Thoth • August 5, 2016 7:12 PM

@Banana Republic USA
Just throw Hillary Clinton to jail already for all the deliberate mishandling of nation secrets.

Oh wait … she’s Mrs. President and cannot be violated. Hmmm…. She can do what she wants to do. Including leaking all secrets of USA to Russia and China.

Thoth • August 6, 2016 5:06 AM

@Scott “SFITCS” Ferguson,

The security of keysafe hinges on the strength of the password used to derive the encryption keys for the key shares. Most passwords have low entropy and thus the strength of the password derived key has also the weak entropy. SCRYPT and Argon2 are used to transform a weak entropy password and also make it harder to bruteforce but essentially, the worry is the “What-Ifs” for the encrypted key shares by a weakened entropy password derived key. No matter how the password is delayed and stretched to form the KEK key, it is much to be desired for a stronger and higher entropy key preferrably not derived from a password to be used to wrap the key shares.

My scheme below only does very little modification to keysafe but provides an exponentially higher margin of security and also includes a Two Factor Authentication method to ensure that the KEK key used to wrap the key share is not password derived (weak entropy) and uses a CSPRNG or TRNG.

The modified keysafe scheme assumes that the random sources (/dev/random, /dev/urandom Windows CNG and CAPI or even a cryptographic TRNG dongle) are untainted and provides strong randomness without backdoors.

1.) Generate a 256-bit key from the random source and this key would be the Root Device Key (RDK). The RDK would be stored in encrypted form in a portable device (smartcards, portable HSMs, TPMs, TEEs or even a normal flash drive or MicroSD card). This forms the 2nd Factor in the 2FA as well.

It can be represented as:

RDK = SRAND()

2.) The RDK would be encrypted and MAC-ed with password derived key. The password, representing the 1st factor in the 2FA would be Argon2 transformed to yield the password dervied encryption key. The password derived encryption key (PDK1) would be hashed with SHA-256 to yield the 256-bit HMAC-SHA-256 MAC key (PDK2).

It can be represented as:

PDK1 = Argon2(Password)
PDK2 = SHA-256(PDK1)

3.) The RDK would be encrypted by the PDK1 and then encrypted RDK would be MAC-ed via HMAC-SHA-256 with PDK2. The MAC is stored after the RDK. The encrypted RDK curity terms).

It can be represented as:

BlackRDK = HMACSHA256(RDK2, Encrypt(RDK1, RedRDK))

IsMacAuthenticationOK = HMACSHA256(RDK2, BlackRDK)
If(IsMacAuthenticationOK)
…RedRDK = Decrypt(RDK1, BlackRDK))
Else
…Return False

4.) Keyshares are derived from Shamir Secret Sharing as per the original keysafe.

5.) Every key share is protected by a Key Share Wrapper Key (KSWK) which is used to authenticate whether the key share shard is tampered and also to unwrap the key share shard. Key Share Wrapper Keys are deterministically derived from the RedRDK to bind the RedRDK’s security to the key share shard’s security. This would enable the 2FA necessary to unwrap the keyshare shards residing across different servers.

To derive the Key Share Wrapping Key but also make it hard to determine the RedRDK in the even the Key Share Wrapping Key is compromised (and thus the other different key share groups protected by the RDK), The RedRDK would be SHA-256 hashed and then concatenated with the hash of the keyshare’s name and then hashed with SHA-256 again to produce the KSWK. The hashing of the RedRDk, then hashing of the name and then hashing of both the hash of the RedRDK and the hash of the name is to ensure that working backwords to find the RedRDK is a very difficult task by the virtue of the hashing being cryptographically secured one-way hash.

It can be represented as:

KSWK = SHA-256(SHA-256(RedRDK) || SHA-256(Name))

6.) The KSWK would be used in the raw form as the wrapping key to wrap the key share shards and hashing KSWK with SHA-256 would yield the MAC key to MAC the wrappted key share.

It can be represented as:

ENC-KSWK = KSWK
MAC-KSWK = SHA-256(KSWK)

7.) The wrapping and MAC-ing of the key share shards should be done by first using a symmetric cipher to encrypt the shard and then use HMAC-SHA-256 to MAC the encrypted shard to yield the MAC code which is appended behind the encrypted shard.

It can be represented as:

WrappedShard = Encrypt(ENC-KSWK, Shard) || HMACSHA256(MAC-KSWK, EncryptedShare)

8.) When decrypting and authenticating the shards as untampered, the reverse is done with checking the MAC code of the WrappedShard before decrypting the Shard.

It can be represented as:

IsMacAuthenticationOK = HMACSHA256(MAC-KSWK, EncryptedShard)
If(IsMacAuthenticationOK)
…Shard = Decrypt(ENC-KSWK, EncryptedShard))
Else
…Return False

The above scheme provides much higher cryptographic security than the original keysafe scheme by requiring the possession of the BlackRDK (what you have) and the password (what you know). The BlackRDK is equivalent to a master key of sorts and should never be uploaded online and be carried on person used in a secure environment while the WrappedShards can be highly important keys but are considered “black keys” or “inert” in a sense as they are unusable by the virtue of them being wrapped by a KSWK derived from the RDK.

Thoth • August 6, 2016 10:46 AM

@r

This is where RF shielding and @Clive Robinson’s advises comes into play. User wired connections and use RF shielding for the connection cable and computer.

Thoth • August 7, 2016 4:23 AM

@Nick P, Figureitout
re: eChronos Project

I noticed an irregularity in the project’s statement namely:

“…eChronos project builds and formally verifies, a small, versatile, high-assurance real-time operating system (OS) for embedded micro-controllers. In contrast to other OS work at NICTA, the eChronos RTOS is for tightly constrained devices without memory protection. Current implementations are available for Intel 80251 and ARM Cortex M4 micro-controllers.”

ARM Cortex M4 comes with MPU that has is optionally enabled. It kind of bewilders me why someone would not enable MPU if they know they are doing security critical applications in still not enable MPU.

How to enable MPU in ARM Cortex M4 is linked below and other details of M4’s MPU. I have checked both STMicro’s STM32 and Atmel AT02346 (@Figureitout’s favourite) that are ARM Cortex M4 and both comes with MPU.

Why wouldn’t a security application be enabling MPU on ARM Cortex M4 that allows toggling of MPU ?

When you enable the MPU for the loaded applications, it would lock the memory of the loaded application to the range it is suppose to use and it is better to create the OS to run the native MPU locking and force the enabling of MPU. This would make it much lighter and I am guessing this might be @Figureitout’s concern. I looked at the Github and it’s kinda a wall of things. Not gonna be too easy for the eyes and probably also the mind thus @Figureitout’s knee jerk reactions kinda kicked in.

The eChronos page has a time line that mentions it’s deliverables can be loaded onto STMF32 which is what the Ledger Blue and Nano S are using which immediately got me flipping through the pages and noticed the possible discrepancies in the statements because I remembered that the STM32s have MPU.

Links:
– http://infocenter.arm.com/help/index.jsp?topic=/com.arm.doc.dui0553a/Cihjddef.html
– http://infocenter.arm.com/help/index.jsp?topic=/com.arm.doc.dui0553a/BIHJJABA.html
– http://www.st.com/content/ccc/resource/technical/document/application_note/group0/bc/2d/f7/bd/fb/3f/48/47/DM00272912/files/DM00272912.pdf/jcr:content/translations/en.DM00272912.pdf
– http://www.atmel.com/Images/Atmel-42128-AT02346-Using-the-MPU-on-Atmel-Cortex-M3-M4-based-Microcontroller_Application-Note.pdf

Thoth • August 7, 2016 6:21 AM

@Nick P
So far most of the M4 I have seen implemented the entire portfolio which includes MPU which the big fabs made (NXP, ST, Atmel, Texas Instruments) . Most manufacturers would buy the portfolio and implement the entire blueprint they bought into the chip so that they would have all the features available instead of selectively removing certain modules from the blueprint and then making them into silicon and when they need to bring in a feature, going back to drawing and then lithography and all that which is a waste of cash and time.

Since the common Cortex M4 from what I see comes with MPU inside, the baseline is inverse where MPU equipped M4 are the common norm in the industry and market as can be seen from common M4 products like STM32 from ST and LPC family line from NXP/Freescale and TM4C from TI. Due to these 4 companies having the lion’s share in silicon production of ARM chips specifically the Cortex M4 and all of them brings in the MPU in their design, it becomes harder to find someone that does not bring MPU onto M4 chips. If the project is security related, the project implementors do better make damn sure they buy one with MPU.

Gettingan ARM Cortex M4 without MPUs is harder due to most of the big chip makers have implemented MPU into their ARM Cortex M4 products.

Thoth • August 7, 2016 6:30 PM

@Daniel
Properly designed file signature schemes are immune to such attacks especially if sideloading fields are not allowed but as usual with m!cro$oft, anything made by them is crap and hopelessly broken. Even their authenticode digital signature scheme is hopelessly broken by allowing the fields on part of the ACT header to allow bypass by not checking it.

A properly designed scheme and implementation would be more rigid and not allow arbitrary data to escape the signature checking.

This is more of m!cro-crap implementation and design than say signature schemes being insecure.

Thoth • August 7, 2016 9:43 PM

@Dan3264

Yes it’s under maintenance for the HTTPS portion.

Thoth • August 9, 2016 7:01 PM

@Nick P
I am guessing that it is more of people too used to seeing the insecure stuff from their day to day programming with insecure tools and secure verifiable models and tools are still not commonly seen and mostly either for academics and research and probably Governments like NSA’s IAD might simply hire those niche security market leaders like Galois to do the high assurance codes for them while they dish out specifications and test cases.

Thing is such verifiable models and systems need to get out of the “academic” state to a production mode.

Some products as you have pointed have those high assurance verifiable models which is good to know but what is needed is industry effort to drive out the old shadows of insecure models which the industry have been unwilling as no one wants to be held accountable for poor codes they wrote. Most of them just want to code and forget.

Thoth • August 10, 2016 3:00 AM

@all, Nick P, Figureitout

How to use OpenPGP card applet on Windows

No hate spamming on Windows for this documentation.

This is only for documentation purposes as I am experimenting around just in case we have readers here who find Linux not suitable and wants to use Windows with an OpenPGP smart card.

Assumptions:
– Latest build of GPG4WIN
– A Yubikey secure hardware dongle containing PGP capability
– If you do not have a Yubikey or want to use a traditional smart card … you have to meet the below smart card hardware specs
– A smart card supporting JavaCard 2.2.2 and above with RSA-2048-PKCS-1.5 signing and encryption algorithm. Smart card with at least 20 KB of EEPROM or Flash memory and at least 2KB of RAM memory on the safer side.
– You need to know how to find out card reader name via OpenSC (another software) and also know how to use GPShell or GPPro to load your own smart card with the smart card applet downloaded from Yubikey’s repository and the card must be an Open Card (a.k.a OP_READY mode) with the default GP keys 0x40,41,42 … 4E,4F (found in GP manual).
– Windows 7 and above (any desktop or server variant)
– Smart card reader supporting ISO-7816 at the very minimum
– Default card user PIN is 123456 and default card Admin PIN is 12345678 (hard coded defaults needing to be changed upon receiving new card)
– Downloaded smart card applet from Yubikey website (https://developers.yubico.com/ykneo-openpgp/Releases/)

Steps:
1.) Go to %APPDATA%/gnupg
2.) Create scdaemon.conf file
3.) Add lines in the scdaemon.conf file

reader-port
card-timeout 5

4.) Go to Task Manager and stop all gpg… exe processes and scdaemon.exe process.
5.) Open command line and enter “gpg –card-edit” to enter into GPG’s Smart Card Shell
6.) Setup your PIN, Admin PIN and Reset Code
7.) Type “admin” to enter to card admin mode and give them the default admin PIN. It should reply that admin commands are allowed.
8.) Type “passwd” to enter PIN changing mode and select “1” to change normal user PIN.
9.) A popup would ask you for PIN which you type the old default user PIN (above) and then type in your new user PIN twice. It should say PIN changed. Be very careful when entering PIN codes as you have only 3 tries for all the PINs and must destroy the applet or even the physical chip card if the Admin PIN and Reset Code PIN runs to 0.
10.) You should be brought back to the PIN change option selection menu where now you select “3” to change the old default admin PIN (above) to new admin PIN. Use the 8 digit old admin PIN (above) when asked to supply via a popup and then key in a new admin PIN twice.
11.) You are now left with specifying Reset Code which is a code able to reset a blocked user PIN but is not as powerful as the Admin PIN. A scenario is an organisation issuance of smart cards where the Admin PIN is held by the employer and you are issued with a Reset Code in case you block your user PIN out with too many wrong tries.
12.) Select “4” for reset code and use the new Admin PIN to authenticate and then set the Reset Code. If there are simply too many PINs to remember, skip the Reset Code out.
13.) Quit the PIN changing menu by pressing Q.
14.) You may freely explore the card and setup additional card information like the “name” (your name), “login” (login card screen name), “lang” preferred language, “sex” (gender).
15.) To generate your PGP keypair, type “generate” in the main menu.
16.) You will be asked if you want to have off-card backup of encryption key (PGP key) which you select “Y” (Yes) in case you botched it up. You will need to authenticate with your user PIN (a popup) and you will be asked to select validity period of key. Select 0 or simply press the Enter key for infinite validity key period. Confirm infinite validity period for PGP key and you will be asked some information (name, email …) to be stored with the key including comment on the key’s usage. Acknowledge the information.
17.) You will be asked for a password to protect the backup copy of your PGP key on your computer.
18.) You should see something like that after you generated your smart card protected PGP key.
19.) You may use the “verify” command to verify your user PIN from time to time.

gpg: NOTE: backup of card key saved to `C:/Users/Thotheolh/AppData/Roaming/gnupg
/sk_5C65F6B0452E3DE5.gpg’
gpg: key FDF2BE7E marked as ultimately trusted
public and secret key created and signed.

gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0 valid: 7 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 7u
gpg: next trustdb check due at 2016-12-31
pub 2048R/FDF2BE7E 2016-08-10
Key fingerprint = D581 6857 8CBA 5E40 F681 B363 2D83 B277 FDF2 BE7E
uid [ultimate] Thotheolh (PGP SC Code Signing Key) twzgerald@gmail.com
sub 2048R/BCCA4F9D 2016-08-10
sub 2048R/452E3DE5 2016-08-10

20.) You now own a smart card containing a PGP keyset for signing your PGP protected data. Type “list” into the main menu (with your card still connected) to view your card details:

Application ID …: D2760001240102000000000000010000
Version ……….: 2.0
Manufacturer …..: test card
Serial number ….: 00000001
Name of cardholder: Thotheolh
Language prefs …: [not set]
Sex …………..: unspecified
URL of public key : [not set]
Login data …….: Thotheolh SC PGP Code Sign
Signature PIN ….: forced
Key attributes …: 2048R 2048R 2048R
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 3 3
Signature counter : 5
Signature key ….: D581 6857 8CBA 5E40 F681 B363 2D83 B277 FDF2 BE7E
created ….: 2016-08-10 07:43:37
Encryption key….: 2D9D 4A3D EA85 4D1D 09C2 7A12 5C65 F6B0 452E 3DE5
created ….: 2016-08-10 07:43:37
Authentication key: 0C2B 2740 7F31 CECF D075 1326 B6F2 3861 BCCA 4F9D
created ….: 2016-08-10 07:43:37
General key info..:
pub 2048R/FDF2BE7E 2016-08-10 Thotheolh (PGP SC Code Signing Key) twzgerald@gm
ail.com
sec> 2048R/FDF2BE7E created: 2016-08-10 expires: never
card-no: 0000 00000001
ssb> 2048R/BCCA4F9D created: 2016-08-10 expires: never
card-no: 0000 00000001
ssb> 2048R/452E3DE5 created: 2016-08-10 expires: never
card-no: 0000 00000001

21.) You will see the PIN retry counter as 3 3 3 with the first number representing the PIN tries for user, the second for keeping the first PIN try counter in sync and the 3rd PIN try counter is for Admin PIN tries.
22.) Carry the smart card with you whenever possible as it contains your PGP key and do not disclose any PIN information in any way.
23.) To physically destroy a smart card (single chip type) take a scissors and cut across the metal plate contacts in an asterisk shape with all cuts meeting at the center of the metal plate of the smart card as the IC chip is encased directly in the center underneath the metal plate. More careful cutting (as long as the cuts all meet in the center of the metal plate) is most advisable.

Thoth • August 10, 2016 9:31 AM

@Dirk Praet
If you want the Yubikey wih PGP, you need to purchase from them Yubikey 4, 4 Nano and Neo. A note is the Yibikey 4 and 4 Nano are currently under-going FIPS 140-2 CMVP validation program for it’s cryptographic secure hardware certification. They have not yet been certified.

Thoth • August 10, 2016 8:26 PM

@Nick P

“verified theorem provers in theorem provers”

Chicken-and-egg problem. This opens a bigger surface area to attacks vs. hand checked and hand coded nano TCB.

“If underlying LISP is correct, then the method is sound & still awesome result.”

That’s too much trust placed upon LISP’s correctness and also assuming the underlying codes that runs LISP is not subverted by some HSA or Nation State ICs (i.e. NSA, GCHQ, BND, FSB …etc…).

Thoth • August 10, 2016 9:11 PM

@Nick P

“The LISP specs, ISA specs, proof stuff, and prover are all open-source.”

Where do I get the Lisp program and the other stuff necessary ?

“LISP’s that simple are coded by undergrads in spare time all over the world.”

I thought Java, C#, C/C++, Ruby, Python, HTML/JS are the more common stuff people (and students) turn to these days ?

Thoth • August 11, 2016 8:07 AM

@Clive Robinson

re: RSA Key Generation Biasness and Randomness

I have long suspected that as well. As you know I am programming smart cards in JavaCard and I noticed that I can detect different batches of smart cards and IC manufacturer under the same card supplier or even among different card suppliers with different Card OS with very high accuracy by simply looking at the first byte of the public key despite using the smart card boasting to have TRNG features and compliant to AIS-31 for TRNG according to German BSI standard and now widely industry recognized as the go to standard for TRNG ranging from CC EAL to FIPS 140-2.

I sometimes wonder if there is some sort of batch seed of sorts inserted at the factory as the RNG seed with some mixing of some weak TRNG circuit or PRNG circuit in the IC chip and some magic dust formula to make it look random to pass whatever evaluation tests they need to undergo. Noting that smart cards and embedded cryptographic chips are highly reliant on factory set seeds in a bid to prevent collision of seed material to create some illiusion of randomness.

A better method as @Bruce Schneier have already written is to use the Fortuna RNG system he created which aggregates entropy from as many sources and then process the possibly bias or even malicious entropy to spit out more secure entropy.

To protect smart cards and embedded cryptographic devices from problematic randomness, it’s best to use a trusted air-gapped and even energy-gapped system to gather entropy before finalizing a seed and then injecting the seed into the smart card or embedded crypto-processor’s RNG instead of using the default seed that the smart card or embedded crypto-processor might be programmed with.

Thoth • August 12, 2016 1:13 AM

@r

Ouch … goodness … you nailed the problem in it’s head 🙁 .

Hopefully our (me, @Nick P, @Clive Robinson, @Wael, @Figureitout, @Markus Ottela) push for increasing the margin of security would take roots but for now, it’s just us (me, @Figureitout and @Markus Ottela) who are doing practical implementations of some higher assurance projects but if compared to commercial offerings, it is very roughly done.

Thoth • August 12, 2016 11:25 AM

@Nick P

Keep your friends close, keep your enemies closer. Nice move by NATO to try to keep Ankara closer 🙂 . But it boils down whether Ankara would be baited.

Ankara’s only use is to keep “them” out of the Mediterranean sea via the Bosphorus Straits.

Link: http://www.theregister.co.uk/2016/08/12/f35_turkey_rattles_sabre_nato/