Boston Linux & UNIX was originally founded in 1994 as part of The Boston Computer Society. We meet on the third Wednesday of each month at the Massachusetts Institute of Technology, in Building E51.

BLU Discuss list archive


[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Discuss] Sharing gnupg keyring among computers



On 9/25/2017 3:57 PM, Chuck Anderson wrote:
> YubiKey isn't simply a writable USB mass storage device.  It is
> purpose-designed to store secrets securely.  They also make a NFC
> version.

It's purpose-designed to store secrets separately from the computers
using them except for when they are being used. It's an important
distinction. The secrets stored on a YubiKey can be extracted verbatim
by any program on a computer with a YubiKey plugged into it.

Regardless, the fact that they are writable makes them a potential
vehicle for distributing malware. Which to me means that the only places
I will use USB fobs like this is on computers owned by the fob issuers
for the purpose of issuer-related tasks which require the fobs.

Because...

> If you don't trust the computer you are typing into, they none of 
> what we are discussing can help.

More generally:

If the computer is not compromised then the YubiKey adds nothing to the
security of the system. It just makes the system more inconvenient to
use. If the computer is compromised then the bad actor can pull the keys
out of memory after they're loaded from the YubiKey. Either way the
YubiKey provides no practical security in this regard. GnuPG version 2
itself does things to make extracting keys from RAM difficult but
difficult != impossible.

NB: this is using a YubiKey as an OpenPGP smartcard. Using a YubiKey as
part of an n-factor or n-step authentication system is a different
kettle of fish.

-- 
Rich P.



BLU is a member of BostonUserGroups
BLU is a member of BostonUserGroups
We also thank MIT for the use of their facilities.

Valid HTML 4.01! Valid CSS!



Boston Linux & Unix / webmaster@blu.org