Category Archives: Open Question

Alexander Leidinger » FreeBSD 2012-11-25 07:37:52

The recent security incident triggered a discussion how to secure ssh/gpg keys.

One way I want to focus on here (because it is the way I want to use at home), is to store the keys on a crypto card. I did some research for suitable crypto cards and found one which is called Feitian PKI Smartcard, and one which is called OpenPGP card. The OpenPGP card also exists in a USB version (basically a small version of the card is already integrated into a small USB card reader).

The Feitian card is reported to be able to handle RSA keys upto 2048 bits. They do not seem to handle DSA (or ECDSA) keys. The smartcard quick starter guide they have  (the Tuning smartcard file system part) tells how to change the parameters of the card to store upto 9 keys on it.

The spec of the OpenPGP card tells that it supports RSA keys upto 3072 bits, but there are reports that it is able to handle RSA keys upto 4096 bits (you need to have at least GPG 2.0.18 to handle that big keys on the crypto card). It looks to me like the card is not handle DSA (or ECDSA) cards. There are only slots for upto 3 keys on it.

If I go this way, I would also need a card reader. It seems a class 3 one (hardware PIN pad and display) would be the most “future-proof� way to go ahead. I found a Reiner SCT cyberJack secoder card reader, which is believed to be supported by OpenSC and seems to be a good balance between cost and features of the Reiner SCT card readers.

If anyone reading this can suggest a better crypto card (keys upto 4096 bits, more than 3 slots, and/or DSA/ECDSA  support), or a better card reader, or has any practical experience with any of those components on FreeBSD, please add a comment.

Share

One-Time-Passwords for Horde/IMP?

I search a way to use one-time-passwords for Horde/IMP on FreeBSD. I do not want to use PAM (local users on the machine). Currently I use the authentication via IMAP4 (link between the IMAP4-server and postfix via MySQL, to have the same PW for sending and receiving), and I expect that not all users of Horde/IMP will use OTP if available, so the problem case is not that easy. I can imagine a solution which tries to authenticate via OTP first, and if it succeeds gets a password for the login to the IMAP4 server. If the OTP-auth fails, it could try the entered password for the login to the IMAP4 server. Migrating existing users to a new solution can be done by telling them to enter the password from the machine of the person doing the migration. The solution needs to automatically login to the IMAP4 server, entering a password for the IMAP4 server after the OTP-login to Horde is not an option.

Oh, yes, sending the passwords over SSL is not an option (that is already the only way to login there). The goals are to have

  • an easy to remember password for an OTP app on the mobile to generate the real password
  • the password expire fast, so that a stolen password does not cause much harm
  • not the same login-password for different services (mail-pw != jabber-pw != user-pw)

Share/Bookmark

One-Time-Passwords for XMPP/Jabber?

I search a way to use one-time-passwords for jabber/XMPP (ejabberd) on FreeBSD. I do not want to use PAM (local users on the machine). Currently I use the internal authentication, and I expect that not all users of the jabber server will use OTP if available, so the problem case is not that easy (migrating existing users to a new solution can be done by changing the password myself and then telling them to change their password, but there needs to be a way to let them change the non-OTP password).

I assume that OTP is not foreseen in the XMPP protocol, so where could I ask to have something like that considered as an extension (if such a place exists at all)?

Oh, yes, sending the passwords over SSL is not an option (that is already the only way to login there). The goals are to have

  • an easy to remember password for an OTP app on the mobile to generate the real password
  • the password expire fast, so that a stolen password does not cause much harm
  • not the same login-password for different services (mail-pw != jabber-pw != user-pw)

Share/Bookmark