Re: Crowdfunding USB Security Key for Email- and Data-Encryption - Nitrokey Storage

2015-11-21 Thread NdK
On 21/11/2015 12:07, Peter Lebbing wrote:

> Personally, I don't really see yet why the latter is so important;
> however, gaining the ability to issue OTP's by simply inserting my own
> OpenPGP card with my own PIN seems serious? Do I misunderstand it? Or is
> it not part of the threat model because the attacker is unable to
> extract the key used for OTP generation?
I didn't look at the code (so this could be completely wrong and I'd be
happy!), but if the OTP key is decrypted using a key in the chip after
verifying that the card accepts the PIN, then it's even worse, since
that master key is in cleartext somewhere outside the smartcard. So,
with some effort and a good lab the OTP keys can be extracted.

> Anyway, thanks for all your work on the Nitrokey series! I think it's
> great you put so much effort into creating these nifty devices.
Nifty, indeed. Too bad PGP-card spec lacks decryption key archiving (so
that you can change your DEC key every year but keep using the same card
year after year).

BYtE,
 Diego

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


Re: backing up keys

2015-11-21 Thread Peter Lebbing
On 21/11/15 13:09, Peter Lebbing wrote:
> GnuPG outputs both a "Secret-Key Packet" as well as all UID's and
> binding signatures. It might output all certifications by others on the
> key as well; I'm going to write a separate mail about this.

Okay, it turns out it was a weird issue with my keyring. In fact, GnuPG
would seem to always output all certifications with
--export-secret-keys, and it does not honour --export-options
export-minimal or export-clean.

HTH,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 

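The quickest way to confirm what Peter describes on your own key is `gpg --export-secret-keys KEYID | gpg --list-packets` and counting the signature packets whose issuer is not you. The block below is an added example, not code from the post or from GnuPG: a minimal OpenPGP packet walker (RFC 4880 framing) that lists the packet tags of a binary key export and the issuer key ID of every signature packet, then counts the third-party certifications a backup carries along. SAMPLE_EXPORT, the two key IDs and the dummy key-packet bodies are constructed for the demo; on a real export pipe the binary (not `--armor`) output of `gpg --export-secret-keys` into it.

```python
"""Added example (not from the post or from GnuPG): walk the packets of an
OpenPGP key export and report which key ID issued each signature packet."""
import struct
import sys

# Packet tags (RFC 4880 section 4.3) that occur in a key export.
TAG_NAMES = {2: "signature", 5: "secret-key", 6: "public-key", 7: "secret-subkey",
             13: "user-id", 14: "public-subkey", 17: "user-attribute"}
CERTIFICATION_TYPES = frozenset(range(0x10, 0x14))  # signatures over (key, user ID)

def iter_packets(blob):
    """Yield (tag, body) per packet; handles old- and new-format headers."""
    i = 0
    while i < len(blob):
        ctb = blob[i]
        if not ctb & 0x80:
            raise ValueError("offset %d: not an OpenPGP packet header" % i)
        if ctb & 0x40:  # new format: 6-bit tag, 1/2/5-octet length
            tag, first = ctb & 0x3F, blob[i + 1]
            if first < 192:
                length, hdr = first, 2
            elif first < 224:
                length, hdr = ((first - 192) << 8) + blob[i + 2] + 192, 3
            elif first == 255:
                length, hdr = struct.unpack(">I", blob[i + 2:i + 6])[0], 6
            else:
                raise ValueError("offset %d: partial body lengths not supported" % i)
        else:           # old format: 4-bit tag, length width in the low two bits
            tag = (ctb >> 2) & 0x0F
            width = (1, 2, 4, None)[ctb & 0x03]
            if width is None:
                raise ValueError("offset %d: indeterminate length not supported" % i)
            length, hdr = int.from_bytes(blob[i + 1:i + 1 + width], "big"), 1 + width
        body = blob[i + hdr:i + hdr + length]
        if len(body) != length:
            raise ValueError("offset %d: truncated packet" % i)
        yield tag, body
        i += hdr + length

def _subpackets(area):
    """Yield (type, data) for each signature subpacket in a hashed/unhashed area."""
    i = 0
    while i < len(area):
        first = area[i]
        if first < 192:
            n, hdr = first, 1
        elif first < 255:
            n, hdr = ((first - 192) << 8) + area[i + 1] + 192, 2
        else:
            n, hdr = struct.unpack(">I", area[i + 1:i + 5])[0], 5
        sub = area[i + hdr:i + hdr + n]
        yield sub[0] & 0x7F, sub[1:]  # bit 7 of the type octet is the "critical" flag
        i += hdr + n

def signature_issuer(body):
    """(sigtype, issuer key ID as upper-case hex) of a v4 signature packet."""
    if body[0] != 4:
        return None, None  # v3 signatures lay the issuer out differently; not handled
    sigtype = body[1]
    hashed_len = struct.unpack(">H", body[4:6])[0]
    hashed = body[6:6 + hashed_len]
    unhashed_len = struct.unpack(">H", body[6 + hashed_len:8 + hashed_len])[0]
    unhashed = body[8 + hashed_len:8 + hashed_len + unhashed_len]
    issuer = None
    for typ, data in list(_subpackets(hashed)) + list(_subpackets(unhashed)):
        if typ == 33 and data[:1] == b"\x04":  # issuer fingerprint: key ID is its low 64 bits
            return sigtype, data[-8:].hex().upper()
        if typ == 16 and issuer is None:       # issuer key ID
            issuer = data.hex().upper()
    return sigtype, issuer

def summarize(blob):
    """Packet-tag sequence plus signature count per issuer key ID."""
    tags, by_issuer = [], {}
    for tag, body in iter_packets(blob):
        tags.append(TAG_NAMES.get(tag, "tag-%d" % tag))
        if tag == 2:
            _, issuer = signature_issuer(body)
            by_issuer[issuer] = by_issuer.get(issuer, 0) + 1
    return tags, by_issuer

def foreign_certifications(blob, own_keyid):
    """Certifications (0x10-0x13) not issued by own_keyid: what export-minimal would drop."""
    own = own_keyid.upper()
    return sum(1 for tag, body in iter_packets(blob) if tag == 2
               and signature_issuer(body)[0] in CERTIFICATION_TYPES
               and signature_issuer(body)[1] != own)

# --- constructed sample export: not a real key, key-packet bodies are dummies ---
def _packet(tag, body):
    n = len(body)
    if n < 192:
        return bytes([0xC0 | tag, n]) + body
    if n < 8384:
        return bytes([0xC0 | tag, ((n - 192) >> 8) + 192, (n - 192) & 0xFF]) + body
    return bytes([0xC0 | tag, 255]) + struct.pack(">I", n) + body

def _signature(sigtype, issuer_keyid):
    hashed = bytes([5, 2]) + b"\x00\x00\x00\x00"   # subpacket 2: creation time (dummy)
    unhashed = bytes([9, 16]) + issuer_keyid        # subpacket 16: issuer key ID
    body = (bytes([4, sigtype, 1, 8]) + struct.pack(">H", len(hashed)) + hashed
            + struct.pack(">H", len(unhashed)) + unhashed + b"\x00\x00" + b"\x00\x08\x80")
    return _packet(2, body)

OWN_KEYID, OTHER_KEYID = "0123456789ABCDEF", "FEDCBA9876543210"  # assumed IDs
SAMPLE_EXPORT = b"".join([
    _packet(5, b"\x04" + b"\x00" * 40),                 # secret-key (dummy body)
    _packet(13, b"Alice <alice@example.org>"),           # user ID
    _signature(0x13, bytes.fromhex(OWN_KEYID)),          # self-certification
    _signature(0x10, bytes.fromhex(OTHER_KEYID)),        # third-party certification
    _packet(7, b"\x04" + b"\x00" * 40),                 # secret-subkey (dummy body)
    _signature(0x18, bytes.fromhex(OWN_KEYID)),          # subkey binding signature
])

if __name__ == "__main__":
    data = SAMPLE_EXPORT if sys.stdin.isatty() else sys.stdin.buffer.read()
    tags, by_issuer = summarize(data)
    print("packets:", " ".join(tags))
    for issuer, n in by_issuer.items():
        print("signatures issued by %s: %d" % (issuer, n))
```

Run it with no stdin to see the constructed sample, or pipe `gpg --export-secret-keys KEYID` into it; every issuer other than your own key ID under a user ID is a certification that `--export-options export-minimal` would have omitted from a public export but that the secret export keeps. The walker stops at partial-body and indeterminate lengths, which GnuPG does not use for key exports, and ignores v3 signatures rather than guessing their issuer.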


Re: scdaemon lockup with Yubikey NEO

2015-11-21 Thread Lance R. Vick
This happens to me constantly as well. In my case I frequently need to kill
and restart gpg-agent to get things working again on both Arch Linux and
Gentoo.

On Sat, Nov 21, 2015 at 4:41 AM, the2nd wrote:

> Hi Ben,
>
> We have a similar problem since we've upgraded from Ubuntu 15.04 to
> 15.10.  When starting gpg-agent with --log-file the log shows the following:
>
> 2015-05-30 13:49:36 gpg-agent[3600] error accessing card: Conflicting use
> 2015-05-30 13:49:36 gpg-agent[3600] smartcard signing failed: Conflicting use
> 2015-05-30 13:49:38 gpg-agent[3600] error getting default authentication keyID of card: Conflicting use
>
> I've asked the list several times about this issue but got no answer yet.
> So I don't have a solution, but it may be interesting if your problem is the
> same...
>
> Regards
> The2nd
>
>
> -------- Original message --------
> From: Ben Warren
> Date: 11.20.2015 16:26 (GMT+01:00)
> To: gnupg-users@gnupg.org
> Subject: scdaemon lockup with Yubikey NEO
>
> Hi,
>
> I’ve noticed several other problem reports that seem similar, hopefully
> they’re all related and there’s a simple fix.
>
> The problem:
>
> After an indeterminate amount of time (sometimes minutes, sometimes
> hours), any GPG operation that uses my Yubikey NEO device hangs.  The two
> most common operations are SSH authentication and git signing.  The
> following sequence gets things going again:
>
> $ killall -SIGKILL scdaemon
> $ gpg2 --card-status
>
> System particulars:
>
> - Host OS is OS-X Yosemite, although it is also present on Mavericks
>   (haven’t tried El Capitan yet)
> - GPG 2.1.5
> - Using the Yubikey’s authentication subkey to login to remote Linux hosts
> - Using the Yubikey’s signing subkey for git signing operations, both
>   local and remote
> - Using gpg-agent for forwarding both GPG and SSH (great features, BTW!)
>
> GPG configuration file:
>
> $ cat ~/.gnupg/gpg-agent.conf
> default-cache-ttl 1
> ignore-cache-for-signing
> no-allow-external-cache
> max-cache-ttl 1
> extra-socket ${HOME}/.gnupg/S.gpg-extra-agent
> debug-all
> log-file ${HOME}/.gnupg/mygpglogfile.log
> enable-ssh-support
>
> I’ll be happy to help debug this, but need some guidance.
>
>
> thanks,
>
> Ben
>


-- 
Lance R. Vick
__
Cell  -  407.283.7596
Gtalk -  la...@lrvick.net
Website   -  http://lrvick.net
PGP Key   -  http://lrvick.net/0x36C8AAA9.asc
keyserver -  subkeys.pgp.net
__


Re: Crowdfunding USB Security Key for Email- and Data-Encryption - Nitrokey Storage

2015-11-21 Thread Jan Suhr
Hi Malte!

On 20.11.2015 11:26, Malte wrote:
> Hi,
> 
> very nice!
> 
> Two questions/remarks, though:
> 
> On Thursday 19 November 2015 22:37 Jan Suhr wrote:
>> The firmware and hardware of Nitrokey Storage have already been verified
>> by Cure59, a professional third-party security auditor.
> 
> How do you deal with the findings of the audit?

All serious findings are fixed already. Look for the "Note" at the end
of each issue description.

> (https://cure53.de/pentest-report_nitrokey.pdf and
> https://cure53.de/pentest-report_nitrokey-hardware.pdf, for the
> inclined reader. And yes, it is cure53.)
> 
> 
>> Nitrokey is made entirely in Germany […]
> 
> Can we _please_, for the love of all that is dear to us, stop advertising
> with nation-states as quality property? It might sell more sticks, but it
> fosters a sense of trust where there must be none.

This can be a hard requirement for enterprises and government
institutions, so it makes sense to inform about it. Whether this matters
to personal users is up to each individual.

Regards,
Jan

> 
> Sincerely,
> 
> Malte
> 


Re: Crowdfunding USB Security Key for Email- and Data-Encryption - Nitrokey Storage

2015-11-21 Thread Peter Lebbing
On 21/11/15 09:00, Jan Suhr wrote:
> All serious findings are fixed already. Look for the "Note" at the end
> of each issue description.

I suppose by "serious" you mean "defined as 'Critical' in the pentest"?
There are unfixed issues with severity "High":

Firmware:
NK-01-008 OTP can be unlocked by replacing Smart Card (High)

Hardware:
NK-02-006 Micro SD and Smartcard Slots lack ejection switch (High)

Personally, I don't really see yet why the latter is so important;
however, gaining the ability to issue OTP's by simply inserting my own
OpenPGP card with my own PIN seems serious? Do I misunderstand it? Or is
it not part of the threat model because the attacker is unable to
extract the key used for OTP generation?

Anyway, thanks for all your work on the Nitrokey series! I think it's
great you put so much effort into creating these nifty devices.

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 



Re: scdaemon lockup with Yubikey NEO

2015-11-21 Thread the2nd
Hi Ben,

We have a similar problem since we've upgraded from Ubuntu 15.04 to 15.10.
When starting gpg-agent with --log-file the log shows the following:

2015-05-30 13:49:36 gpg-agent[3600] error accessing card: Conflicting use
2015-05-30 13:49:36 gpg-agent[3600] smartcard signing failed: Conflicting use
2015-05-30 13:49:38 gpg-agent[3600] error getting default authentication keyID of card: Conflicting use

I've asked the list several times about this issue but got no answer yet. So I
don't have a solution, but it may be interesting if your problem is the same...

Regards
The2nd 

-------- Original message --------
From: Ben Warren
Date: 11.20.2015 16:26 (GMT+01:00)
To: gnupg-users@gnupg.org
Subject: scdaemon lockup with Yubikey NEO
Hi,

I’ve noticed several other problem reports that seem similar, hopefully they’re 
all related and there’s a simple fix.

The problem:

After an indeterminate amount of time (sometimes minutes, sometimes hours), any 
GPG operation that uses my Yubikey NEO device hangs.  The two most common 
operations are SSH authentication and git signing.  The following sequence gets 
things going again:

$ killall -SIGKILL scdaemon
$ gpg2 --card-status

System particulars:

- Host OS is OS-X Yosemite, although it is also present on Mavericks (haven’t
  tried El Capitan yet)
- GPG 2.1.5
- Using the Yubikey’s authentication subkey to login to remote Linux hosts
- Using the Yubikey’s signing subkey for git signing operations, both local and
  remote
- Using gpg-agent for forwarding both GPG and SSH (great features, BTW!)


GPG configuration file:

$ cat ~/.gnupg/gpg-agent.conf
default-cache-ttl 1
ignore-cache-for-signing
no-allow-external-cache
max-cache-ttl 1
extra-socket ${HOME}/.gnupg/S.gpg-extra-agent
debug-all
log-file ${HOME}/.gnupg/mygpglogfile.log
enable-ssh-support



I’ll be happy to help debug this, but need some guidance.



thanks,

Ben