Basic Communications Security Part 2 - password-store

When we last spoke about encryption, I covered nonrepudiation and the subject of signing.  Today, I will be showing a little less theory and more practical usage of GPG -- keeping your passwords safe.  I will be covering the use of our fancy new encryption key with pass (https://passwordstore.org).  My example machine today will be a shiny new OpenBSD 5.9 box, however the process is largely the same in Linux, et. al.

$ doas pkg_add -v password-store
doas (peter@devenv.my.domain) password:
Update candidates: quirks-2.197 -> quirks-2.197
quirks-2.197 signed on 2016-02-26T22:06:23Z
password-store-1.6.5:base64-1.5: ok
password-store-1.6.5:colortree-1.7.0: ok
password-store-1.6.5:xclip-0.12p0: ok
password-store-1.6.5:gnugetopt-1.1.6: ok
password-store-1.6.5:pwgen-2.07p2: ok
File /etc/bash_completion.d/pass-bash-completion.sh could not be installed:
        No such file or directory
password-store-1.6.5: ok
Extracted 375880 from 377728

That would be roughly equivalent to a 'sudo yum install pass', 'brew install pass', etc.  Now that pass is installed, we will go ahead and initialize it with our key:

$ pass init 86F22317

Password store initialized for 86F22317

Now pass has created a simple file structure for us, and will store passwords inside GPG encrypted files within this file structure.  Let's start by creating a directory or two to categorize passwords, then we'll generate couple:

$ mkdir .password-store/websites
$ mkdir .password-store/ssh
$ pass
Password Store
|-- ssh
`-- websites
$ pass generate websites/facebook 26
The generated password for websites/facebook is:
D#)y=[fehkr`BRZJcrHFbA^8"Y
$ pass generate ssh/peter@example.com 32
The generated password for ssh/peter@example.com is:
S_=zXyt}:5Y`VX|7al&FVTyG^jXGH`L3
$ pass
Password Store
|-- ssh
|   `-- peter@example.com
`-- websites
    `-- facebook

Password-store has now generated two passwords for us called facebook in the websites category, which is 26 characters long, and one called peter@example.com in the ssh category, which is 32 characters long (neither of these are my real passwords).

These passwords are stored, as mentioned above in GPG encrypted files:

$ ls -lR .password-store/
total 8
drwxr-xr-x  2 peter  peter  512 Apr 14 16:05 ssh
drwxr-xr-x  2 peter  peter  512 Apr 14 16:05 websites

.password-store/ssh:
total 4
-rw-------  1 peter  peter  611 Apr 14 16:05 peter@example.com.gpg

.password-store/websites:
total 4

-rw-------  1 peter  peter  605 Apr 14 16:05 facebook.gpg

The passwords can then be retrieved to either STDOUT or the clipboard (by adding the -c flag) using your GPG key:

$ pass websites/facebook

You need a passphrase to unlock the secret key for
user: "Peter Ezetta "
4096-bit RSA key, ID 647AF373, created 2016-04-04 (main key ID 86F22317)


D#)y=[fehkr`BRZJcrHFbA^8"Y

Notice that the encryption subkey is used here, not the main key, which I keep offline on a USB stick.  

Another great feature of pass is it's built in git integration, allowing for easy team sharing of password stores, distributing and keeping passwords in sync between multiple machines:

$ pass git init
Initialized empty Git repository in /home/peter/.password-store/.git/
[master (root-commit) d1daf83] Add current contents of password store.
 Committer: Peter Ezetta

 3 files changed, 1 insertion(+)
 create mode 100644 .gpg-id
 create mode 100644 ssh/peter@example.com.gpg
 create mode 100644 websites/facebook.gpg
[master bd983ce] Configure git repository for gpg file diff.
 Committer: Peter Ezetta

 1 file changed, 1 insertion(+)

 create mode 100644 .gitattributes

Password-store is more than capable of adding git remotes and the like, but I will leave that as an exercise to the reader.  Much more information is available from the project website at https://passwordstore.org.

In the next part of this article, I will be discussing the web of trust and key signing procedures.  Stay tuned!

A Few Words About Nonrepudiation

Standard disclaimers apply.  I'm not a lawyer, this isn't legal advice.  My opinions don't represent my employer.  It's not my fault if you do something stupid and get in trouble.

In my previous post, I discussed getting a GPG keyring set up.  I intend to continue in that vein, and explain email crypto/signing, the web of trust, document protection, and a few other fun topics around communications security -- but first, I want to stop and take a moment to discuss nonrepudiation.

According to techtarget.com:

Nonrepudiation is the assurance that someone cannot deny something. Typically, nonrepudiation refers to the ability to ensure that a party to a contract or a communication cannot deny the authenticity of their signature on a document or the sending of a message that they originated.

GPG provides us with nonrepudiation via document signing.  Document signing is a fairly simple process.  Briefly, when a document is signed, a hash is taken of it's contents.  A hash is a "one-way" mathematical algorithm that will take (generally) text data as an input, and return a unique string of letters and numbers.  This algorithm will always generate the same output, given the same input.  Changing even one character of the input will result in a different output.  Hashes are "one-way" algorithms, in that there is no process (other than brute force) to derive the original document from the hash.  For example, here is a SHA256 hash of this blog-post thus far:

228b9c49367a740073866f77ff09363ff3dbf62eda194b2b8a5660fe5bb5802e

If you were to copy everything from the disclaimer at the beginning of the post through the ":" at the end of the last paragraph, and pass it through shasum -a 256, you should receive the same long string of numbers and letters that I pasted above.   After a hash of the document being signed is taken, it is encrypted with the author's private key.  This means that anyone who possesses the author's public key can decrypt the hash.  We have now accomplished two things:

1. The hash proves that the document has not been modified in any way since it was signed.
2. The ability to decrypt the hash with the author's public key proves that the document was signed by an individual possessing the author's private key.

This all seems great, so back to nonrepudiation -- I hate it when someone tries to say they never told me something when I have evidence that they did.  Let's look at an illustrative example.

Alice sends an (unsigned) email to Bob, approving a new project.  Bob begins work on the project, but ultimately fails to deliver.  The business questions Bob as to why he "wasted" company funds on his failed project, so he produces the letter from Alice approving it.  The business then approaches Alice, who immediately denies sending the email.  We are now in a position of he-said/she-said.  Bob claims Alice sent the email, Alice claims that Bob forged it.

If Alice had signed the original email, GPG would have provided nonrepudiation -- Alice could have no longer denied that she sent the email to Bob.

Many sources (the manual linked in the previous article, for instance) recommend signing all emails all the time.  I would, however, encourage the reader to think about their own situation before deciding to sign all emails all the time.  In a business setting, it may be appropriate to implement a policy mandating that all emails are signed.  In a professional setting, we are expected to be accountable for what we say.  There are other situations, however, in which nonrepudiation may not be desirable.

Nonrepudiation is a double-edged sword.  By demanding signing of others, you gain assurances that they are, indeed, the author of what you are reading.  By signing documents yourself, you are irrefutably certifying that you wrote them.  It all boils down to one thing, really -- don't sign anything you wouldn't want to say under oath.  In the event your communications came before a court, it would be almost impossible to claim that you weren't the author.  This is especially true if there was continued use of the key after the communication was sent, as this shows that the key was under your control, and you had no suspicion of compromise (or else you would have issued that revocation certificate we made last article!).

To conclude -- mean what you say, say what you mean, and think before you sign documents.

Basic Communications Security - Part 1

I've recently been helping a friend get set up with GPG.  Also, I've been switching my password management over to pass.

Through this process, I have found GPG to be fairly straight forward, but it may be a bit daunting for some without prior crypto experience.  In this short series, I am going to cover basic setup of GPG for encryption and signing.  This keypair will consist of subkeys with an offline private master.  Once we have a working and secure GPG setup, I will move on to cover password management with pass, as well as GPG based authentication, and ultimately using hardware GPG tokens.

Hopefully this series will be useful to some.  As always, I welcome comments, questions, and corrections.

Part I - Key Generation

Note:  The example text was sourced from several different key operations on several different keys.  The key IDs and fingerprints in the example text may or may not correspond to valid and active keys.  My key can be retrieved from sks-keyservers, and it's ID is 86F22317.  Please use this key if you need to contact me.

For the sake of paranoia, I will be generating a master key on removable storage.  This key will be used to create subkeys for encryption, signing, and authentication, and it will be stored on removable storage in a safe.  To begin, you will need some clean removable media.  I am using OS X, so my media will be mounted at /Volumes/UNTITLED\ 1/.  Feel free to correct this path as appropriate for your environment.

First we will generate the key on the USB storage:

$ gpg --homedir /Volumes/UNTITLED\ 1/ --expert --gen-key

I use expert in this case to open up the option of setting custom capabilities for my keypair.  By default, GPG will generate a key that can sign and certify with a separate subkey that can encrypt.  I chose to create a master key that could only certify with subkeys that could encrypt and sign:

$ gpg --homedir /Volumes/UNTITLED\ 1/ --expert --gen-key
gpg: WARNING: unsafe permissions on homedir `/Volumes/UNTITLED\ 1/'
gpg (GnuPG) 1.4.20; Copyright (C) 2015 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

gpg: keyring `/Volumes/UNTITLED\ 1/secring.gpg' created
gpg: keyring `/Volumes/UNTITLED\ 1/pubring.gpg' created
Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
   (7) DSA (set your own capabilities)
   (8) RSA (set your own capabilities)
Your selection? 8

Possible actions for a RSA key: Sign Certify Encrypt Authenticate
Current allowed actions: Sign Certify Encrypt

   (S) Toggle the sign capability
   (E) Toggle the encrypt capability
   (A) Toggle the authenticate capability
   (Q) Finished

Your selection? s

Possible actions for a RSA key: Sign Certify Encrypt Authenticate
Current allowed actions: Certify Encrypt

   (S) Toggle the sign capability
   (E) Toggle the encrypt capability
   (A) Toggle the authenticate capability
   (Q) Finished

Your selection? e

Possible actions for a RSA key: Sign Certify Encrypt Authenticate
Current allowed actions: Certify

   (S) Toggle the sign capability
   (E) Toggle the encrypt capability
   (A) Toggle the authenticate capability
   (Q) Finished

Your selection? q
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 4096
Requested keysize is 4096 bits
Please specify how long the key should be valid.
         0 = key does not expire
        = key expires in n days
      w = key expires in n weeks
      m = key expires in n months
      y = key expires in n years
Key is valid for? (0) 4y
Key expires at Tue Apr  7 11:05:27 2020 PDT
Is this correct? (y/N) y

You need a user ID to identify your key; the software constructs the user ID
from the Real Name, Comment and Email Address in this form:
    "Heinrich Heine (Der Dichter) "

Real name: Peter H. Ezetta
Email address: protocall7@sdf.org
Comment:
You selected this USER-ID:
    "Peter H. Ezetta "

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
You need a Passphrase to protect your secret key.

We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
.................+++++
.+++++
gpg: /Volumes/UNTITLED\ 1/trustdb.gpg: trustdb created
gpg: key 86F22317 marked as ultimately trusted
public and secret key created and signed.

gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: next trustdb check due at 2020-04-04
pub   4096R/86F22317 2016-04-08 [expires: 2020-04-07]
      Key fingerprint = E1D3 330D 0107 8360 5417  C337 33D5 14D6 86F2 2317
uid                  Peter H. Ezetta

At this point, I have generated a new certify only key pair that exists only on the USB stick.  Now I will edit the key to add UIDs and subkeys for encryption and signing:

$ gpg --homedir /Volumes/UNTITLED\ 1 --edit-key protocall7@sdf.org
gpg: WARNING: unsafe permissions on homedir `/Volumes/UNTITLED\ 1'
gpg (GnuPG) 1.4.20; Copyright (C) 2015 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

pub  4096R/DDC547B9  created: 2016-04-08  expires: 2020-04-07  usage: C
                     trust: ultimate      validity: ultimate
[ultimate] (1). Peter H. Ezetta

gpg> addkey
Key is protected.

You need a passphrase to unlock the secret key for
user: "Peter H. Ezetta "
4096-bit RSA key, ID DDC547B9, created 2016-04-08

Please select what kind of key you want:
   (3) DSA (sign only)
   (4) RSA (sign only)
   (5) Elgamal (encrypt only)
   (6) RSA (encrypt only)
Your selection? 6
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 4096
Requested keysize is 4096 bits
Please specify how long the key should be valid.
         0 = key does not expire
        = key expires in n days
      w = key expires in n weeks
      m = key expires in n months
      y = key expires in n years
Key is valid for? (0) 1y
Key expires at Sat Apr  8 11:12:15 2017 PDT
Is this correct? (y/N) y
Really create? (y/N) y
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
............+++++
.........................+++++

pub  4096R/DDC547B9  created: 2016-04-08  expires: 2020-04-07  usage: C
                     trust: ultimate      validity: ultimate
sub  4096R/3BCD5DA0  created: 2016-04-08  expires: 2017-04-08  usage: E
[ultimate] (1). Peter H. Ezetta

gpg> addkey
Key is protected.

You need a passphrase to unlock the secret key for
user: "Peter H. Ezetta "
4096-bit RSA key, ID DDC547B9, created 2016-04-08

Please select what kind of key you want:
   (3) DSA (sign only)
   (4) RSA (sign only)
   (5) Elgamal (encrypt only)
   (6) RSA (encrypt only)
Your selection? 4
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 4096
Requested keysize is 4096 bits
Please specify how long the key should be valid.
         0 = key does not expire
        = key expires in n days
      w = key expires in n weeks
      m = key expires in n months
      y = key expires in n years
Key is valid for? (0) 1y
Key expires at Sat Apr  8 11:12:43 2017 PDT
Is this correct? (y/N) y
Really create? (y/N) y
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
......+++++
.............+++++

pub  4096R/DDC547B9  created: 2016-04-08  expires: 2020-04-07  usage: C
                     trust: ultimate      validity: ultimate
sub  4096R/3BCD5DA0  created: 2016-04-08  expires: 2017-04-08  usage: E
sub  4096R/A5FA0D33  created: 2016-04-08  expires: 2017-04-08  usage: S
[ultimate] (1). Peter H. Ezetta

gpg> adduid
Real name: Peter H. Ezetta
Email address: protocall7@gmail.com
Comment:
You selected this USER-ID:
    "Peter H. Ezetta "

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o

You need a passphrase to unlock the secret key for
user: "Peter H. Ezetta "
4096-bit RSA key, ID DDC547B9, created 2016-04-08


pub  4096R/DDC547B9  created: 2016-04-08  expires: 2020-04-07  usage: C
                     trust: ultimate      validity: ultimate
sub  4096R/3BCD5DA0  created: 2016-04-08  expires: 2017-04-08  usage: E
sub  4096R/A5FA0D33  created: 2016-04-08  expires: 2017-04-08  usage: S
[ultimate] (1)  Peter H. Ezetta
[ unknown] (2). Peter H. Ezetta

gpg> save

Now that the key has been generated on the USB stick, I create a revocation certificate just in case the key is lost of compromised.  This certificate should be closely guarded, as it will render the key useless, however you should maintain more than one copy of it in case it is necessary to use it.  A paper copy is recommended.

gpg --output /Volumes/UNTITLED\ 1/86F22317-revocation.asc --home /Volumes/UNTITLED\ 1 --gen-revoke protocall7@sdf.org
gpg: WARNING: unsafe permissions on homedir `/Volumes/UNTITLED\ 1'

sec  4096R/DDC547B9 2016-04-08 Peter H. Ezetta

Create a revocation certificate for this key? (y/N) y
Please select the reason for the revocation:
  0 = No reason specified
  1 = Key has been compromised
  2 = Key is superseded
  3 = Key is no longer used
  Q = Cancel
(Probably you want to select 1 here)
Your decision? 0
Enter an optional description; end it with an empty line:
> Revocation certificate generated at time of key creation.  If this certificate is in use, it is likely I have lost access to the secret key.
>
Reason for revocation: No reason specified
Revocation certificate generated at time of key creation.  If this certificate is in use, it is likely I have lost access to the secret key.
Is this okay? (y/N) y

You need a passphrase to unlock the secret key for
user: "Peter H. Ezetta "
4096-bit RSA key, ID DDC547B9, created 2016-04-08

ASCII armored output forced.
Revocation certificate created.

Please move it to a medium which you can hide away; if Mallory gets
access to this certificate he can use it to make your key unusable.
It is smart to print this certificate and store it away, just in case
your media become unreadable.  But have some caution:  The print system of
your machine might store the data and make it available to others!

The revocation certificate and key-pair exist only on the USB stick.  At this point, we need to import the secret subkeys to the local machine (leaving the secret key on the USB stick for safe keeping).  This can be done by exporting the secret subkeys, then importing them without --homedir:

$ gpg --homedir /Volumes/UNTITLED\ 1 --export-secret-subkeys protocall7@sdf.org > /Volumes/UNTITLED\ 1/secretsubkeys.gpg
$ gpg --homedir /Volumes/UNTITLED\ 1 --export protocall7@sdf.org > /Volumes/UNTITLED\ 1/publickey.gpg
$ gpg --import /Volumes/UNTITLED\ 1/publickey.gpg
gpg: key DDC547B9: public key "Peter H. Ezetta " imported
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)
$ gpg --import /Volumes/UNTITLED\ 1/secretsubkeys.gpg
gpg: key DDC547B9: secret key imported
gpg: key DDC547B9: "Peter H. Ezetta " not changed
gpg: Total number processed: 1
gpg:              unchanged: 1
gpg:       secret keys read: 1
gpg:   secret keys imported: 1
$ gpg -K
/Users/peter.ezetta/.gnupg/secring.gpg
--------------------------------------

sec#  4096R/DDC547B9 2016-04-08 [expires: 2020-04-07]
uid                  Peter H. Ezetta
uid                  Peter H. Ezetta
ssb   4096R/3BCD5DA0 2016-04-08
ssb   4096R/A5FA0D33 2016-04-08

From this, we see that the local copy of GPG has our secret subkeys in it's ring, but the secret key itself is missing (this is evidenced by the # after 'sec').  With the subkeys in place, encryption and signing still work just fine, but if a key needs to be created, revoked, or signed, the USB stick will have to be mounted up and --homedir will need to be added to gpg to point into the backup copy.  For demonstration purposes, here is the secret key output using the USB stick.  Notice that the secret key is present on this one:

$ gpg --homedir /Volumes/UNTITLED\ 1 -K
gpg: WARNING: unsafe permissions on homedir `/Volumes/UNTITLED\ 1'
gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: next trustdb check due at 2020-04-07
/Volumes/UNTITLED\ 1/secring.gpg
----------------------
sec   4096R/DDC547B9 2016-04-08 [expires: 2020-04-07]
uid                  Peter H. Ezetta
uid                  Peter H. Ezetta
ssb   4096R/3BCD5DA0 2016-04-08
ssb   4096R/A5FA0D33 2016-04-08

In the next part of this series, I will discuss the web of trust and key signing, then introduce Pass, "the UNIX default password manager".  Pass is backed by GPG encryption to keep your passwords safe, so now that keys have been set up, we can start using it.

Interesting Reading:

The GNU Privacy Handbook
Into The Void - Creating a new key with subkeys
Debian Wiki - Subkeys