Schneier on Security

Thoth • October 21, 2016 8:07 PM

@all
It is quite sad to see some readers putting themselves in the center thinking that by saying they wouldn’t read @Bruce Schneier’s blog because we posted some long posts and it requires scrolling would be meaningful or helpful.

These people have no idea how much time is spent drafting a long post jam packed with all these useful insights and important development notes released by some of us who are doing practically free and open source security development which not many would be willing to burn their weekends and pull their hairs out over it.

Please be more empathic to how we feel putting the effort to write highly informative information that you won’t find lying around on the Internet and to include progress notes of practical security development we do in our free time vs. that few seconds of frustration while scrolling through the long pages. I believe a few of us are using smartphones to access the contents and have to scroll through the long amount of posts and some of us have to type on tiny little smartphone screens to reply (and sometimes in a long winded fashion out of necessity).

If scrolling is too troublesome, then this is a wrong place to be in. Expect tonnes of scrolling and be more empathic to those of us who have lots to say with important contents to publish.

Thoth • October 22, 2016 12:30 AM

@Markus Ottela
Regarding Yubikeys which you mentioned in your change log:

“No magical crypto dust exists to protect from this so make sure to use strong passphrases and possibly 2FA with something like Yubikey, that remembers a static part of the passphrase”

Nice way of putting it by the way 🙂 .

Now for the Yubikey part, I have an idea how to make some magical crypto dust via some magical crypto token 🙂 … or more of an illusionary one that looks magical …

If you remember how Android OS does it’s Full Disk Encryption with Qualcomm’s QSEE hardware backed Keymaster, the hardware backed Keymaster stores an RSA private key which is used to sign a user entered PIN or Password and the signature is then put through some process to shorten it to whatever key length the Android OS FDE system wants. Essentially the signature is hashed to the key length to put it very simply.

What are the features Yubikeys have:
– HOTP
– PIV (Smart card login)
– FIDO U2F 2FA
– OpenPGP smart card

It now becomes very apparent that there are 3 options that enable smart card based secure key storage of an RSA 2048 bit key inside the smart card chip of a Yubikey. Those are the PIV, FIDO and OpenPGP applets.

The Android FDE technique can be emulated in this context by using either one of these three smart card applet found in a Yubikey token to store an RSA private key that will sign the user derived PBKDF hash and then the 2048-bit signature would be hashed to derive a 256-bit key for use.

It can be represented as:

CryptoKey = Hash(RSA2048Sign(HardwarePrivateKey, PBKDF2(Hash, UserPassword)))

This ensures that a “What You Have” and “What You Know” exist at the same time to provide a strong cryptographic protection. Even if the password is weak, the attacker will need a tamper resistant hardware protected private key to derive the decryption keys.

There are three applets in Yubikey and which of them is the most suitable applet to invoke to get the job done.

PIV applet:
– It is used in Windows login and Governmental stuff but it is rarely used in a normal user setting and is complex if you want to use this stuff. It requires reading thousands of pages of PIV document by NIST FIPS 201 and other accompanying standard linked below to understand how to get this stuff working.

OpenPGP applet:
– This is one of the better choice but the problem is OpenPGP specification only allows a single keyset in it’s applet. Users might want to segregate their email security keys from their TFC security keys.

Due to how OpenPGP works, an OpenPGP keyset is made up of three pieces of keys. One for decryption, one for signing and one for authentication but all of them are simply RSA-2048 bit keys at the end of the day. You can specifically decide to only use one of the keys to perform an RSA operation if you want to but another problem appears which is smart card PIN. In order to execute a security operation, the user have to submit a smart card PIN to operate the RSA keys and now the user not only has to know his weak password, he needs to remember his PIN.

Methods can be used to derive a smart card PIN from the hashed password but that means when a user wants to independently operate the OpenPGP applet from the Yubikey, the user must know how to derive the weak password into the hashed password and then into the smart card PIN which is a pain but this surely provides much better security when compared to the next method I am below.

FIDO U2F 2FA applet:
– You do not need a PIN to operate the FIDO U2F applet because that’s part of the specifications. All you need to do is press the golden button found on the Yubikey to activate the RSA key operation. The reason PINs are not required is it’s primary role as a “What You Have” to complement the already existing “What You Know” and the FIDO U2F does exactly what it was intended very well.

Another plus point is the FIDO U2F applet is allowed to create unlimited amounts of cryptographic keys and the FIDO keys are NOT RSA-2048 but NIST/NSA Suite B ECDSA P-256 keys as per the FIDO standards. Now, someone might be shouting loudly “BACKDOOR SPOTTED” and before yelling that, chill and listen. You have to figure out the P-256 key and you have to be able to reverse the hash function on the signature to be of any use at all from the above algorithm I have given.

The FIDO U2F applet can allow unlimited keys because the U2F specification have a provision for derived or wrapped key offloading where the smart card / Yubikey will house a master secret key to derive or wrap the P-256 key which the garbled P-256 key material would then be exported since it is not a live key anymore. Yubikeys take the path of using it’s internal HMAC-SHA256 algorithm to be combined with unique nonces to derive the unique P-256 key which is much more secure than using AES to encrypt the P-256 key (in my opinion). Linked below includes the Yubikey’s U2F key derivation method. Whatever that is offloaded during the creation of the unique P-256 are actually unique nonces which are by themselves not sensitive unless somehow the Yubikey’s master HMAC key for the FIDO applet can be extracted from the tamper resistant smart card chip inside the Yubikey and the master HMAC key for each Yubikey device is uniquely generated to ensure that the compromise of one Yubikey is not going to affect another Yubikey if the smart card’s tamper resistant barriers and sensors somehow becomes breached and reverse engineered successfully.

Without needing to remember additional PIN (except for a button press on the golden button), the user can use the FIDO applet to create a unique P-256 signing key which during the process will offload it’s unique nonce and public key certificate. You can store the public information together with the encrypted database and if you need so, you can sign the encrypted database and public cryptographic information itself with the P-256 key to detect tampering with the ease of a golden button press on the Yubikey token.

The FIDO U2F smart card APDU protocol (use to connect to the Yubikey applets) are open standards and Yubikey being a FIDO certified device must implement the standards. I have linked the FIDO U2F APDU protocol below and from the protocol, it’s very simple with only 3 request message formats (look for XXXXXX Request XXX under Chapter 6) which are Registration type (key generation operation), Authentication type (signing operation) and Version querying type (theoretically 🙂 ).

Comparing all the options available above, FIDO U2F is the better choice to create a hardware secured private key as part of the “magic sauce” to protect a weak user password from being bruteforced as long as the Yubikey token is secured.

On top of that, I have a couple of spare Yubikeys sitting around, so if you want help for the Yubikey/FIDO portion, you can drop me a message.

Links:
– http://csrc.nist.gov/groups/SNS/piv/standards.html
– https://www.yubico.com/2014/11/yubicos-u2f-key-wrapping/
– https://fidoalliance.org/specs/fido-u2f-usb-framing-of-apdus-v1.0-rd-20140209.pdf

Thoth • October 22, 2016 5:34 AM

@Markus Ottela
I was looking through the FIDO documentations and despite the commands being simple, it is difficult to manipulate it’s signing feature for use as a hardware protected brute-force prevention mechanism for the What You Have factor in 2FA.

I decided to spin up my own Smart Card Root Of Trust (SCROT) scheme below that is easily workable on many smartcards available on the market as long as you buy one with AES-256-CBC.

SCROT operates as a hardware-based Root of Trust where it is used in an authentication scheme that requires a What You Know and What You Have. The SCROT contains an AES-256 bit key that is corresponding to the What You Have factor in the form of a Smart Card or Secure Element running JavaCard.

SCROT works with a What You Know factor in the form of a user supplied secret byte string (i.e. hashed passwords or keys) and during the registration phase, the user supplied secret byte string with a limit of 200 bytes would be hashed and stored as a PIN using SHA-256 hashing. A randomly generated AES-256 bit key would be generated and stored nothing exportable.

When a user intends to authenticate, to perform the Root of Trust key mixing operation, the user has to supply the same secret byte string (max of 200 bytes) used when creating the ROT derived key for authentication. During the creation of the ROT master key, the user may set flags to specify whether there will be limitations on failed authentication which will result in CSP wiping or whether to allow unlimited authentication tries. If authentication limitation flag is set to TRUE, user may set the amount of retries in a single connected session before the CSP wipes itself if failure is detected.

The hardware secured AES-256 bit key would be used as an encryption key to encrypt the user supplied secret and padded with zero bytes until it satisfy the block length (16 bytes) for AES and the resulting ciphertext would be SHA-256 hashed to derive a final 256-bit key. The AES cipher mode will be CBC mode of operation with 16 bytes of zeroes as the IV.

Thoth • October 22, 2016 7:19 AM

@Curious
re: Indiscreet Logs: Persistent Diffie-Hellman Backdoors in TLS

Stick to the tried and tested DH groups (MODP/RFC3526 and Oakley) for now. The main problem is getting your browser to detect weak or problematic groups and then weed them out. You don’t really have fine grain control of your own browser and this makes the problem even worst.

The way forward would be to standardize a set of tried and true DH groups for those who are still using DH.

Another method is to have a long term RSA signing key and for a single session, you generate a random pre-master RSA session key and use the long term RSA signing key to sign the session pre-master RSA key. The pre-master RSA key would encrypt 24 bytes of nonce and send to the destination (assuming the destination also sends their signed RSA pre-master session public keys) which they would also encrypt with their own pre-master RSA key to send their own 24 bytes nonce.

Both sides combine the two pieces of 24 bytes nonce into a complete 48 byte nonce and the first 32 byte is used as the session 256-bit encryption key and the last 16 bytes are used as the session 128-bit HMAC key. Once the secure session is finally established, the pre-master RSA keys are discarded (wipe memory buffer) and use have a sort of RSA-based Forward Secrecy scheme (kinda like DH but not DH).

Thoth • October 22, 2016 6:19 PM

@Figureitout
Probably once I have finish implementing the native desktop I/O to bulk read/write the files then it would be more conclusive of the problem.

I sometimes wonder if the actual speed lag might be from the JVM in the card but that is hard to conclude.

The method I am using to measure the milliseconds spent does not include native file I/O by the way. What the timing measures is the total transaction time between the card and the desktop. For every transaction, it would add up to a total transaction timer I set in place.

Thoth • October 22, 2016 8:25 PM

@ab praeceptis

“Those thingies are made to infrequently do some crypto and to transmit a low amount of data”

Indeed. Those shouldn’t take too long though as most of the memory crypto are usually XORs but that just my guess. Each chip uses different methods to encrypt their internal RAM and EEPROM and are kept under multiple layers of red tapes.

“The Infineon chip we talked about would actually be a speed demon for those typical scenarios (like signing a 32 Byte hash)”

Yes. This is indeed true as Infineon chips are one of the fastest I have ever worked with (NXP, Infineon, Samsung). NXP gives pretty decent speeds too.

“When they added USB capability they didn’t do that because they needed more speed but because USB became an omnipresent standard and end customers wanted something to simply plug into their PC.”

That’s correct as most people are ditching the CCID card reader and are doing USB FIDO/PKI tokens and what better than to simply add an additional USB firmware into the chip. I recently bought a small batch of JavaCard USB tokens and they simply out perform any smart card reader + smart card (traditional setup) in terms of speed test. I have not uploaded my GroggyBox applet since the USB smart card token does not support PKCS 5 pad mode natively and that is a major headache so I am giving myself sometime to think of how to handle this situation. I could either implement zero pads and not use PKCS 5 padding mode or I could implement software PKCS 5 pad mode but I am leaning to switching to zero pad mode but breaking compatibility with PKCS 5 pad would also be questionable when it is the industry standard.

“Your usage is just far out of industry bounds, I assume.”

That is correct. Smart cards were never built for bulk encryption like what I have done. The most they were expected to handle were small transactions and wrapping of cryptographic keys and leave the bulk encryption to the host (insecure) computer.

“You have some not fast but “safe” crypto and some “safe” on chip memory and some security gadgets available. That’s a nice basis which quite well supports quite nice approaches. Example: Seeding a good PRNG, drawing some key out of a “magic hat” (the smartcard thingy), etc.”

I guess that sums it up. Pretty much I have to lower the user’s expectation of a fast and safe smart card file encryptor into a slow and safe and friendly smart card file encryptor. To compensate for the slow speed, the only thing I can think of to keep users happy would be to make the GUI much more friendly and usable so that despite the slow speed, the UX would make up for the slow speed and also to lower the user’s expectation on the crypto speed of these tiny security devices.

Thoth • October 23, 2016 1:56 AM

@ab praeceptis
If I were to do native Infineon blobs or any native smart card blobs, I will be (and my applet as well) subjected to:
– NDAs … tonnes of them
– Create the Card OS from scratch which is a pain
– Not able to open source anything

All these would doom the FOSS nature of my project and adds unnecessary cost, legal, resource and time wastage.

I would prefer to use a standardised JavaCard which is fully open platform and thus my applet can be comfortably open sourced without any NDAs, legal, cost, resource or other problems a native applet with native from scratch Card OS brings.

So no, I would not consider another solution that will impact the FOSS nature of my project and which would prevent the ease of running a single applet on multiple platforms (NXP, Infineon, Samsung ..etc..).

Sadly, only JavaCard fits the bill as it is the single most widely adopted Card OS out there only following behind by MULTOS and for MULTOS OS, it uses C but it still have the overhead of a VM like JavaCard and there is only one supplier of MULTOS while JavaCard suppliers can be found across all major smart card suppliers and almost 99% of card development are JavaCard safe for proprietary card development encumbered by red tapes and NDAs.

So the short answer is no, I will only stick to JavaCard for now as it’s the single most widely adopted smart card platform with the most market shares and also the most support and tools.

Maybe you could take some time to pick up JavaCard and buy a small batch of JavaCard enabled smart cards online. It isn’t too hard to pick up JavaCard since the syntax is mostly Java style and you just need to remember your codes cannot do dynamic calls and there is only one software applet package per applet. I picked up most of my JavaCard and smart card APDU skills and settled down within about 1 week plus pretty quickly.

Thoth • October 23, 2016 6:24 PM

@ab praeceptis

I have no idea how to do a verifier in a smart card so I have to spend time reading up before I can decide. Don’t want to introduce too much complexity into it.

Thoth • October 25, 2016 3:31 AM

@Markus Ottela
In my original Root of Trust design above, I did mention that keys are not exportable. Once the user enters the correct secrets into my smart card scheme, it turns into an encryptor assuming you don’t have a ton of things to encrypt since I assume the encrypted database would not be more than 300 KB ?

The smart card can also be doubled as a message encryptor like Project Vault which can be adapted to. The drawback is that smart cards are rather slow encryptors so they are mostly suited for signature checking and unwrapping the KEK.

Thoth • October 25, 2016 9:35 PM

@Markus Ottela

“but I think it’s worth it to store a hash that can verify identities of parties during initial key exchange, e.g. SHA256(“fingerprint” + public key with smaller value + public key with larger value)”

This can be done. Pretty easy.

“You said keys are not exportable. Is this by design or is it possible to control the exportability so that only the hash of public keys is exportable and not the symmetric keys.”

This depends on whoever write the applet codes. If the developer does not include a mechanism to export, there is no way to extract it. If you include a method to export, it can be exported in secure or insecure fashion whichever the developer chooses.

“As long as conversations are not logged on the smart card I don’t think there’s a problem with the limited space.”

Most smart cards have 80 KB EEPROM and that includes the executable. Better to store non-cryptographic stuff or things that do not need smart card protection off the card and use a card’s key to wrap them if necessary.

“Smart cards may be slow but unlike TxM/RxM currently, they don’t have to re-encrypt the entire key database after every message. Just encrypt+sign/auth+decrypt 255-byte string, run the key once through SHA256 and update the hash ratchet counter. That’s all.”

Indeed there is no need to re-encrypt the key database since the smart card already is a secure environment that is also tamper resistant by itself. Hmmm… if you have to re-encrypt your database after every messsagem wouldn’t that mean that your TFC have a significant overhead everytime you send a message since you must re-encrypt key database after every message ?

“Any idea what the performance numbers are on your ChaCha20(-Poly1305?) implementation or AES?”

ChaCha/Poly1305 will be slower than a snail crawling. Better not to go that direction. For AES-256 encryption including I/O to smart card over a 200 byte string, that will take somewhere between 70 to 90 ms. The ciphering is not the lagging part. It is the I/O that is slowing down portion of the scheme. Most ciphering will take from 2ms to 40ms at most and for Infineon chip via SLCOS (COS are the different types of Card Operating System) type cards, it does it around 2ms+ and for FTJCOS type cards it does it around 4+ ms for ciphering a 200+ byte string.

What kind of speed are you looking at and how much bytes you need to encrypt/decrypt/sign/auth/hash depends on the use cases.

Just an idea of the timing used, 1 second is 1000 ms and let’s assume the Smart Card I/O (both ways altogether calculated) + AES ciphering activity + SHA256 hashing takes 90ms which is 0.09 seconds done over a byte string of 200 bytes.

A cautionary note is getting smart cards to encrypt something like a PDF file, images or multimedia, the user might not be patient enough to wait for 345 KB PDF to de/encrypt and hash while thumbing their fingers and waiting for 2.5 minutes via AES-256-CBC-PKCS5-SHA256 scheme. Anything done on smart card should usually be completed within 3 I/O cycles (256 bytes * 3 cycles of I/O) otherwise the user probably would pull their hair out.

Do note that smart cards don’t support Curve25519 since it’s not NIST standardized. These cards usually support RSA-2048 and for the lucky few, RSA-4096 would be supported too if users are willing to pay cash for those kind of security. NIST ECC cruves are expected on most modern cards with key sizes usually up to 256 bits.

My recommendation is to use smart cards for their AES/SHA hardware and to use it to secure critical codes and data (i.e. integrity checksum comparisons for key databases) that you are worried that malwares might attempt to alter, deny or exflitrate since the only practical way into a smart card other than physical decaps and physical attacks is via it’s APDU logical protocol which is easily audited, open standards and controlled by the developer of the applet if you know where and what to look for.

Thoth • October 26, 2016 12:55 AM

@Markus Ottela, Figureitout, Clive Robinson, Nick P
Please do not mention dataShur as a secure device. I remembered I have busted dataShur as INSECURE device on one of the posts somewhere.

You should start reading the dataShur Common Criteria paper and you will be appalled at how insecure it is. If you give the dataShur to @Figureitout, the dataShur becomes dataUnshur !!!

You have some technical backgrounds yourself and you should actually consider experimenting with defeating dataUnshur yourself if you have time and money. The security of dataUnshur is it has no tamper resistance at all. None. It relies on it’s USB microcontroller to accept a PIN and do the security operations and the USB microcontroller can be a PIC chip and there are tonnes of materials in the wild on how PIC chips are NOT security chips. What dataUnshur relies for security is just a bunch of tamper evident epoxy and that’s all.

Too bad I don’t have access to strong acid and all that as you need a chemist license to operate a lab in Singapore otherwise I would have decapped that thing long time ago. How dataUnshur works is PIN and crypto are all bunched into the PIC chip. If you enter the wrong PIN, the PIC chip acts as a hardware router that simply denies USB mounting. If you enter the correct PIN, the hardware based PIC chip router would allow USB mounting and the AES decryption would take place. The worst thing is the PIC chip (not even a security chip of any sorts)

In fact, dataUnshur does not own the technology. They simply licensed the patented technology from Clevx’s Datalock technology which by the way many other licensees of the Clevx Datalock technology (not just DataUnshur but includes Toshiba’s similar spin-off). All products (licensees) of the Datalock patent are vulnerable in the sense it is not truely tamper resistant but marketed as tamper resistant and who knows what other vulnerabilities lies inside including hacking the JTAG and what not.

So what if dataUnshur gets FIPS 140-2 Level 3 … it means nothing because the current FIPS 140-2 standards are considered outdated and easily bypassed. I think Ross Anderson would easily bypass many FIPS 140-2 “HSM” that are not HSMs in any form or way. Those are simply dishonest marketing and a security certification system that is totally busted by many experts and shown to be faulty. Heck, even CC EAL certification is pointless as most part of the CC process is not spent on actually decapping and micro-scoping the chips sent for “evaluation” but mostly spent on reading piles of reports that have to conform to CC certification.

If you want CC EAL 5+ chips, you put a bunch of metal shields and enclose it in epoxy, write a nice report and there you have it. A “smart card” or “secure element” chip. Yes, I am simplifying a ton of stuff here but I just want to put the point across that most secure element, HSMs and smart cards (including TPM) are mildly to moderately tamper resistant or even tamper resistant at all.

I made popular the idea of using smart cards because it separates actual state attackers from script kiddies and smart card are mildly tamper resistant but not strong enough if you are up against nation states. I have been developing a bunch of methodologies which I am finding time to release and write about in future to compensate the mild tamper resistance of these smart card chips. It simply makes attacking harder on the remote level and somewhat harder on the physical level but compared to dataUnshur that does not use any tamper resistant chips (even mildly), dataUnshur is a big door wide open. One other and highly important reason I push for smart card adoption is because of programmability. You can script your JavaCard, BasicCard, .NET Card, MULTOS C card … and in that instance you can obfuscate your codes and executables and for a smart card chip with limited RAM and EEPROM, it will be difficult to hide a malware that de-obfuscate and predicts your execution as the lag will be too apparent and easily detected. Smart cards are also highly available in market and almost every hardware security researcher will at least decap a smart card once and if stuff is hidden, someone would have caught something due to high availability of smart cards and because of it’s high availability, that means hidding backdoors that can be easily measured by researchers becomes harder and plus these smart cards are commodity products in a way where it can be used for virtually anything from payment to transit, governments … backdooring would require too much effort and too large of a scope and also introduces risk in the own governments having the same vulnerability as everyone thus my view the backdooring all the world’s smart cards is likely implausible in whatsoever form and thus my push for use of smart cards as Secure Execution Environments for very critical and weird use cases that the industry never have dreamt off to put them off their guards.

DataUnshur in no form or way is suitable even for HIPAA, FIPS, CC, HSPD, DOD, CESG, EMV, PCI DSS … whatever Government, Financial or Critical Infrastructural use, let alone protection of data security in my opinion due to it’s insecure chip design.

If they want to improve, they must move away from an insecure chip and use something like a smart card controller or a dedicated HSM chip even if it cost money.

Yubikey once used an insecure micrcontroller and was shown to be insecure (one of those old Blackhat of DEFCON videos somewhere in Youtube land) and after the exposure, Yubikeys are now equipped with NXP’s JCOP smart card controller. The Yubikey uses a JavaCard capable smart card chip with CC EAL 5+ rating and technically you can program a Yubikey like any smart card using the JavaCard language but they decide not to release the ISD keys (Card Manager keys) required to authenticate and authorize the programming of the NXP JCOP chip. I have not heard of anymore problems with Yubikeys once they switched to using NXP’s JCOP smart card as the heart of their Yubikey products.

Side Note: Do note that trying to bruteforce the ISD keys (2-Key TripleDES) more than three consecutive failed authentication into the Card Manager applet in any smart card may cause the card to permanently brick itself thus a good way of protecting unauthorized card programming 🙂 . You need to request the 16 bytes of TripleDES keymat into the ISD domain to authenticate and load the executable from whoever issues you the card.

Links:
– http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp1873.pdf
– http://www.clevx.com/datalock-fips.html

Thoth • October 26, 2016 1:26 AM

@Markus Ottela

“That’s actually a lot better idea. To store all keys on TxM/RxM and to store one key encryption key on the smart card. The smart card authenticates whatever keys are input before decrypting and using them. More I/O but significantly less space requirements.”

This is how most smart cards applets do. They handle the tiny KEK and the rest is left to the host computer.

“So ~100ms for 255 byte message isn’t a problem but databases might.”

Good to know.

“Is the AES authenticated encryption (e.g. GCM), or is SHA256 MAC required?”

GCM is a very new cipher mode and thus not supported. It is not surprising considering most smart cards are simply tamper resisting legacy CPUs and never meant to be all too updated.

Current Cryptographic Algorithm list for you to select:
– AES_CBC_NOPAD (no padding literally)
– AES_ECB_NOPAD
– AES_CBC_PKCS5 (depends if supplier has PKCS5, currently working on PKCS5 to be hand coded by myself in case PKCS5 is not around)
– AES_ECB_PKCS5 (depends if supplier has PKCS5, currently working on PKCS5 to be hand coded by myself in case PKCS5 is not around)
– SHA_256
– HMAC-SHA_256 (depends on supplier but I have a working HMAC-SHA2 library I hand coded and suppose to work from SHA1 to SHA2 of any variant).
– RSA_NOPAD
– RSA_PKCS1 in Cipher.MODE_ENCRYPT and Cipher.MODE_DECRYPT
– RSA_SHA1_PKCS1 in Signature.MODE_SIGN and Signature.MODE_VERIFY
– RSA_SHA256_PKCS1 in Signature.MODE_SIGN and Signature.MODE_VERIFY (depends on supplier if the SHA256 based PKCS1 is supported but I too have a working hand coded variant)
– ECDH_NIST_P_PLAIN with DHC and DH mode (Allows flexibility of hashing of negotiated shared secret after ECDH event)
– ECDH_NIST_P_KDF_SHA1 with DHC and DH mode (Performs mandatory SHA1 of shared secret as the final secret material after ECDH event thus resulting in 20 byte secret material presented without flexibility).
– ECDSA_NIST_P with SHA1, SHA224 and SHA256 hash as typical offering. SHA384 and above hashes are more rare.

“This is a big problem. Typing 2k/4k RSA public keys isn’t practical, and like Bruce, I don’t think the P-curves are trustworthy. But threat models vary and not every nation state has access to the backdoor. Maybe. So it might be useful addition under some threat models. Hopefully Yubico etc. will build devices that use Curve 25519 for signing and key exchange”

Yubico uses NXP JCOP smart cards as it’s heart. The smart card industry are driven by NIST directives. Sadly, non-NISt curves are in high demands but for now the industry is still crapped up. Better to use symmetric crypto (AES) whenever possible.

One good thing is NXP’s JCOP includes it’s proprietary ECC Curve library where anyone signing an NDA with NXP would be able to implement their own ECC curves (including Curve25519) but the side effect is you won’t be able to port the codes to another platform and NDAs are horrible stuff. It will be nice if Yubico can use it’s relationship with NXP to utilize the ECC Curve library NXP supplies to it’s partners to create an open Curve25519 API but so far I have not heard any news of such initiatives yet. They need to be nudged 😀 .

“It is useful but if RxM is compromised, it might be that whatever native software is authenticating e.g. TFC software with the help of smartcard, might give false-positive answer. I think the best use for smart card under the threat model is to protect the keys and prevent impersonation. But again, the pin code needs a secure input channel and I’m not sure the tech exists yet.”

That would require a dedicated MCU if you are worried. More work but also more security. You can get a bunch of buttons, an OLED display and an STM32 to work on but that’s gonna spend a huge amount of time unless you are going to commit to TFC as your main project for many years to come and even spin a marketable variant for the sake of getting some income, you could consider this route.

You won’t need to spend USD$400 on dubious security stuff that you cannot audit and control by yourself. I would advise you to grab some Arduino, mount a OLED display, get a keypad or something to hook to the Arduino and then do some comms between the Arduino built secure PINpad to talk to your RPis. Also the Arduino can be equipped with an ISO7816 card reader module. I was just browsing a while ago and found a smart card module from Adafruit. You can use a USB module on the Arduino for a USB-CCID interface to the smart card as well and that solves the problem of needing dedicated ISO7816 language since there are tonnes of USB-CCID card readers on the market out there.

Links:
– https://www.adafruit.com/products/101

Thoth • October 26, 2016 6:01 AM

@Wondering
You are referring to JackPair (linked below) ?

You do realize that cryptography and personal security / privacy is frowned upon by “The Powers That Be” ?

Security appliances and equipments have a ton of red tapes on them and that includes both import and export control. Possessing security equipment can mean nasty sentences in certain countries like the Middle East, Pakistan, India and so forth ?

Elites of the society cling onto power and these days we live in the world of digital communication which is a double edged sword. These elites of societies would not want to yield power and so by the means of force and resources, they attempt to deny the use by the commoners.

In the digital world, attacks are easier than defense (quote @Bruce Schneier) and so the defenders have to defend all corners while the attackers attack wherever and whenever they want which makes means you have to spread your defenses equally. Unlike physical battlefields where you have weather, terrain, morale of troops … digital resources are abundant and you can simply DDoS someone whenever and wherever they are as an example.

Link: https://www.kickstarter.com/projects/620001568/jackpair-safeguard-your-phone-conversation/updates

Thoth • October 27, 2016 2:19 AM

@Figureitout

re: OCD
Same here. I can’t stand ports that go lose.

re: VGA or DB9
Those are depreciated but they are still used. Have you seen the Safenet HSM ? You will love the looks of the secure PINPad card reader. Uses screw in ports. Tight stuff. Linked below. The nasty thing is it’s heavy and bulky and looks so squarish and uncool looking. Designers need to make these Safenet Luna HSM PINpads more stylish as well as functional, tight and secure. Not to forget, the idea behind the Safenet Luna HSM is to assume hostile environment and uses a lot of military comms equipment and high durability methods to make the HSM extremely durable and resilient from environment and human factors partly because Safenet used to work (and may still be) with NSA to provide their security stuff. One famous relationship results in the famous Clipper Chip that Safenet built for NSA.

I do prefer Thales’ build of their secure PINpad as Thales (well maybe I am bias) makes it more cool and stylish looking but also functional. A nice looking PINpad for smart cards with a USB connection cable. No more loose USB ports but these are under export controls by the way. Nasty paper works.

I almost forget one thing, anything related to security is export locked down in UK and an example is asking @Clive Robinson to send us a PIC chip with his custom coded firmware of DES encryption, @Clive Robinson would need to seek UK Custom’s agreement to release something insecure like a PIC chip with a lousy DES cipher.

re: PIC chips
Note that those USB “secure” sticks are targeted for important appointments from NATO/UK/US Govt usage to diplomatic, healthcare, banks, finance … all the sensitive organs of society. If they were just selling it as personal security, I wouldn’t be all too critical but maybe I would.

How would you protect a NATO or government official with something not even tamper resistant ?

Linked below is NATO’s IA portal classifying the dataShur as it’s deserving UNCLASSIFIED category which means it can only transport unimportant stuff that wouldn’t be vital to NATO/US/UK decision making plans. To reach at least a RESTRICTED category in NATO, a smart card chip needs to be used and even then more stringent handling are required.

If a product is positioned for handling important documents including security classified documents and they label themselves as tamper proofed when they are only tamper evident, it is false marketing practices and companies like these can easily get away with false marketing and we always wondered why security is so laxed in Governments and around the world. The reason is as @ab praeceptis mentioned a few posts before, the result of greedy and dishonest entrepreneurship.

If someone markets a tamper resistant device, they better make sure it lives up to it otherwise when someone really use one of these mislabeled devices for sensitive stuff and gets into trouble, both the user and the seller would be in for serious consequences from legal and non-legal perspective.

The better way that dataShur should promote themselves should be malware resistance instead of tamper proof solution since they are more malware resistant and not even tamper resistant by any means. This would allow users to make better decisions on purchase.

Basically, do not pretend something is tamper resistant when it is only tamper evident just for the sake of marketing and cash. Dishonest business are bad businesses which will cost their unknowing customers not only trust but their lives as well in cases where lives matter (e.g. diplomats, journalists, military personnel, Govt officials …etc…).

Smart card readers are not meant to be secure anyway. The reader in any threat model are always considered compromised and thus any card developer must ensure card to host communication have a layer of logical encryption unless the card reader is provably secure and trusted thus the reason I asked @Markus Ottela to use Arduino to build a secure PINpad for card reading and PIN entry so that it is much more verifiable despite not with the highest security but better than those proprietary stuff out there which are total blackboxes.

Links:
– http://cloudhsm-safenet-docs.s3.amazonaws.com/007-011136-002_lunasa_5-1_webhelp_rev-a/Content/Resources/Images/dock2_connect_ped_600x367.png
– https://www.thales-esecurity.com/products-and-services/products-and-services/hardware-security-modules/general-purpose-hsms/nshield-remote-administration
– https://www.thales-esecurity.com/products-and-services/products-and-services/hardware-security-modules/general-purpose-hsms/~/media/Images/Thales%20e-Security/Global/Products/Remote%20HSM%20NEW/nShieldfrontUSB1JPG.JPG?h=133&w=200
– https://www.ia.nato.int/niapc/Product/iStorage-datAshur_462
– https://www.ia.nato.int/niapc/Product/iStorage-datAshur_462

Thoth • October 27, 2016 10:18 PM

@Clive Robinson
I was planning to talk about this later in the day once I have gathered more information from my sources and friends in the industry but since you posted this agead of me, ai will just be direct that I am getting more worried about NXP if this deal goes through. Reason being now there will be lesser manufacturers of different types of IC chips and we are getting to a point where if his continues, there will be very few chip makers and backdoors becomes easier due to lesser varieties available and my scheme uses varieties of cards and chips as part of it’s security.

Smart cards are still somewhat hard to backdoor even after the merger of NXP and Qualcomm but it moves a step closer theoretically though but not provable as of yet.

As long as there are still varieties and smart card being used as a “commodity security device” of sorts, it is still somewhat hard to implement blanket backdoors without having both technical and practical issues.

There are still chips from Sony (Japan), Samsung (S.K.), Infineon (Germany), ST (France) and other small manufacturers like the Spyrus Rosetta (US), Atmel (US) and so on.

Thoth • October 28, 2016 3:56 AM

@Markus Ottela

“Requiring a password doesn’t prevent decap, but rather expands the scale of required attack.”

Indeed. It is to make someone who have decapped the chip become really frustrated to learn that what they have on hand is mostly useless as well.

“The question is not is it backdoored in advance. It’s, can you use whatever interface RxM would deliver encrypted keys via Arduino to smartcard, to infect the Arduino.”

You need control over the hardware via it’s firmware as the starting point. It acts like a data guard with very small and tight attack surfaces to minimize possibility of infection. Find those kits without any wireless interfaces of any sorts and then move to creating a an open and custom firmware image that makes infection very difficult by having very essential functions and easily inspected.

One example is like having your own ATMega or STM32 and you create a very specific OS to only handle card reading and PIN entry and if a malware tries to attack it has to find a flaw in your restrictive OS image and if you code it very tightly and make the OS very small and easy to debug (~ 2 to 3K LOC of codes), you should be fine.