
Re: [tor-dev] adding smartcard support to Tor



Tamper resistance. And the fact that an attacker with access to the machine running Tor can read your encrypted thumb drive (you need to decrypt it at some point to load the key into the Tor process since the encrypted thumbdrive doesn't run crypto algos internally). A smartcard is a small embedded tamper-resistant _computer_ - you never ask it for the key, you ask it to _decrypt_ something for you or _sign_ something for you, you can never extract the key out of the card.

Razvan

--
Razvan Dragomirescu
Chief Technology Officer
Cayenne Graphics SRL
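
The request/response pattern described in the reply above, sketched at the APDU level for an OpenPGP card. This is an added example, not code from this thread or from OnionBalance. The command bytes follow the OpenPGP card specification; the SHA-256 DigestInfo, the sample PIN and the descriptor bytes are assumptions made for illustration.

```python
import hashlib

# DER prefix of a PKCS#1 v1.5 DigestInfo for SHA-256 (RFC 8017, section 9.2).
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")
OPENPGP_AID = bytes.fromhex("D27600012401")  # OpenPGP card application identifier

def apdu(cla, ins, p1, p2, data=b"", le=None):
    """Encode a short-form ISO 7816-4 command APDU."""
    if len(data) > 255:
        raise ValueError("short APDU carries at most 255 data bytes")
    out = bytes([cla, ins, p1, p2])
    if data:
        out += bytes([len(data)]) + data
    if le is not None:
        out += bytes([le])
    return out

def select_openpgp():
    return apdu(0x00, 0xA4, 0x04, 0x00, OPENPGP_AID, le=0)

def verify_pin(pin, for_signature_key=True):
    # VERIFY: P2=0x81 unlocks the Signature key, P2=0x82 the other two keys.
    return apdu(0x00, 0x20, 0x00, 0x81 if for_signature_key else 0x82,
                pin.encode("ascii"))

def sign_request(message, use_auth_key=False):
    """Build the command asking the card to sign; only a digest is sent."""
    digest_info = SHA256_DIGESTINFO + hashlib.sha256(message).digest()
    if use_auth_key:
        return apdu(0x00, 0x88, 0x00, 0x00, digest_info, le=0)  # INTERNAL AUTHENTICATE
    return apdu(0x00, 0x2A, 0x9E, 0x9A, digest_info, le=0)  # PSO: COMPUTE DIGITAL SIGNATURE

def parse_response(resp):
    """Split a response APDU into (payload, ok); 0x9000 is the success status."""
    if len(resp) < 2:
        raise ValueError("response shorter than status word")
    return resp[:-2], resp[-2:] == b"\x90\x00"

if __name__ == "__main__":
    descriptor = b"constructed sample descriptor bytes"  # constructed input
    for cmd in (select_openpgp(), verify_pin("123456"), sign_request(descriptor)):
        print(cmd.hex())
    # The reply carries a signature (or an error status), never key material.
    print(parse_response(bytes.fromhex("6982")))  # security status not satisfied
```
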


On Sat, Oct 17, 2015 at 9:36 PM, Ken Keys <kenkeys@xxxxxxxxxxx> wrote:
What is the advantage of a smart card over a standard encrypted thumb drive?

On 10/17/2015 11:19 AM, Razvan Dragomirescu wrote:
> Thank you Ivan, I've taken a look but as far as I understand your
> project only signs the HiddenService descriptors from an OpenPGP card.
> It still requires each backend instance to have its own copy of the
> key (where it can be read by an attacker). My goal is to have the HS
> private key exclusively inside the smartcard and only sign/decrypt
> with it when needed but never reveal it. An attacker should not be
> able to steal the key and host his own HS at the same address - the
> address would be effectively tied to the smartcard - whoever owns the
> smartcard can sign HS descriptors and decrypt traffic with it, so he
> or she is the owner of the service.
>
> Best regards,
> Razvan
>
> --
> Razvan Dragomirescu
> Chief Technology Officer
> Cayenne Graphics SRL
>
> On Sat, Oct 17, 2015 at 4:43 AM, Ivan Markin <twim@xxxxxxxxxx> wrote:
>
>    Hello,
>    Razvan Dragomirescu:
>    > I am not sure if this has been discussed before or how hard it would be to
>    > implement, but I'm looking for a way to integrate a smartcard with Tor -
>    > essentially, I want to be able to host hidden service keys on the card. I'm
>    > trying to bind the hidden service to a hardware component (the smartcard)
>    > so that it can be securely hosted in a hostile environment as well as
>    > impossible to clone/move without physical access to the smartcard.
>
>    I'm not sure that this solution is 100% for your purposes. But recently
>    I've added OpenPGP smartcard support to do exactly this into OnionBalance
>    [1]+[2]. What it does is that it just signs a HS descriptor using
>    OpenPGP SC (via 'Signature' or 'Authentication' key). [It's still a
>    pretty dirty hack, there isn't even any exception handling.] You can use
>    it by installing "manager/front" service with your smartcard in it via
>    OnionBalance and balancing to your actual HS. There is no bandwidth
>    limiting (see OnionBalance design). You can set up OB and an actual HS on
>    the same machine for sure.
>
>    > I have Tor running on the USBArmory by InversePath (
>    > http://inversepath.com/usbarmory.html ) and have a microSD form factor card
>    > made by Swissbit (
>    > www.swissbit.com/products/security-products/overwiev/security-products-overview/
>    > ) up and running on it. I am a JavaCard developer myself and I have
>    > developed embedded Linux firmwares before but I have never touched the Tor
>    > source.
>
>    There is a nice JavaC applet by Joeri [3]. It's the same applet that
>    Yubikey is using. You can find a well-written tutorial on producing your
>    OpenPGP card at Subgraph [4].
>
>    >
>    > Is there anyone that is willing to take on a side project doing this? Would
>    > it be just a matter of configuring OpenSSL to use the card (I haven't tried
>    > that yet)?
>
>    I'm not sure that it is worth implementing card support in
>    little-t-tor itself. As I said, all the logic is about HS descriptor
>    signing. Python and other langs that provide readability will provide
>    security then.
>    I think/hope so.
>
>    [1] https://github.com/mark-in/onionbalance
>    [2] https://github.com/mark-in/openpgpycard
>    [3] http://sourceforge.net/projects/javacardopenpgp/
>    [4] https://subgraph.com/sgos/documentation/smartcards/index.en.html
>
>    Hope it helps.
>    --
>    Ivan Markin
>    /"\
>    \ /   ASCII Ribbon Campaign
>     X    against HTML email & Microsoft
>    / \   attachments! http://arc.pasp.de/
>
>
>    _______________________________________________
>    tor-dev mailing list
>    tor-dev@xxxxxxxxxxxxxxxxxxxx
>    https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev