KDF DO support in OpenPGP card
Testing, NormalPublic

Description

By adding new DO (Data Object) for KDF, the OpenPGP card protocol will be improved, so that host computer can compute hash for passphrase with KDF.

This enhancement to the protocol can lower the risk when the data in a card will be accidentally exposed.

gniibe created this task.May 9 2017, 11:06 PM
gniibe added a comment.EditedMay 11 2017, 4:38 AM

Here is the spec.

KDF algorithm byte: 0 - NONE, 3 - KDF_ITERSALTED_S2K
Hash algorithm byte: 8 - SHA256, 10 - SHA512
Iteration count (4-byte)
Salt bytes for User PIN
Salt bytes for Reset Code
Salt bytes for Admin PIN
Initial PIN hash for User
Initial PIN hash for Admin

When KDF-DO is none, it is equivalent to have KDF-DO of:

KDF algorithm byte:         0 - NONE
Hash algorithm byte:        0 - N/A
Iteration count (4-byte):   None
Salt bytes for User PIN:    None
Salt bytes for Reset Code:  None
Salt bytes for Admin PIN:   None
Initial PIN hash for User:  "123456"
Initial PIN hash for Admin: "12345678"

and here is a concrete example.

KDF algorithm byte:         3 - KDF_ITERSALTED_S2K
Hash algorithm byte:        8 - SHA256
Iteration count (4-byte):   100000
Salt bytes for User PIN:    30 31 32 33 34 35 36 37
Salt bytes for Reset Code:  10 11 12 13 14 15 16 17
Salt bytes for Admin PIN:   41 42 43 44 45 46 47 48
Initial PIN hash for User:
  773784A602B6C81E3F092F4D7D00E17CC822D88F7360FCF2D2EF2D9D901F44B6
  - "123456" hashed by the KDF (with User's salt, SHA256, 100000 iter)
Initial PIN hash for Admin:
  2675D6164A0D4827D1D00C7EEA620D015C00030A1CAB38B4D0DD600B27DC9630
  - "12345678" hashed by the KDF (with Admin's salt, SHA256, 100000 iter)
gniibe triaged this task as Normal priority.
marcus moved this task from KW 19 to KW 20 on the g10code Sprint board.May 15 2017, 10:35 AM
marcus edited projects, added g10code Sprint (KW 20); removed g10code Sprint (KW 19).
marcus moved this task from KW 20 to KW 21 on the g10code Sprint board.May 22 2017, 10:43 AM
marcus edited projects, added g10code Sprint (KW 21); removed g10code Sprint (KW 20).
marcus moved this task from KW 21 to KW 22 on the g10code Sprint board.May 29 2017, 10:16 AM
marcus edited projects, added g10code Sprint (KW 22); removed g10code Sprint (KW 21).
marcus moved this task from KW 22 to KW 23 on the g10code Sprint board.Jun 6 2017, 10:16 AM
marcus edited projects, added g10code Sprint (KW 23); removed g10code Sprint (KW 22).
gniibe added a comment.Jun 9 2017, 4:32 AM

Tag for KDF-DO is assigned as:

F9
gniibe added a comment.Jun 9 2017, 4:57 AM

bit 0 (in smartcard context, we say b1 as it starts from 1) of Extended Capabilities specifies if KDF-DO is supported.

Specification is finished.

jans added a subscriber: jans.Aug 3 2017, 9:21 AM
gniibe added a comment.EditedNov 2 2017, 8:49 AM

Changes for Gnuk is done. It's now testing. It will be in Gnuk 1.2.7.

aa added a subscriber: aa.Nov 2 2017, 5:13 PM
This comment was removed by gniibe.
gniibe added a comment.Nov 7 2017, 3:30 AM

Implemented in a branch: gniibe/scd-kdf-support

gniibe changed the task status from Open to Testing.Dec 4 2017, 2:24 AM
gniibe changed the status of subtask T3823: gpg frontend support to setup KDF DO from Open to Testing.Mar 22 2018, 7:59 AM
gniibe added a comment.EditedMar 30 2018, 4:59 AM

I realized that KDF support may be incompatible to Gnuk's feature of "admin-less" mode.
I'm going to implement compatible KDF support to Gnuk; That is, KDF data which only has a single salt.
In this case, all KDF calculation (user, reset-code, and admin) is done with the single salt.
With single salt, admin-less mode can work with no problem.