Awesome!Why support RSA if the YubiKey will do P-256? Likewise, I don't feel the need to support P-384.
I just question whether there might be situations where a user is required to use one of the other algorithms? I notice that NSA's Commercial National Security Algorithm Suite specifically requires 3072-bit RSA or P-384 (the now-historic Suite B is what the YubiKey's current PIV algorithms correspond to), so supporting P-384 might be beneficial to adoption.
I'm also going to add a tag to the key stub which is the first 32 bytes of the SHA-2 hash of the age-serialized pubkey. The intent of this is to enable rage to detect if the key in a slot has changed and give a useful error message, while being resilient against certificate expiry and reissuance.
2019-12-02 06:16 GMT-05:00 Jack Grigg <m...@jackgrigg.com>:I just question whether there might be situations where a user is required to use one of the other algorithms? I notice that NSA's Commercial National Security Algorithm Suite specifically requires 3072-bit RSA or P-384 (the now-historic Suite B is what the YubiKey's current PIV algorithms correspond to), so supporting P-384 might be beneficial to adoption.We already dropped the AEAD marker, and use ChaCha20, so FIPS compliance is not happening in the first iteration. If people make a lot of noise about it, we can always add modes, but not remove them.
Wondering if we should call the recipient just "yubikey" or "yubikey-p256" at this point. Since it's always going to be the default, even if we add variants down the road, I'm thinking the former.
2019-12-02 06:50 GMT-05:00 Jack Grigg <m...@jackgrigg.com>:I'm also going to add a tag to the key stub which is the first 32 bytes of the SHA-2 hash of the age-serialized pubkey. The intent of this is to enable rage to detect if the key in a slot has changed and give a useful error message, while being resilient against certificate expiry and reissuance.That's a good idea. It can probably be just the first 4 bytes. (Did you mean first 32 bits?)
Can we just make the keys not expire at all?
Now, should we add the tag to the recipient too?
2019-12-02 06:50 GMT-05:00 Jack Grigg <m...@jackgrigg.com>:I'm also going to add a tag to the key stub which is the first 32 bytes of the SHA-2 hash of the age-serialized pubkey. The intent of this is to enable rage to detect if the key in a slot has changed and give a useful error message, while being resilient against certificate expiry and reissuance.That's a good idea. It can probably be just the first 4 bytes. (Did you mean first 32 bits?)Yes, that is indeed what I meant šCan we just make the keys not expire at all?The way it works is that you generate a key, and then create a self-signed certificate for the key and import it. So we can define whatever expressible policy we want on certificates we generate ourselves.Users could also use an existing compatible-algorithm certificate in an existing slot, and the Yubico tools don't let you set no expiry AFAICT, so there might be some that still expire. We can't prevent this, but we could inhibit it by e.g. requiring the Subject Name to contain some age-specific magic?
Now, should we add the tag to the recipient too?I'm inclined to say yes, if we draw comparison to why the tag is present for SSH recipients (there may be recipients for which the key is encrypted). The logic would be that we don't want to be asking the user to enter their YubiKey PIN for every single registered slot and key if they aren't going to be a match. But this does prevent recipient privacy, allowing tracking of recipients across multiple encrypted messages. So... Hmm...
Note that when generating keys, we also get to set the PIN and touch policies (which are set on private key generation and cannot be changed) to some combination of "Never", "Once per USB session / One touch per 15 seconds" and "Every decryption".
I might be wrong, but I expect YK encryption to be more of a local thing, for pass or backups, than a send-over-the-Internet thing. Let's add the tag and see if anyone complains.
Note that when generating keys, we also get to set the PIN and touch policies (which are set on private key generation and cannot be changed) to some combination of "Never", "Once per USB session / One touch per 15 seconds" and "Every decryption".Cool! We need to get the age-keygen CLI right for this, but I'm very very excited about making touch policies more widely available. I am thinking the default should be a PIN of once per session (if set), and a touch policy of every decryption.
One cryptography question: is there anything we can do to make the P-256 E-S ECDH footgun safer? We should at least enumerate what the [r]age software should do to protect the private key implementation. (On curve checks for sure, is there a way to check the correctness of the operation?)
One thing I've discovered: when generating EC keys, the YubiKey returns the pubkeys in their uncompressed encoding (65 bytes for P-256). Additionally, the ring crate I'm using for key agreement requires pubkeys in uncompressed form. For now, my PR uses uncompressed encodings, as I'll need to implement conversion between compressed and uncompressed encodings manually.
One cryptography question: is there anything we can do to make the P-256 E-S ECDH footgun safer? We should at least enumerate what the [r]age software should do to protect the private key implementation. (On curve checks for sure, is there a way to check the correctness of the operation?)Do we know what protections the YubiKey itself implements internally? Ideally it already verifies that the provided public key is on the curve, and is not the point at infinity.
On Mon, Dec 2, 2019 at 8:04 PM Jack Grigg <m...@jackgrigg.com> wrote:One thing I've discovered: when generating EC keys, the YubiKey returns the pubkeys in their uncompressed encoding (65 bytes for P-256). Additionally, the ring crate I'm using for key agreement requires pubkeys in uncompressed form. For now, my PR uses uncompressed encodings, as I'll need to implement conversion between compressed and uncompressed encodings manually.Would love to find somewhere for you to upstream NIST p-curve point compression, if you're interested in implementing it!
One cryptography question: is there anything we can do to make the P-256 E-S ECDH footgun safer? We should at least enumerate what the [r]age software should do to protect the private key implementation. (On curve checks for sure, is there a way to check the correctness of the operation?)Do we know what protections the YubiKey itself implements internally? Ideally it already verifies that the provided public key is on the curve, and is not the point at infinity.I haven't looked into what it offers in hardware... is it a raw ECDH function?If so, it seems like it'd be nice to subject the incoming elliptic curve point to a battery of tests to avoid invalid curve / point attacks.
Why did TLS settle on uncompressed points again? (As opposed to compressed ones, not to negotiation, of course.)
AFAIK: point compression patentsĀThat's weird for TLS 1.3, becauseĀ US 6,252,960 expired in 2018 andĀ US 6,141,420 in 2014
Hi all,Awesome to see work towards hardware-backed keys!I'm not so thrilled that everything is branded as "Yubikey", when actually:- the underlying standard is PIV- Yubikey is the carrier medium- Tony's yubikey-piv is the nice API to itAdmittedly, I'm biased, as I'm working towards a- fully open-source PIV-compatible firmware in Rust,- for my company SoloKey's open-source hardware keys- with eventual client APIs for Rust and Go- and, as main distinguishing feature, 25519 support from the start (as PIV protocol extension)
Therefore, I would love to see- the roles of PIV, P256 and Yubikeys disentangled in this pull request
- extendability for keys with support for more algorithms in mind
For instance, in my case I'd assume I can get by with the normal X25519 recipient line.Here, I'd expect a very similar P256 recipient line.
Whether the recipient has the key stored on a drive or on a key is their private matter,and I'd expect a flag that is passed to `age` on the command line to specify where the key is.