
lainchan archive - /sec/ - 1660

File: 1475206944303.png (127.72 KB, 300x300, key.png)


this is a $60 HSM that's OpenPGP compatible and works with NFC devices.

You need it.

also PGP/GPG thread. Pic related: device handles encryption, signature, and authentication subkeys. how do you use PGP?


File: 1475207070178.png (4.9 KB, 200x60, Yubico-logo-website.png)


YubiKey devices post Neo are no longer open hardware.


File: 1475247336833.png (842.3 KB, 200x150, JfelRWf.gif)

to clarify, the YubiKey NEO is a two-chip design. There is one “non-secure” USB interface controller and one secure crypto processor, which runs Java Card (JCOP 2.4.2 R1). There is a clear security boundary between these two chips.

The OpenPGP applet for the YubiKey NEO was (and still is) published as open source. have you tried the NEO developer program, where you can do custom applet development and key distribution? otherwise no, firmware is locked on the yubikey by a random key assigned to every yubikey.

if you have an issue with the open hardware, the issue is Common Criteria EAL5+ certification and the NDAs surrounding secure chip manufacturers. No smartcard manufacturer offers open source hardware specifications for the chip.

even the fellowship card has a closed-source chip.


you couldn't re-flash it anyway, so how do you know you're truly running what they say they are?


should buy one, one of these days.

there is also nitrokey if you want the open hardware, haven't decided which one i want yet.


File: 1475428389370.png (2.96 MB, 200x113, 1469741738506.webm)

other things to consider:

the yubikey provides open source OTP that allows you to run your own server.

NEO keys only support 2048 bit keys and hence may only be appropriate for signatures, not necessarily at-rest encryption.

cards are cheap enough that owning 1+ isn't prohibitive.


File: 1476645787228.png (1.4 MB, 200x134, serveimage.jpeg)

>asking here as did not want a new thread...

What is best encryption to use for file transport?
I just lost a 32gb usb key that had fuarrrk knows what on it!!!!
I did not encrypt because i'm a lazy muppet!
Thing is I get files from normal people using Macs PCs and I use linux... is there something i can use to encrypt a key without having to install some software on clients computers? - is the OP's pic the only way to go or is there a software solution? also i use fat32 cus macs/pc/linux read/write.


>What is best encryption to use for file transport?

gpg can do symmetric encryption.

Ideally you'd just put everything in a LUKS container but god knows how a Mac/Windows computer would read that.


Is buying a yubikey 4 for daily use worth it? I'm looking to purchase something similar to this for managing my GPG and SSH keys. I feel as though using a 4096 bit key over a 2048 bit key would be better, however I am worried about the proprietary nature of the firmware.


i have 2!

1 for daily driving, and a backup in case the first one gets lost


There's really no benefit to using RSA 4096 over 2048 even though it's tempting to believe otherwise. And besides, you'll more than likely switch to a different flavor of encryption for GPG keys well before 2048 is considered "deprecated" or "unsafe", etc.[1,2]

[1] https://www.gnupg.org/faq/gnupg-faq.html#no_default_of_rsa4096
[2] https://www.yubico.com/2015/02/big-debate-2048-4096-yubicos-stand/


i know nothing of mac but i know windows asks only to format the USB key if it has a luks volume. otherwise, you cannot use it.


Can someone explain this thing to an idiot like me. It's used for 2 factor auth? so i first enter my password then i use the usb key? Does it work for every site/application or just some?



Thinking about it I may as well use FAT32 and pile everything inside a 7zip encrypted AES 256 file... I think this will cross all 3 platforms without too much fuss and will be secure... shoot me down if this is not a sound idea for file transport.


yeh ok 2GB file limit with FAT32 - means I will have to split files!


File: 1477962806564.png (29.46 KB, 152x200, 1450643336055.jpg)

depends on how you set it up

if you've got pam support, you can use h/otp 2fa to log into your computer, or use the pgp keys and gpg-agent to login as well

alternatively it can just shit out the same 36 character password every time it gets pressed


just having a terminal open and hitting the button on it soykafs out a different 36 char password by default. it's schway. also, checked. quads are schway.

I'm gonna be setting up 2fa on my personal server with SSH stored on the yubikey this week when I'm home. will bump with updates. my server runs ubuntu 14.04.whatever the latest point release is.

Idiots can't understand most things, so there's really no way to "explain something to me like I'm an idiot." Read the wikipedia page on the standards involved, and if you don't understand something, read the linked wikipedia page. BFS is guaranteed to terminate, so you'll learn eventually.


>you need it

If you haven't noticed by now, PGP will never catch on.


>Jaba Gard


What do you mean it will never catch on? PGP has already caught on amongst the people who need to use it; in fact, I'd estimate it to be overwhelmingly the most used program for message encryption and data verification.


Just read this article: http://arstechnica.com/security/2016/12/op-ed-im-giving-up-on-pgp/?comments=1

Maybe because I didn't do so much work with my keys I don't feel as bad about getting them compromised. I would just revoke my keys, create new ones and meet up with the people that would sign my keys.


I thought it was 4GB


It seems like a lot of security people are giving up on PGP recently, for example the article linked here >>2865 . Apparently they're opting for Signal and similar apps.

Does anyone else think this is really shortsighted? Especially the fact that you need a phone number to identify yourself to other contacts. While that's fine or even optimal for IRL contacts, it's a severe violation of privacy for a lot of people. I'm not trading my phone number with some anon on the web because he refuses to use PGP.

I'm not a security guy and I only understand the basic and obvious things like using HTTPS, not identifying yourself or running javascript when using Tor, putting up a firewall on my VPS, that sort of stuff. But this just seems ridiculous to me.


To add to my point, the article here:

His best point IMO is that companies like Signal and WhatsApp are vulnerable to coercion from authorities and also to losing to their competition. Email isn't affected by the market, and it's harder to subvert an open standard like PGP.



Great article. The author makes a lot of excellent points, especially regarding researchers who bitch about purported PGP problems that are actually email problems.


I used to work with people who needed to use pgp. I could never explain it to them in a way they could understand. These same people were non-technical activists who were able to learn Aircrack well enough to email me (pgp encrypted too) asking advanced questions after I had shown them the basics.

pgp is a soykaf.

>Does anyone else think this is really shortsighted? Especially the fact that you need a phone number to identify yourself to other contacts. While that's fine or even optimal for IRL contacts, it's a severe violation of privacy for a lot of people. I'm not trading my phone number with some anon on the web because he refuses to use PGP.

two things:

1.) The next billion Internet users do not have an email address, but they have a phone number, because they access the Internet on their mobile devices only. Sad but real. Phones are prole. Laptops aren't anymore.

2.) If you're l33t you can set up signal with google voice and just use an anonymous google voice account (piss and moan about ~g00gle botnet~ but if you're really l33t it shouldn't matter).


> pgp is a soykaf
you're right, and this is a significant problem. Non-techy activists shouldn't just use PGP without help simply because it's difficult -- they should use something easier but that's therefore less likely to compromise them. Tox was very close to getting this right.

But as a guaranteed method of communicating with forward secrecy, that doesn't rely on the product of a single company, that's well known and supported, what's the alternative?

> The next billion internet users do not have an email address

This is partially true, but not completely. I'd say that the overwhelming majority of college campuses require that their students use email; and email is still the most common method I've seen to register and auth yourself for online services.

> anonymous google voice account

It's not truly anonymous right? Is it possible to properly register for a google voice account over tor? Doesn't it require compromising cookies or some soykaf to auth yourself?
I'm not >l33t so I'd be interested to know.


I have a Pentium 4 rig, soon to be airgapped and maybe even deblobbed



File: 1487438195060.png (13.99 KB, 200x161, concern.jpg)

doesn't support pgp yet, has a lot of weird comparisons between yubikey that might not be true. seems like the developer himself is still learning HSM PGP.


I know the FSF sells a TRNG that can be used to make strong passwords. I kinda want it, but not sure what I'd do with it beyond using it for gpg stuff occasionally.


i bought one! it's actually two, one is usb, the other is mmc. they're noisy, so you hear them on your soundcard of course. the product is the FST-01 (flying stone 01)

check out what you can do with a DTV receiver:

also fst01 for the thread:


>The next billion Internet users do not have an email address
I see what you're saying, about phones being ubiquitous, BUT: the next billion internet users WILL have at least one GMail address apiece.


So what is the preferred way to use a Yubikey to store PGP keys?


> The next billion Internet users do not have an email address, but they have a phone number, because they access the Internet on their mobile devices only

So you don't need email to register for the usual internet nonsense like FB anymore? I guess if you can register on FB with only a phone number you register with everything after that with your FB. Yes, I am this far out of touch with normal people.


>You need it.
fuarrrk off wage slave. I don't need a stick that puts my infosec into the field of physical sec, which I know nearly nothing about.