still stuck in the days when people ran X11-based
> MUAs and stored their mail in conventional folders.  I've yet to see a
> decent browser-based MUA or Android client which does signing.
> Squirrelmail does, but it is really lacking compared to something like
> Gmail.
> 

I haven't tried the feature myself but K9 Mail, which is highly
regarded, does it via APG on Android.

-- 
James Le Cuirot (chewi)
Gentoo Linux Developer


pgpZQv7sb95B6.pgp
Description: OpenPGP digital signature


Re: [gentoo-dev] [RFC] New project: Crypto

2015-12-28 Thread Kristian Fiskerstrand


[Sent from my iPad, as it is not a secured device there are no cryptographic 
keys on this device, meaning this message is sent without an OpenPGP signature. 
In general you should *not* rely on any information sent over such an unsecure 
channel, if you find any information controversial or un-expected send a 
response and request a signed confirmation]

> On 27 Dec 2015, at 23:49, Andrew Savchenko  wrote:
> 
> Hi!
> 
>> On Wed, 25 Nov 2015 21:21:37 +0100 Kristian Fiskerstrand wrote:
>>> 
...
> 
>> I'm trying to reclaim the #gentoo-crypto channel for now, would be
>> nice to have a place for coordination corresponding to the project
> 
> Any progress here?
> 

Yeah, we have control :)

K_F


Re: [gentoo-dev] [RFC] New project: Crypto

2015-12-28 Thread Kristian Fiskerstrand


[Sent from my iPad, as it is not a secured device there are no cryptographic 
keys on this device, meaning this message is sent without an OpenPGP signature. 
In general you should *not* rely on any information sent over such an unsecure 
channel, if you find any information controversial or un-expected send a 
response and request a signed confirmation]

> On 28 Dec 2015, at 16:07, Kristian Fiskerstrand  wrote:
> 
> 

> The main issue is key storage, though. For signatures you can use a dedicated 
> signing subkey, however you get into problems with encrypted emails as mobile 
> devices are not really secure devices and should never have cryptographic 
> material. What could work in this case is an NFC (or for that matter 
> bluetooth, although it needs to be properly paired etc etc) channel with a 
> separate device with a separate keychain and display so you can verify the 
> request, and never

This should read pinentry, the existence of a keyring is implicit to the use 
case.

> actually expose private key material to the cellphone.
> 
> In the meantime I just include the notice whenever I don't sign, at least 
> some people notice it and give it another thought.



Re: [gentoo-dev] [RFC] New project: Crypto

2015-12-28 Thread Andrew Savchenko
On Mon, 28 Dec 2015 09:42:40 -0500 Rich Freeman wrote:
> On Mon, Dec 28, 2015 at 8:11 AM, Kristian Fiskerstrand wrote:
> >
> >
> > [Sent from my iPad, as it is not a secured device there are no
> > cryptographic keys on this device, meaning this message is sent
> > without an OpenPGP signature. In general you should *not* rely on
> > any information sent over such an unsecure channel, if you find any
> > information controversial or un-expected send a response and
> > request a signed confirmation]
> 
> And this would be why I don't bother to sign my emails any longer.
> The FOSS world is still stuck in the days when people ran X11-based
> MUAs and stored their mail in conventional folders.  I've yet to see a
> decent browser-based MUA or Android client which does signing.
> Squirrelmail does, but it is really lacking compared to something like
> Gmail.

YMMV, but I'm perfectly fine with Claws mail on my phone.

Another problem is that this device lacks reliable RNG and faces
threats of baseband processor data interception (as well as all
other phones I'm aware of). So phones/tablets are not suitable
for cryptography anyway.

P.S. We had a good discussion of this on core, but still have no
summary on dev ML.

Best regards,
Andrew Savchenko


pgp2cyjAVTb6R.pgp
Description: PGP signature


Re: [gentoo-dev] [RFC] New project: Crypto

2015-12-28 Thread Rich Freeman
On Mon, Dec 28, 2015 at 10:07 AM, Kristian Fiskerstrand  wrote:
>> On 28 Dec 2015, at 15:58, James Le Cuirot  wrote:
>>
>> On Mon, 28 Dec 2015 09:42:40 -0500
>> Rich Freeman  wrote:
>
>>> And this would be why I don't bother to sign my emails any longer.
>>> The FOSS world is still stuck in the days when people ran X11-based
>>> MUAs and stored their mail in conventional folders.  I've yet to see a
>>> decent browser-based MUA or Android client which does signing.
>>> Squirrelmail does, but it is really lacking compared to something like
>>> Gmail.
>>
>> I haven't tried the feature myself but K9 Mail, which is highly
>> regarded, does it via APG on Android.
>
> iirc k9 doesn't support PGP/MIME (RFC3156), but some interesting things
> happening with OpenKeychain (https://www.openkeychain.org/k-9/ ) in that
> regard. We actually discussed it a bit during last OpenPGP summit in Zurich.
>

K9 also doesn't support email tagging as far as I'm aware, and I don't
believe there is a browser version of it either (I do require an MUA
accessible by a browser, as this is how I compose 99% of my emails - I
read this email on androids, and am replying from a browser right
now).  To some extent they can be forgiven for not supporting tagging,
as I don't believe IMAP supports it either, so we need standards as
well as FOSS clients to make it work.

But, it isn't like I'm paying anybody to solve the problem, so we all
make do, either living without features or without signatures as the
case may be.

> The main issue is key storage, though. For signatures you can use a dedicated
> signing subkey, however you get into problems with encrypted emails as mobile
> devices are not really secure devices and should never have cryptographic
> material. What could work in this case is an NFC (or for that matter
> bluetooth, although it needs to be properly paired etc etc) channel with a
> separate device with a separate keychain and display so you can verify the
> request, and never actually expose private key material to the cellphone.

That concern is hardly unique to phones.  PCs suffer just as much from
this problem.  The solution could potentially be the same.  For
signing it is a straightforward problem since there is nothing to be
kept secret except the key material itself (just send the message to
the signing device, and return the signature back).  For encryption
you have additional challenges if you want to be able to make any use
of the plaintext without it getting stolen - once decrypted it is only
secure as any device that comes in contact with it.  And there is no
reason that mobile and browser frameworks couldn't talk to such
devices with the right standards.

If it were up to me the government would hand out signing devices just
as they hand out passports.  It seems kind of silly in this day and
age that we haven't solved the key-management problem and half of our
commerce involves giving 16-digit numbers to everybody we do business
with and asking them to keep them secret for us.

-- 
Rich



Re: [gentoo-dev] [RFC] New project: Crypto

2015-12-27 Thread Andrew Savchenko
Hi!

On Wed, 25 Nov 2015 21:21:37 +0100 Kristian Fiskerstrand wrote:
> On 11/25/2015 08:20 PM, Daniel Campbell wrote:
> > On 11/25/2015 09:12 AM, Kristian Fiskerstrand wrote:
[...]
> >> As recently discussed herds are migrating to projects, and in
> >> that connection we've now set up a project[0] for what was
> >> previously the Crypto herd.
> > 
> >> Please consider this an official announcement and request for 
> >> comment related to establishing a new project.
> > 
> >> References: [0] https://wiki.gentoo.org/wiki/Project:Crypto
> > 
> > 
> > Sounds good to me. I have a passing interest in crypto, so where do
> > I sign? :)

+1

> I'm trying to reclaim the #gentoo-crypto channel for now, would be
> nice to have a place for coordination corresponding to the project

Any progress here?

Best regards,
Andrew Savchenko


pgp9WTbtxbjGA.pgp
Description: PGP signature


Re: [gentoo-dev] [RFC] New project: Crypto

2015-11-25 Thread Daniel Campbell
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On 11/25/2015 09:12 AM, Kristian Fiskerstrand wrote:
> Hi,
> 
> As recently discussed herds are migrating to projects, and in that 
> connection we've now set up a project[0] for what was previously
> the Crypto herd.
> 
> Please consider this an official announcement and request for
> comment related to establishing a new project.
> 
> References: [0] https://wiki.gentoo.org/wiki/Project:Crypto
> 
> 
Sounds good to me. I have a passing interest in crypto, so where do I
sign? :)


- -- 
Daniel Campbell - Gentoo Developer
OpenPGP Key: 0x1EA055D6 @ hkp://keys.gnupg.net
fpr: AE03 9064 AE00 053C 270C  1DE4 6F7A 9091 1EA0 55D6
-BEGIN PGP SIGNATURE-
Version: GnuPG v2

-END PGP SIGNATURE-



Re: [gentoo-dev] [RFC] New project: Crypto

2015-11-25 Thread Kristian Fiskerstrand
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

On 11/25/2015 08:20 PM, Daniel Campbell wrote:
> On 11/25/2015 09:12 AM, Kristian Fiskerstrand wrote:
>> Hi,
> 
>> As recently discussed herds are migrating to projects, and in
>> that connection we've now set up a project[0] for what was
>> previously the Crypto herd.
> 
>> Please consider this an official announcement and request for 
>> comment related to establishing a new project.
> 
>> References: [0] https://wiki.gentoo.org/wiki/Project:Crypto
> 
> 
> Sounds good to me. I have a passing interest in crypto, so where do
> I sign? :)

I'm trying to reclaim the #gentoo-crypto channel for now, would be
nice to have a place for coordination corresponding to the project

- -- 
Kristian Fiskerstrand
Public PGP key 0xE3EDFAE3 at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
-BEGIN PGP SIGNATURE-

-END PGP SIGNATURE-