BlackBox (Security) Archiv
๐Ÿ‘‰๐Ÿผ Latest viruses and malware threats
๐Ÿ‘‰๐Ÿผ Latest patches, tips and tricks
๐Ÿ‘‰๐Ÿผ Threats to security/privacy/democracy on the Internet

๐Ÿ‘‰๐Ÿผ Find us on Matrix: https://matrix.to/#/!wNywwUkYshTVAFCAzw:matrix.org
📺 Unboxing Social Data Algorithms - #facebook #tracking #exposed

Today I want to talk about a project named ALEX, which is the acronym for Algorithm Exposed, and one of its first outputs: a tool for scientific analysis of the social network personalisation algorithm, that we call fbtrex, Facebook-tracking-exposed. It works by collecting what Facebook sends to you, as your timeline. Because it is personalised, it can be obtained as evidence and used to understand the algorithm logic.

📺 Claudio Agosti @ transmediale 2019b #video #podcast
https://2019.transmediale.de/content/affects-ex-machina-unboxing-social-data-algorithms

📡@cRyPtHoN_INFOSEC_DE
📡@cRyPtHoN_INFOSEC_EN
📡@cRyPtHoN_INFOSEC_ES
📡@FLOSSb0xIN
Freedom on the Net 2018
The Rise of Digital Authoritarianism

This booklet is a summary of findings for the 2018 edition of Freedom on the Net. Narrative reports of the 65 countries assessed in this year’s study and a full list of contributors can be found on our website at www.freedomonthenet.org

https://freedomhouse.org/sites/default/files/FOTN_2018_Final%20Booklet_11_1_2018.pdf

#thinkabout
📺 Error 451: Unavailable for legal reasons - Now in the livestream - Gulaschprogrammiernacht 19

The GPN is a congress organised by Entropia e. V. – Chaos Computer Club (CCC), which sees itself as a hack event focused on programming, tinkering and creative work. While the conference participants work on their projects and exchange ideas, interested guests can learn about them in a relaxed atmosphere and attend the talks. The focus is on IT/technology, but other topics such as society, art or philosophy are also addressed. The name says it all: goulash is served in large quantities.

📺 Error 451 #CCC #Video #Livestream

https://streaming.media.ccc.de/gpn19/medientheater

📺 The Dark History of the Minimum Wage

There’s something strange about the idea of a minimum wage. It’s one of those subjects that everyone has a strong opinion about, even if they have no idea what makes actual economic sense. But perhaps the most surprising thing of all is that the minimum wage has a dirty secret that most economists don’t want you to know about. Today we explore The Dark History of the Minimum Wage.

📺 https://www.corbettreport.com/the-dark-history-of-the-minimum-wage/
#corbettreport #why #video #podcast

Two keys for all eventualities - Nitrokey (Part1)

1. Increased security requirements

The protection of digital identity is more important today than ever. Online accounts can cause considerable damage if they are stolen and fall into the wrong hands. At the same time, the number of data breaches is rising steadily - hardly a week goes by without at least one database of stolen accounts (user name and password) appearing somewhere on the Internet. In the worst case, the provider concerned did not protect the user passwords at all, or protected them only inadequately with a (cryptographic) hash function that is considered insecure.

Too often secret information falls into the wrong hands and the checking system cannot recognize whether Hildegard Müller is actually Hildegard Müller or whether her account data is being misused by a third party. A remedy against account misuse is to check additional properties or information via two-factor authentication (2FA), which can also be implemented with so-called security tokens.

Security tokens or USB security sticks (security keys), however, offer other functions in addition to 2FA that can contribute to increasing (personal) security. Among other things, the private key for e-mail or hard disk encryption can be securely stored on the stick. Such and other application scenarios are presented in the article series "Nitrokey" using the Nitrokey as an example.

2. Nitrokey

Nitrokey is an open-source USB stick that enables secure encryption and signing of data, among other things. Depending on the Nitrokey version, such a USB stick supports different application scenarios:

๐Ÿ‘‰๐Ÿผ S/MIME email and disk encryption (X.509, PKCS#11)
๐Ÿ‘‰๐Ÿผ OpenPGP/GnuPG Email Encryption
๐Ÿ‘‰๐Ÿผ Login or authentication via two-factor authentication
๐Ÿ‘‰๐Ÿผ One-Time-Password (English)
๐Ÿ‘‰๐Ÿผ Universal Second Factor (U2F) via FIDO-Standard
๐Ÿ‘‰๐Ÿผ Integrated password manager
๐Ÿ‘‰๐Ÿผ Encrypted storage space on the USB stick (+Hidden Volumes)
๐Ÿ‘‰๐Ÿผ Possibility to update the firmware

The Nitrokey variants also differed in the supported cryptosystems, key lengths and Co..:

๐Ÿ‘‰๐Ÿผ
RSA key lengths from 1024 - 4096 bits
๐Ÿ‘‰๐Ÿผ ECC key length from 192 - 521 bit
๐Ÿ‘‰๐Ÿผ Number of key pairs that can be stored on the stick 3 / 38
๐Ÿ‘‰๐Ÿผ Elliptical curve algorithms NIST P, Brainpool, Curve25519 and SECG/Koblitz

โš ๏ธ Advice:
Only the Nitrokey Start controls the elliptical curve Curve25519, which is one of the SaveCurves - the only curve where the choice of curve is completely transparent and therefore back doors can practically be excluded.

The purpose of such a nitrokey is, apart from the 2FA, the secure storage of the secret or private (RSA) key. This is protected against loss or theft by a tamper-proof smartcard (+user pin). In practice, this means that the private key does not leave the secure environment and all crypto operations (encryption, decryption, authentication, etc.) using the private key are performed on the smart card or stick. Ideally, the private key cannot be read by malware and can even withstand physical attacks.

Both hardware and software of the Nitrokey are open source. The keys are supported by Windows, Linux and macOS.

2.1 Nitrokey Storage 2 and Nitrokey FIDO U2F

For this article series I use two keys:

👉🏼 Nitrokey Storage 2 (16 GB)
👉🏼 Nitrokey FIDO U2F

Why two keys? Because so far only the Nitrokey FIDO U2F supports 2FA via FIDO U2F, which I would like to introduce in the article series as well. For most users a combination of Nitrokey Pro 2 and Nitrokey FIDO U2F will be sufficient. In case of doubt you should check again which application scenarios are suitable for you and then purchase the appropriate key(s).

2.2 YubiKey vs. Nitrokey

Nitrokey is based in Berlin, Germany. YubiKey was originally founded in Sweden in 2007 and is now based in Silicon Valley, USA. Unlike the Nitrokey, the hardware of the YubiKey is not open source. This does not mean per se that YubiKeys are generally insecure or not trustworthy, but it does mean:

👉🏼 no independent check of the source code / implementation possible
👉🏼 thus only limited possibility to check for back doors or security gaps

According to my understanding of IT security, I would not entrust highly sensitive information such as the private, secret (RSA) key to any proprietary hardware if possible - if alternatives are available. And these are available, because the Nitrokey is based on open source software and hardware. The YubiKey's advantages include its lower purchase price and the ability to communicate wirelessly via NFC. However, when it comes to security issues and the relatively small price differences, the cost argument should not play a serious role. The possibility to communicate via NFC may be practical, but personally I see it as a possible attack vector.

If one compares the websites of both providers with Webbkoll, the following picture emerges:

👉🏼 YubiKey website: 11 cookies, 37 external requests to 21 different third-party sources
  👉🏼 Google Doubleclick (advertising)
  👉🏼 Google Analytics (tracking)
  👉🏼 Hotjar (analytics)
  👉🏼 Google Fonts (fonts)
  👉🏼 ...

👉🏼 Nitrokey website: 3 cookies, 1 request to a third-party source
  👉🏼 Bootstrap (font)

If someone advertises a service or product in the area of IT security / data protection / privacy etc., but already makes a mess of its own website as YubiKey does, then this does not leave a good impression. The people responsible do not seem to be aware of the risks for the security and privacy of a visitor that can come with the integration of externally hosted content such as JavaScript code. I would even go so far as to say that there is simply a lack of competence and awareness here. The external image of the company is of course only one thing and ultimately this does not have to have a negative effect on the YubiKeys themselves. However, the external image is also a kind of business card and YubiKey doesn't look good here.

Ultimately, of course, everyone has to decide for themselves which manufacturer they trust and which application scenarios should be implemented in practice. Personally, I have opted for Nitrokey's open source solution, which I have been using for years.

E-mail encryption:
Using OpenPGP/GnuPG, it is possible to encrypt or sign e-mails. For this purpose, an RSA key pair (4096 bit) is created and the advantages and disadvantages of key generation directly on the Nitrokey are also discussed. The Nitrokey is then integrated into the Thunderbird e-mail client.

OpenSSH public key authentication:
The newly created RSA key pair can also be used for authentication for SSH access to a root server. The public part of the keys is stored on the server and both client and server are configured.

Secure web login via two-factor authentication (2FA):
Authentication on web pages / services is possible via an additional factor using various procedures. Common are one-time passwords (OTP / TOTP) and FIDO U2F. The website USB-Dongle-Auth lists services that support OTP, FIDO U2F or new methods like FIDO2. I will present OTP and FIDO U2F as part of the article series.

Android connection:
The Nitrokey can also be used in combination with an Android smartphone. This requires a USB OTG enabled Android device and a USB OTG cable to connect the Nitrokey to the device. For this scenario I have purchased a USB OTG cable for my Android test device and will demonstrate how email encryption using OpenPGP/GnuPG is done using OpenKeychain and K-9 Mail - the private key should never be placed in the context of the insecure smartphone environment.

โš ๏ธ Advice:
Maybe I will present further application scenarios (hardware-encrypted mass storage, password manager). At the moment the four mentioned scenarios are planned.
4. conclusion

Securing your online accounts through (reasonable) two-factor authentication (2FA) is an essential contribution to protecting your digital identity. This is possible, for example, with the Nitrokey Security Stick, which also supports a whole range of other application scenarios. Unfortunately, there is currently no Nitrokey that offers the functions of a Nitrokey Pro 2 and also combines FIDO U2F / FIDO 2 in a single key.

In the next part of the article series we will put the Nitrokey Storage 2 (alternative Nitrokey Pro 2) into operation for the first time and generate a 4096-bit RSA key pair, which we can later use for different application scenarios such as e-mail encryption or OpenSSH public key authentication.

Source and more info:
https://www.kuketz-blog.de/zwei-schluessel-fuer-alle-faelle-nitrokey-teil1/

#Nitrokey #SecurityKeys #usb #guide #kuketz #part1
Prevent the Online Ad Industry from Misusing Your Data - Join the #StopSpyingOnUs Campaign

Liberties has organised a series of complaints across Europe to call the attention of national data protection offices to the risks of the behavioural advertising industry. Join us and send your complaint to defend privacy of Europeans together.

https://www.liberties.eu/en/campaigns/stop-spying-on-us-fix-ad-tech-campaign/307

#StopSpyingOnUs
📺 The Adtech Crisis and Disinformation - how real-time bidding works

Dr Johnny Ryan's speech at the European Data Protection Supervisor's 2019 conference on disinformation

📺 https://vimeo.com/317245633 #adtech #disinformation #video #podcast

Videos show police violence at Vienna Climate Demo

The policemen are said to have carried out a mock execution - a method of torture that causes the victim mortal fear. In fact, the videos show a person almost being run over by a police car.

The arrested person is pinned down by two policemen. They then push him under an emergency vehicle - his head only a few centimetres away from the left rear wheel of the car.

Shortly afterwards, the car drives off. The policemen pull the person out from under the vehicle at the last second. The head of the person lying on the ground came very close to being run over.

http://www.tagesschau.de/faktenfinder/polizeigewalt-113.html

https://mobile.twitter.com/florianklenk/status/1135947374306705410

https://www.welt.de/politik/ausland/article194794581/Oesterreich-Videos-zeigen-Polizeigewalt-bei-Wiener-Klima-Demo.html

#vienna #police #violence #climate #demo
AVARE - Tamed Data Octopuses

The consumer, often unintentionally, becomes a data source. Researchers from Karlsruhe have developed software that gives users control over their personal data.

Download and more info:
https://avare.app/
https://projects.aifb.kit.edu/avare/Avare_App_Installation.pdf

GitHub:
https://github.com/privacy-avare/PRIVACY-AVARE

#avare #userdata #privacy #protection #android #app #opensource #video
Error 451 - Analyzing the eMail Tracking Ecosystem

Online tracking is not exclusive to websites, but also widespread in eMails. We built an open platform to detect eMail tracking, and we'd like to show some results and invite you to participate.

These days, tracking on websites is old news - we all know that it is happening, and we have our established defenses like ad blockers. However, website-based tracking tells only half the story, because many companies also track their eMails to see if you open them, and if you click any links. This area of online privacy has been mostly overlooked in the past, and not a lot of defenses exist.

📺 Error 451 #CCC #eMail #tracking #Video
https://media.ccc.de/v/gpn19-59-analyzing-the-email-tracking-ecosystem

Critical Flaws Found in Widely Used IPTV Software for Online Streaming Services

Security researchers have discovered multiple critical vulnerabilities in a popular IPTV middleware platform that is currently being used by more than a thousand regional and international online media streaming services to manage their millions of subscribers.

Discovered by security researchers at CheckPoint, the vulnerabilities reside in the administrative panel of Ministra TV platform, which if exploited, could allow attackers to bypass authentication and extract subscribers' database, including their financial details.

https://research.checkpoint.com/we-decide-what-you-see-remote-code-execution-on-a-major-iptv-platform/

#iptv #vulnerabilities #remotecode #poc #video #podcast
🎧 INTERVIEW: Emmy Butlin discusses Julian Assange’s critical situation

This past week the world learned how Julian Assange failed to appear for an extradition hearing in London due to his deteriorating health conditions, as he continues to serve a 50-week sentence in London’s super-max Belmarsh prison. According to Assange’s Swedish defense lawyer, Per Samuelson, “it was not possible to conduct a normal conversation with him.” A disturbing tale of states and institutions – all colluding to abuse an award-winning journalist still being held arbitrarily as a political prisoner.

📻 https://21stcenturywire.com/2019/06/05/interview-emmy-butlin-discusses-julian-assanges-critical-situation/

#FreeAssange #podcast
GnuPG Key Generation and Smartcard Transfer - Nitrokey (Part2)

1. Key material

Depending on the version, a Nitrokey supports different application scenarios. In this article of the article series "Nitrokey" I describe the commissioning of a Nitrokey under GNU/Linux and the following GnuPG key generation. An (RSA) key pair is a basic requirement for the two application scenarios OpenPGP/GnuPG e-mail encryption and OpenSSH public key authentication.

The procedure described for creating a (RSA) key pair and then transferring it to the smart card of the Nitrokey should also be transferable to other security tokens such as the YubiKey.

2. Start-up: Nitrokey

The start-up of a security token differs depending on the Nitrokey variant and operating system. On the Nitrokey website you will find installation instructions for each key and operating system. In the following I will describe the setup of a Nitrokey Storage under Debian GNU/Linux - the instructions can also be transferred 1:1 to the Nitrokey Pro.

2.1 Installing Necessary Packages

For Debian GNU/Linux to access the Nitrokey smartcard, the libccid library must be installed:

apt-get install libccid

The Debian package sources also provide the Nitrokey management program:

apt-get install nitrokey-app

2.2 Changing the User and Admin PIN

After installing these two packages you should first change the user and admin PIN. The user PIN will be requested if you open an encrypted e-mail within Thunderbird, for example, which will then be decrypted using the secret key on the smartcard. You will need the admin PIN for various operations, such as transferring key material or resetting the Nitrokey. In short: You should change the default settings "123456" (user PIN) and "12345678" (admin PIN) for your own protection.

Open the Nitrokey app and navigate to Menu -> Configure -> Change User PIN and Change Administrator PIN.

3. (RSA) key material

A necessary prerequisite for OpenPGP/GnuPG e-mail encryption and other application scenarios is the public key encryption method. In this concept, a user generates a key pair consisting of a secret part (private key) and a non secret part (public key). Anyone wishing to exchange encrypted e-mails based on GnuPG with other participants must first generate a key pair.

We can generate this key pair either directly on the Nitrokey or on a trustworthy computer. The key generation on the Nitrokey has the advantage that the secret, private key can never leave the smartcard. However, this also means that no backups of the keys can be made. If the Nitrokey is lost or defective, the keys on it are inevitably lost - decryption of e-mails, for example, is then no longer possible. All in all, generating the key pair directly on the Nitrokey is the safest option, but also the one that does not allow backup of the key material. The key generation directly on the Nitrokey is explained in detail in a manual on the Nitrokey website.

Personally, I recommend doing the GnuPG key generation in a "secure" environment or computer instead of generating it directly on the Nitrokey. This means not only more flexibility, but also a backup of the keys. Therefore I will explain in the following how to create an RSA key pair on a GNU/Linux system.

⚠️ Advice
If you have already created a GnuPG key pair, you should create a backup of the keys and then jump to section "5. Transfer to the Nitrokey".

3.1 Master key and subkeys: Purpose of use

An RSA key pair always consists of a public and a secret (primary) key. The primary, secret key (master key) must be specially protected. If it falls into the wrong hands, an attacker can create new identities (UIDs), revoke valid keys, and completely impersonate the original owner.
Subkeys can be derived from a primary master key. They behave like normal keys, but are bound to the master key pair. A subkey can be used for signing, encrypting, or authenticating. The advantage of subkeys is that they can be revoked and stored separately from the master key. Subkeys are like a separate key pair, but they are logically linked to the master key pair.

Let's take a look at the different uses and capabilities of private keys:

Certification:
The certification function is normally bound to the master key. Among other things, it is used to create new identities (UIDs) or to change existing key data. It can also be used to authenticate other public keys or confirm their authenticity. The background is the Web of Trust to check the authenticity of a key.

Encrypt:
A key with this capability can decrypt messages that have been encrypted with the appropriate public key. The private key is used in email encryption, for example, where someone uses your public key to encrypt a message to you. Since only you have the appropriate private key (trapdoor function), you can undo the encryption.

Sign:
A key that has this capability can generate digital signatures of messages. This digital signature can be attached to an e-mail, for example. The sender can thus prove beyond doubt that a message originates from him. Prerequisite: The recipient has already checked the authenticity of a key or the sender in advance.

Authentication:
This function is used as part of the challenge-response protocol and is used, for example, for OpenSSH public key authentication. A key with this capability is therefore used to authenticate one's own identity.

In general, it is an advantage if you familiarize yourself with the concept of asymmetric encryption or OpenPGP/GnuPG before using your key pair in practice. In this article, I have only touched on a little of the elementary basic knowledge.

3.2 Secure environment

The initial generation of an RSA key pair should take place within a "secure" environment. Ideally, this is a computer that is not connected to the Internet. My suggestion includes the following components:

USB stick (from 8 GB) with Tails:
Tails is a suitable system environment for generating the key pair. In the Tails Wiki you will find instructions on how to install Tails on a bootable USB stick. The installation instructions also describe in an optional step 6 how to create an encrypted, persistent memory. This storage area on the USB stick is encrypted and additionally protected by a password. It serves the following purposes:

👉🏼 Storage of sensitive data
👉🏼 Additional software
👉🏼 Storage of encryption keys

USB stick as backup:
Storage of generated master keys, subkeys and revocation certificate

After creating the bootable Tails USB stick, the system is booted from a computer that is not connected to the Internet or any other network - i.e. completely "airgapped". The persistent storage area is then created (optional step), where the keys are then generated.

Depending on your personal threat model, the creation of a RSA key pair can also be done under different conditions - in the end you have to decide for yourself. For comparison: On a Windows XP gaming computer that has all kinds of software installed and is also connected to the Internet, you can of course also create the RSA keys. However, you also run a considerably higher risk that the key will be compromised or read by third parties during the creation process.

4. GnuPG key generation

For the RSA key generation you need GnuPG (from version 2.0.22). You can use a command line to check which version is pre-installed:

gpg --version

Output:
gpg (GnuPG) 2.2.12
libgcrypt 1.8.4
Copyright (C) 2018 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

4.1 Key generation

By default, GnuPG generates a master key with the functions:
👉🏼 Certification and Signing
👉🏼 including a subkey with the Encrypt function.

We will keep that, but add another subkey with the function Authentication via the expert mode. Let's start with the guided key generation:

gpg --full-generate-key --expert

Output:

gpg --full-generate-key --expert

Please select the type of key you want:
(1) RSA and RSA (default)
(2) DSA and Elgamal
(3) DSA (sign/certify only)
(4) RSA (sign/certify only)
(7) DSA (use adjustable)
(8) RSA (use adjustable)
(9) ECC and ECC
(10) ECC (sign only)
(11) ECC (use adjustable)
(13) Existing key
Your choice? 1
RSA keys can be between 1024 and 4096 bits long.
What key length do you want? (3072) 4096
The required key length is 4096 bits.
RSA keys can be between 1024 and 4096 bits long.
What key length do you want for the subkey? (3072) 4096
The required key length is 4096 bits.
Please select how long you want the key to remain valid.
0 = Key never expires
<n> = Key expires after n days
<n>w = key expires after n weeks
<n>m = key expires after n months
<n>y = Key expires after n years
How long does the key remain valid? (0) 3y
Key expires Mo 06 Jun 2022 09:01:58 CEST
Is this right? (y/N) y

GnuPG creates a User ID to make your key identifiable.

Your Name ("First Name Last Name"): Mike Kuketz
Email address: nitrokey@kuketz.de
Comment:
You have chosen this User-ID:
"Mike Kuketz <nitrokey@kuketz.de>"

Change (N)ame, (K)ommentar, (E)-Mail or (F)ertig/(A)break? F
We have to generate a whole lot of random values. You can do this
by e.g. doing something in another window/console.
type, use the mouse or use any other program.

The selection summarized:

[1] RSA and RSA:
Keys for both the master key and the subkeys are generated on the basis of the RSA cryptosystem.

[4096] Key length in bit for master key:
The master key should have a size of 4096 bits. This corresponds to a security level of about 140 bits. For comparison: RSA-2048 has a security level of approx. 112 bits and RSA-3072 has a security level of approx. 128 bits.

[4096] Key length in bits for subkeys:
We also select a 4096-bit key length for the subkeys.

[3y] Validity of keys:
For security reasons, keys should always have an expiration time. This ensures that keys will become invalid at some point - e.g. if the secret key is no longer accessible for any reason. You can extend the expiration time later, even if the keys have already expired.

[Mike Kuketz] Name:
A name or pseudonym.

[nitrokey@kuketz.de] E-mail address:
The email address you have that you would like to use later to encrypt emails with other participants. You can later add more email addresses to which you want the keys to be valid.

[] Comment:
The specification is not mandatory or purely optional.

[F] Finish:
The F entry completes the process and generates the keys.

During the process, a popup will appear on the screen prompting you to enter a password. Please choose a "secure" password here - if the keys get lost, they are at least protected by the password.

We have now generated a master key with the function Certify / Sign and a sub key with the function Encrypt:

gpg: key 206C95DB985E7CC0 is marked as ultimate trustworthy
gpg: revocation certificate was saved as '/home/mike/.gnupg/openpgp-revocs.d/E83AB97F53CAE4AAE858BD06206C95DB985E7CC0.rev'.
Public and secret key generated and signed.

pub rsa4096 2019-06-07 [SC] [expires: 2022-06-06]
E83AB97F53CAE4AAE858BD06206C95DB985E7CC0
uid Mike Kuketz <nitrokey@kuketz.de>
sub rsa4096 2019-06-07 [E] [expires: 2022-06-06]

I would like to briefly discuss a few attributes:

pub:
The pub attribute identifies the master key that is capable of the two functions [S] (signing) and [C] (certification).

sub:
The sub attribute marks the subkey that supports the [E] (Encrypt) function.

uid:
Your user ID (UID).

Revocation certificate:
A revocation certificate is also generated during the process. If the private key is compromised or lost, the key should be marked as invalid using the revocation certificate. Other participants will then be informed when the key is updated that the key has been revoked or is no longer valid. A revoked key can still be used to verify old signatures or decrypt emails - if the private key is still accessible. However, new emails can no longer be decrypted with this key.

4.2 Adding subkeys

For the OpenSSH Public Key Authentication application scenario, it is necessary to add an additional subkey with the Authentication function. With the --edit-key command, the key already created is called and can then be extended or changed:

gpg --edit-key --expert nitrokey@kuketz.de

Output:

Secret key is present.

sec rsa4096/206C95DB985E7CC0
generated: 2019-06-07 expires: 2022-06-06 Usage: SC
Trust: ultimate Validity: ultimate
ssb rsa4096/966F11EA5DF244EA
generated: 2019-06-07 expires: 2022-06-06 Usage: E
[ ultimate ] (1). Mike Kuketz <nitrokey@kuketz.de>

In the interactive mode of GnuPG we can call a lot of functions. If you want to get an overview, you should first enter help.

With the command addkey another subkey can be added:

gpg> addkey
Please select the type of key you want:
(3) DSA (sign/certify only)
(4) RSA (sign/certify only)
(5) Elgamal (encrypt only)
(6) RSA (encrypt only)
(7) DSA (use adjustable)
(8) RSA (use adjustable)
(10) ECC (sign only)
(11) ECC (use adjustable)
(12) ECC (encrypt only)
(13) Existing key
Your choice? 8

Possible processes of an RSA key: Sign Encrypted Authentication
Currently permitted processes: Sign Verschl.

(S) Switching the signature usability
(V) Switching the Encryption Utility
(A) Switching authentication usability
(Q) Exit

Your choice? S

Possible processes of an RSA key: Sign Encrypted Authentication
Currently allowed operations: Verschl.

(S) Switching the signature usability
(V) Switching the Encryption Utility
(A) Switching authentication usability
(Q) Exit

Your choice? V

Possible processes of an RSA key: Sign Encrypted Authentication
Currently permitted operations:

(S) Switching the signature usability
(V) Switching the Encryption Utility
(A) Switching authentication usability
(Q) Exit

Your choice? A

Possible processes of an RSA key: Sign Encrypted Authentication
Processes currently allowed: Authentication

(S) Switching the signature usability
(V) Switching the Encryption Utility
(A) Switching authentication usability
(Q) Exit

Your choice? Q
RSA keys can be between 1024 and 4096 bits long.
What key length do you want? (3072) 4096
The required key length is 4096 bits.
Please select how long you want the key to remain valid.
0 = Key never expires
<n> = Key expires after n days
<n>w = key expires after n weeks
<n>m = key expires after n months
<n>y = Key expires after n years
How long does the key remain valid? (0) 3y
Key expires Mo 06 Jun 2022 10:36:29 CEST
Is this right? (y/N) y
Really generate? (y/N) j
We have to generate a whole lot of random values. You can do this
by e.g. doing something in another window/console.
type, use the mouse or use any other program.

The selection summarized:

[8] RSA (use adjustable):
We would like to add the authentication function. This only works via the menu item [8].

[S] Switch the signature usability:
The functions Sign and Encrypt are displayed in the output under "Currently permitted processes". However, the new subkey should not be able to do either. Therefore, the Sign function is deselected first.

[V] Switching the encryption usability:
We also do not need the Encrypt function and therefore deselect it.

[A] Switching authentication usability:
However, the new subkey should support the Authenticate function, which is why it is activated.

[3y] Validity of keys:
The validity of the subkey is again set to 3 years.

GnuPG then prints the following output:
sec rsa4096/206C95DB985E7CC0
generated: 2019-06-07 expires: 2022-06-06 Usage: SC
Trust: ultimate Validity: ultimate
ssb rsa4096/966F11EA5DF244EA
generated: 2019-06-07 expires: 2022-06-06 Usage: E
ssb rsa4096/6A2B2209DF66A331
generated: 2019-06-07 expires: 2022-06-06 Usage: A
[ ultimate ] (1). Mike Kuketz <nitrokey@kuketz.de>

The new subkey with the Authentication function has therefore been added. By entering quit we leave the interactive mode again and confirm the question "Save changes?" with y:

gpg> quit
Save changes? (y/N) y
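
To check the result without the interactive menu, the capability letters can be read from GnuPG's machine-readable listing. The script below is an added example, not part of the original tutorial; the sample listing is constructed (key IDs taken from the output above, timestamps made up) and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit subkey capabilities from `gpg --with-colons` output.
# Colon format: field 1 = record type, field 5 = key ID,
# field 7 = expiry (epoch seconds), field 12 = capability letters
# (s = sign, c = certify, e = encrypt, a = authenticate).

# Constructed sample listing. On a real system, feed in the output of:
#   gpg --with-colons --list-keys nitrokey@kuketz.de
sample_listing() {
cat <<'EOF'
pub:u:4096:1:206C95DB985E7CC0:1559896589:1654504589::u:::scESCA:
sub:u:4096:1:966F11EA5DF244EA:1559896589:1654504589:::::e:
sub:u:4096:1:6A2B2209DF66A331:1559897789:1654505789:::::a:
EOF
}

# Print "KEYID CAPS EXPIRY" for every subkey record read from stdin.
subkey_caps() {
    awk -F: '$1 == "sub" { print $5, $12, $7 }'
}

# Succeed only if KEYID is a subkey whose capability set is exactly CAPS,
# e.g. "a" for a subkey that may authenticate but neither sign nor encrypt.
# usage: subkey_has_exact_caps KEYID CAPS < listing
subkey_has_exact_caps() {
    awk -F: -v id="$1" -v caps="$2" '
        $1 == "sub" && $5 == id { found = 1; ok = ($12 == caps) }
        END { exit !(found && ok) }'
}

# Succeed only if every subkey has an expiry date (field 7 not empty).
all_subkeys_expire() {
    awk -F: '$1 == "sub" && $7 == "" { bad = 1 } END { exit bad + 0 }'
}

# Demo on the constructed listing.
sample_listing | subkey_caps
if sample_listing | subkey_has_exact_caps 6A2B2209DF66A331 a; then
    echo "authentication-only subkey present"
fi
```
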

4.3 Backup of the key material

Before we transfer the key material to the Nitrokey, we first create a backup on an external storage medium (e.g. USB stick). This can be additionally encrypted by dm-crypt / LUKS and should be kept safe afterwards:

gpg --armor --output privkey_nitrokey@kuketz.de.asc --export-secret-key nitrokey@kuketz.de
gpg --armor --output subkeys_nitrokey@kuketz.de.asc --export-secret-subkeys nitrokey@kuketz.de
gpg --armor --output pubkey_nitrokey@kuketz.de.asc --export nitrokey@kuketz.de
gpg --export-ownertrust > nitrokey@kuketz.de.txt

Or simplified:

gpg --armor --output privkey_nitrokey@kuketz.de.asc --export-secret-keys nitrokey@kuketz.de
gpg --armor --output pubkey_nitrokey@kuketz.de.asc --export nitrokey@kuketz.de
gpg --export-ownertrust > nitrokey@kuketz.de.txt

The revocation certificate should also be secured:

gpg --output revoke_nitrokey@kuketz.de.asc --gen-revoke nitrokey@kuketz.de

5. Transfer to the Nitrokey

We have now generated a master key (signing, certifying) and two subkeys for encryption and authentication. Before you transfer these keys to the Nitrokey, please make sure that you have made backup copies. Once the keys are on the Nitrokey, you will no longer be able to extract them from there.

An OpenPGP smartcard like the one used in the Nitrokey has three separate key slots. This means that on a security token like the Nitrokey or YubiKey you can usually store a private GPG key or up to three subkeys. That is exactly what we are going to do, so we start GnuPG's interactive mode again to transfer the keys to the smartcard:

gpg --edit-key --expert nitrokey@kuketz.de

Output:

Secret key is present.

sec rsa4096/206C95DB985E7CC0
generated: 2019-06-07 expires: 2022-06-06 Usage: SC
Trust: ultimate Validity: ultimate
ssb rsa4096/966F11EA5DF244EA
generated: 2019-06-07 expires: 2022-06-06 Usage: E
ssb rsa4096/6A2B2209DF66A331
generated: 2019-06-07 expires: 2022-06-06 Usage: A
[ ultimate ] (1). Mike Kuketz <nitrokey@kuketz.de>

gpg> keytocard
Really move the master key? (y/N) j
Select the storage location for the key:
(1) Signature key
(3) Authentication key
Your choice? 1

sec rsa4096/206C95DB985E7CC0
generated: 2019-06-07 expires: 2022-06-06 Usage: SC
Trust: ultimate Validity: ultimate
ssb rsa4096/966F11EA5DF244EA
generated: 2019-06-07 expires: 2022-06-06 Usage: E
ssb rsa4096/6A2B2209DF66A331
generated: 2019-06-07 expires: 2022-06-06 Usage: A
[ ultimate ] (1). Mike Kuketz <nitrokey@kuketz.de>

The master key has just been stored in key slot (1) Signature key of the smartcard with the keytocard command. To transfer the two subkeys to the smartcard or the Nitrokey, we proceed as follows: