GPG smartcard
- Offline master key
- Subkeys
- Encryption
- Signing
- Authentication
GPG smartcard: Encryption
- Mail
- Passwords file (the old school password manager)
- …
GPG smartcard: Signing
GPG smartcard: Authentication
SSH agent → GPG agent
❤
2 factor authentication (2FA/MFA)
HOTP/TOTP
HMAC (RFC 2104)
Keyed-hash message authentication code
Verifies the integrity and authenticity of a message using a shared secret key K
$\textit{HMAC}(K, m) = H \Bigl( (K' \oplus opad) \;||\; H \bigl( (K' \oplus ipad) \;||\; m \bigr) \Bigr)$
where $K'$ is $K$ padded to the hash block size (or hashed first if longer than the block size), and $opad$/$ipad$ are the constant bytes 0x5c and 0x36 repeated to the block size
HOTP (RFC 4226)
HMAC-based One-time Password: HMAC-SHA-1 over the 8-byte big-endian counter C, truncated to d digits (usually 6)
$\textit{HOTP}(K, C) = \textit{Truncate}(\textit{HMAC}(K, C)) \land {0x7FFFFFFF}$
$\textit{HOTP-Value} = \textit{HOTP}(K, C) \pmod {10^d}$
TOTP (RFC 6238)
Time-based One-time Password: HOTP with the counter derived from the clock (by default T0 = 0, the Unix epoch, and TS = 30 s)
$TC = \textit{floor}((\textit{unixtime}(\textit{now}) - \textit{unixtime}(\textit{T0})) / \textit{TS})$
$TOTP = \textit{HOTP}(K, TC)$
$\textit{TOTP-Value} = TOTP \pmod {10^d}$
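The three formulas above (HMAC, HOTP with dynamic truncation, TOTP's time counter) carried through in working code. This is an added example, not code from the slides; it uses only the Python standard library, and the secret and timestamps it checks against are the published test vectors from RFC 4226 Appendix D and RFC 6238 Appendix B. The `verify_totp` helper and its skew window are this example's own addition, not something the slides describe.

```python
import hashlib
import hmac
import struct
import time

# Reference input: the shared secret from RFC 4226 Appendix D / RFC 6238 Appendix B
# (SHA-1, T0 = 0, TS = 30).  Constructed here only to exercise the functions.
RFC_SECRET = b"12345678901234567890"


def hotp(key, counter, digits=6, digestmod=hashlib.sha1):
    """HOTP(K, C) per RFC 4226.

    HMAC over the 8-byte big-endian counter, dynamic truncation (the low nibble of
    the last MAC byte selects a 4-byte window), mask to 31 bits (& 0x7FFFFFFF),
    then reduce mod 10^d and left-pad with zeros.
    """
    mac = hmac.new(key, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def time_counter(now, t0=0, step=30):
    """TC = floor((unixtime(now) - unixtime(T0)) / TS) from RFC 6238."""
    return (now - t0) // step


def totp(key, now=None, digits=6, t0=0, step=30, digestmod=hashlib.sha1):
    """TOTP = HOTP(K, TC); `now` is a Unix timestamp, defaulting to the current time."""
    if now is None:
        now = int(time.time())
    return hotp(key, time_counter(now, t0, step), digits, digestmod)


def verify_totp(key, candidate, now, window=1, digits=6, t0=0, step=30):
    """Server-side check (hypothetical helper): accept the code for the current
    step and up to `window` steps either side to tolerate clock skew, comparing
    in constant time.  Returns the accepted TC, or None.  A real server must also
    store the last accepted TC and refuse it a second time (replay)."""
    tc = time_counter(now, t0, step)
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(key, tc + delta, digits), candidate):
            return tc + delta
    return None


if __name__ == "__main__":
    # RFC 4226 expects 755224 287082 359152 969429 338314 ... for counters 0, 1, 2, 3, 4, ...
    for c in range(10):
        print(c, hotp(RFC_SECRET, c))
    # RFC 6238 (8 digits, SHA-1): time 59 -> 94287082, time 1111111109 -> 07081804
    print(totp(RFC_SECRET, now=59, digits=8), totp(RFC_SECRET, now=1111111109, digits=8))
```

Note that at time 59 the counter is 1, so the 8-digit TOTP `94287082` ends in the 6-digit HOTP for counter 1, `287082`: the two RFCs share the same truncation, only the counter source differs.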
Challenge-response
Phishing and MitM protection (the response is bound to the origin the browser is really talking to)
Application-specific keys (one key per service, so services cannot track a user across sites)
Device cloning detection (monotonic usage counter)
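The three properties on this slide, shown as a protocol exchange between token, browser and relying party. This is an added example, not the slides' material or any real token's firmware: HMAC-SHA256 stands in for the per-key ECDSA signature a real U2F token produces, the `Token`, `Browser` and `RelyingParty` classes and the `bank.example`/`evil.example` origins are hypothetical, and the master secret is generated at run time. What it demonstrates is the structure: a key derived per app ID, the browser fixing the app ID to the real origin, and a counter the relying party requires to increase.

```python
import hashlib
import hmac
import secrets
import struct


def signed_data(app_id, challenge, counter):
    """What the token signs: H(app_id) || counter || H(challenge), mirroring the
    U2F authentication layout (application parameter, counter, challenge parameter)."""
    return (hashlib.sha256(app_id.encode()).digest()
            + struct.pack(">I", counter)
            + hashlib.sha256(challenge).digest())


class Token:
    """Hypothetical hardware token: one master secret, one monotonic counter."""

    def __init__(self, master, counter=0):
        self._master = master
        self._counter = counter

    def _app_key(self, app_id):
        # Application-specific key: two relying parties see unrelated keys, so they
        # cannot correlate the same user.  (Stand-in for a per-app ECDSA key pair.)
        return hmac.new(self._master, b"app-key:" + app_id.encode(), hashlib.sha256).digest()

    def register(self, app_id):
        """Enrolment: hand the relying party its verification key (a public key on a real token)."""
        return self._app_key(app_id)

    def sign(self, app_id, challenge):
        self._counter += 1
        sig = hmac.new(self._app_key(app_id),
                       signed_data(app_id, challenge, self._counter), hashlib.sha256).digest()
        return self._counter, sig

    def clone(self):
        """A perfect copy, counter included: what an attacker who extracted the secret would hold."""
        return Token(self._master, self._counter)


class Browser:
    """Hypothetical client: derives the app ID from the origin it is actually connected to,
    so a page on evil.example can only ever obtain a signature under evil.example's key."""

    def __init__(self, token, origin):
        self.token = token
        self.app_id = origin.split("://", 1)[1]

    def get_assertion(self, challenge):
        return self.token.sign(self.app_id, challenge)


class RelyingParty:
    def __init__(self, app_id):
        self.app_id = app_id
        self.users = {}  # user -> [verification key, last accepted counter]

    def enroll(self, user, key):
        self.users[user] = [key, 0]

    def new_challenge(self):
        return secrets.token_bytes(32)

    def verify(self, user, challenge, counter, signature):
        key, last = self.users[user]
        expected = hmac.new(key, signed_data(self.app_id, challenge, counter), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, signature):
            return "reject: bad signature (key for a different app ID, i.e. wrong origin)"
        if counter <= last:
            return "reject: counter did not increase (token cloned?)"
        self.users[user][1] = counter
        return "ok"


def demo():
    """Runs the four scenarios and returns the relying party's verdict for each."""
    token = Token(secrets.token_bytes(32))
    rp = RelyingParty("bank.example")
    rp.enroll("alice", token.register("bank.example"))
    out = {}
    # 1. Legitimate login from the real origin.
    c = rp.new_challenge()
    out["legit"] = rp.verify("alice", c, *Browser(token, "https://bank.example").get_assertion(c))
    # 2. Phishing / MitM: the attacker relays bank.example's challenge to the victim on evil.example.
    c = rp.new_challenge()
    out["phish"] = rp.verify("alice", c, *Browser(token, "https://evil.example").get_assertion(c))
    # 3. Two services obtain unrelated keys from the same token.
    out["distinct_keys"] = token.register("bank.example") != token.register("shop.example")
    # 4. Cloning: the copy works once, then the original's stale counter gives the clone away.
    clone = token.clone()
    c = rp.new_challenge()
    out["clone_first"] = rp.verify("alice", c, *Browser(clone, "https://bank.example").get_assertion(c))
    c = rp.new_challenge()
    out["original_after_clone"] = rp.verify("alice", c, *Browser(token, "https://bank.example").get_assertion(c))
    return out


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The counter check only detects a clone after both copies have been used; a clone used exclusively, with the original never touched again, is indistinguishable from the original, which is why the token's secret must also be non-extractable.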
Pluggable authentication module
Go passwordless o/ or strong authentication
PIV interface
I don't use it, but:
- Built-in support in Windows > 7
- Code signing
- SSH through PKCS#11
- Docker Content Trust
- Secrets hard to compromise
- Always with you
- Easy to use
Questions?