tag:blogger.com,1999:blog-8400370148915075091.post2270419271731717808..comments2023-12-12T18:59:45.550+01:00Comments on Security Nirvana: Securing your passw^H^H^H^Hgp private keysecuritynirvanahttp://www.blogger.com/profile/11264687350187854173noreply@blogger.comBlogger4125tag:blogger.com,1999:blog-8400370148915075091.post-42821179989722515692012-01-13T13:32:25.952+01:002012-01-13T13:32:25.952+01:00finaly someone explains this! thanks for posting, ...finaly someone explains this! thanks for posting, ive looked everywhere for a good explanationdigital signature FAQhttp://www.arx.comnoreply@blogger.comtag:blogger.com,1999:blog-8400370148915075091.post-61284168173573038442011-09-23T11:59:20.609+02:002011-09-23T11:59:20.609+02:00Good postGood postAnonymousnoreply@blogger.comtag:blogger.com,1999:blog-8400370148915075091.post-47799905263472540852011-07-09T23:25:24.812+02:002011-07-09T23:25:24.812+02:00When your comment is longer than my blog post, it ...When your comment is longer than my blog post, it probably should have been written as a stand-alone blog post at your own blog James! :-)<br /><br />Anyway; you misunderstood or I didn't explain well enough: there is a Norwegian law for digital certificates. The #BankID system (www.bankid.no) are public/private keys generated for you, you get to set a password for it. The commercial company on behalf of banks and others will keep your keypair (they won't give it to you!), and whenever you use it at some site that uses BankID for authentication, digital signing etc, you enter your OTP (usually through hardware or on paper/plastic) and your personal password.<br /><br />Use whatever-translation-service and look at www.bankid.no. Not that much info available I'm afraid.securitynirvanahttps://www.blogger.com/profile/11264687350187854173noreply@blogger.comtag:blogger.com,1999:blog-8400370148915075091.post-35334421420739516552011-07-09T22:30:24.102+02:002011-07-09T22:30:24.102+02:00I think GPG passwords are likely to be of higher q...I think GPG passwords are likely to be of higher quality than a run of the mill password. Though, for the most part the people that are actively using GPG generally already have better baseline standards for even run of the mill passwords, except for the people that have their private key on google.<br /><br />For physical key security it would be great to have something like the YubiHSM for gpg. (Two factor GPG authentication with Yubikey maybe?) For the current time I keep my key on a usb thumb drive that contains it in an encrypted file system using cryptsetup/LUKS. (This format, software, etc. are 100% open source and even have a windows implementation but wouldn't recommend using windows for something like your GPG private key.) Additionally, I keep a backup in an encrypted container at home and an offsite backup of that encrypted container which has a 3rd layer of encryption.<br /><br />Any active use of my key falls under my standard policy for my home directories that are encrypted containers: wipe key from memory for anything more than a bathroom trip at the office. I don't suspend/hibernate my laptop, when I am finished using it then it either gets powered off or the home directory container is closed (if leaving it running at home.) Leaving for work means closing my home directory container for my workstation at home and I unlock my home directory container when I arrive at work. For an added bonus swap gets a new key at every system boot. <br /><br />Newer versions of cryptsetup/LUKS have a very useful option: luksSuspend and luksResume. These actually allow you to close the container and securely wipe the key from memory *without* having to close all your apps but I have not had the time to explore them enough to switch my current policy. This option also should allow being able to change to a fixed key for swap and do a hibernate or suspend that wipes the keys from ram prior to dumping the hibernate file and then prompts for unlocking the key on resume. I guess I need to add encrypted disk usage to my things to blog about list and will stop hijacking your blog and my response now ;)<br /><br />I would suspect that once people have made their awesome password that they are even less likely to change it than other passwords. I doubt most people even change passwords unless required to. I also doubt most gpg users actually do a proper keyspace and entropy calculation on the password they create.<br /><br />As a related aside I did a search for "BEGIN RSA PRIVATE KEY" filetype:pem and that looks to be an area for further study. The format is anything from SSL certs to ssh keys to a lot of other things. Older ssh versions store the private key (id_rsa/id_dsa default names) using 3DES (112-bit effective security) and the new versions use AES. I already planned to do a blog post on ssh re-keying to get people to stop having default 1024-bit DSA or RSA keys that are years old and in some cases not that old. Also, I'm going to write about re-keying in the sense of moving off of the 3DES construction for the private keys.<br /><br />Norwegian law when it comes to banking, certs/private keys, phone registration, etc. is just plain weird to me. So your bank generates some SSL style certificate pair for you and you get to put a password on the private key but you never get your private key? Are there write ups about this technology in English and/or google translate at least gives me some clues?James Nobishttps://www.blogger.com/profile/11994803884031686939noreply@blogger.com