Re: Yubikey announces v4 with PKCS#11 smart card features

On Tue, Nov 24, 2015 at 1:19 PM, Erik Anderson <eanders@pobox.com> wrote:

>>> Speaking as someone who works in the "financial industry" who also
>>> attended the W3C's WebCrypto Next Steps workshop, PKCS#11 has a
>>> design which is hostile to usage in browsers, particularly around
>>> providing a meaningful user experience and easy-to-understand
>>> interaction flows for user consent.
>
> Yubikey only exposes the PKCS#11 to the soft card module/PIV Applet, not
> to the browser JavaScript.

However, U2F's origin-bound certificates are exposed to the browser,
because they are designed for use in a browser, and can be used to sign
documents, credentials, or what have you with JavaScript (with cryptography
performed on a hardware token and authenticated by whatever UI the hardware
device provides).

> Public/Private keys isn't the right answer. You might want to take a look at
>
> 1) 2013 President Obama tells the world the US Government must stop
> sabotaging public cryptography. NSA has been sabotaging the general public
> cryptography for decades.
>   page 22 of
> https://www.whitehouse.gov/sites/default/files/docs/2013-12-12_rg_final_report.pdf
> 2) August 2015 - NSA tells the world don't trust the security Bitcoin was
> built on. ECC (Elliptical Curve Cryptography) is very susceptible to
> quantum computing attacks.
>   - https://www.nsa.gov/ia/programs/suiteb_cryptography/
>   - ECC vulnerabilities  https://eprint.iacr.org/2015/1018.pdf   (Pay
> particular interest to this one)
>
> We need to move away from using public/private keys as the form of
> identity. It's definitely not a credential that's bound to the individual.

Your argument is "public key cryptography doesn't work"?

#2 in particular is complete FUD. The NSA's actual recommendations were to
move away from a 128-bit security level and had nothing specific to say
about ECC that they didn't say about symmetric ciphers and hash functions.
Koblitz published a paper around the same time talking about attacks on
"verifiably random" elliptic curves such as the NIST curves and Brainpool;
however, he specifically calls out the process used for next generation
elliptic curves by the IRTF's CFRG as being a way to solve attacks on weak
curves (by explicitly selecting strong curves). Matt Green also had a blog
post speculating the NSA may have broken ECDLP somehow, but it's little
more than a guess on his part.

Don't get me wrong, I love using symmetric cryptography as much as
possible, but for problems like TLS token/channel binding public key
cryptography is the only solution, because that's what TLS uses to
authenticate principals in a key exchange.

In the meantime, until someone builds a large quantum computer or makes some
mathematical breakthrough, algorithms like RSA (using proper public
exponents, padding, etc.) and ECC (using modern elliptic curves like the
CFRG curves) are fine and the only option for authenticating peers with TLS.

The past problems with public key cryptography have been with things like
cross-origin certificates and the <keygen> tag. These things were
ill-specified and not well designed for the browser ecosystem, and
therefore did not work well in a browser environment (just like PKCS#11).
These problems are remedied by the origin-bound certificates supported by
token binding as described on http://www.browserauth.net/

-- 
Tony Arcieri

Received on Tuesday, 24 November 2015 22:16:51 UTC
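What "origin-bound" means in practice for the U2F signing Tony mentions, as an added example that is not part of this thread nor code from Yubico or the FIDO project: a Go sketch of a U2F-style authenticator that holds one P-256 key per origin and signs the U2F authentication message layout (sha256(origin) || user-presence || counter || sha256(challenge)), next to the relying party's verification. The per-origin key map, the origins and the challenge string are constructed assumptions; a real token derives its key from a key handle rather than a map lookup.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Token models a U2F-style authenticator with one key pair per origin (assumed simplification).
type Token struct {
	keys    map[string]*ecdsa.PrivateKey
	counter uint32
}
// Register mints a key pair bound to one origin; the site keeps the public key.
func (t *Token) Register(origin string) *ecdsa.PublicKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { panic(err) }
	if t.keys == nil { t.keys = map[string]*ecdsa.PrivateKey{} }
	t.keys[origin] = k
	return &k.PublicKey
}
// signedData follows the U2F authentication message layout:
// sha256(origin) || user-presence(1) || counter(4, big-endian) || sha256(challenge)
func signedData(origin string, counter uint32, challenge []byte) []byte {
	app, chal := sha256.Sum256([]byte(origin)), sha256.Sum256(challenge)
	msg := append(app[:], 0x01, byte(counter>>24), byte(counter>>16), byte(counter>>8), byte(counter))
	return append(msg, chal[:]...)
}
// Sign answers a challenge with the key bound to the origin the browser reports; an unknown origin gets nothing.
func (t *Token) Sign(origin string, challenge []byte) (uint32, []byte, bool) {
	k, ok := t.keys[origin]
	if !ok { return 0, nil, false }
	t.counter++
	h := sha256.Sum256(signedData(origin, t.counter, challenge))
	sig, err := ecdsa.SignASN1(rand.Reader, k, h[:])
	return t.counter, sig, err == nil
}
// Verify is the site's check: the signature must cover its own origin and challenge, so it cannot be replayed elsewhere.
func Verify(pub *ecdsa.PublicKey, origin string, counter uint32, challenge, sig []byte) bool {
	h := sha256.Sum256(signedData(origin, counter, challenge))
	return ecdsa.VerifyASN1(pub, h[:], sig)
}
func main() {
	var tok Token
	pub, chal := tok.Register("https://bank.example"), []byte("constructed-challenge")
	ctr, sig, _ := tok.Sign("https://bank.example", chal)
	fmt.Println(Verify(pub, "https://bank.example", ctr, chal, sig), Verify(pub, "https://phish.example", ctr, chal, sig))
}
```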