
List:       qubes-users
Subject:    Re: [qubes-users] Luks with yubikey + aem
From:       Joe <Joeviocoe () hotmail ! com>
Date:       2018-08-28 17:41:49
Message-ID: 54516264-ed1a-412a-b22f-2d8cb9554609 () googlegroups ! com


On Sunday, 17 January 2016 10:51:28 UTC-5, Marek Marczykowski-Górecki  wrote:
> 
> On Thu, Jan 07, 2016 at 01:25:10PM +0000, Rusty Bird wrote:
> > Rusty Bird:
> > > - To protect the LUKS key with "something you have" -- the AEM
> > > stick -- we could add a secret.luks.encrypted file, which holds the
> > > actual LUKS passphrase (not usually typed in during boot, only when
> > > unsealing fails due to upgrades), symmetrically encrypted with
> > > another passphrase.
> > 
> > Ugh, this doesn't prevent a multi-stage attack:
> > 
> > 1. the attacker visually captures the disk passphrase during a
> > successful boot
> > 2. later, they take a copy of the encrypted disk and infect the system
> > 3. later, the user attaches the AEM stick and boots; the infected
> > system copies secret.luks.encrypted.sealed somewhere -- cue scary
> > music as STATEFULNESS reveals itself from the shadows yet again; now
> > the user notices the failed unseal
> 
> And this is great thing about YubiKey - you can't easily copy it.
> Otherwise yes, AEM stick could be "something you have" factor (not sure
> if exactly the way you've proposed, but something like this). 
> 
> > 4. the attacker quickly gets to the infected notebook; then reverts it
> > to the original state, and unseals + decrypts the LUKS passphrase
> > 
> > Portable Qubes installations limit the attacker to copying only a
> > couple of megabytes of the encrypted disk data during (3), instead of
> > taking a complete copy during (2); they also make the infection harder.
> > 
> > Or secret.luks.encrypted.sealed could be on a second-stage AEM stick,
> > which the user should connect *after* verifying the OTP... :\
> > 
> > > - To protect the secret from visibility, we could plug in Matthew 
> > > Garrett's TOTP concept via a secret.totp file containing the seed.
> > > And then add a non-default GRUB boot entry to unseal the regular
> > > static secret.{txt,png}, in case the user doesn't have their
> > > authenticator device with them.
> > 
> > The mobile device's TOTP generator would have to be working in a sort
> > of verifier (not prover) mode, simultaneously displaying OTPs for a
> > couple of preceding and following 30-second time steps. Is there
> > anything like that for Android?
> 
> I don't think so...
> 
> - -- 
> Best Regards,
> Marek Marczykowski-Górecki
> Invisible Things Lab
> A: Because it messes up the order in which people normally read text.
> Q: Why is top-posting such a bad thing?

Any further discussion or thought about this?
I want to use AEM, but I am currently using yubikey Chal/Resp for LUKS at boot time
(https://github.com/the2nd/ykluks). I am sure installing AEM would conflict in some
way.

I would like AEM and ykluks to work simultaneously if possible... or if AEM can use
the yubikey instead of a USB drive, and still be used as 2nd factor to decrypt the
multiple LUKS devices.
