tech-security: Re: cgd and 2-factor keys

Subject: Re: cgd and 2-factor keys
To: NetBSD Tech Security <tech-security@NetBSD.org>
From: Jan Danielsson <jan.danielsson@gmail.com>
List: tech-security
Date: 04/10/2006 01:21:44
This is an OpenPGP/MIME signed message (RFC 2440 and 3156)
--------------enigCE7F4D73BB68C7A68812D0B4
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable

Daniel Carosone wrote:
>> Could someone explain how to create a 2-factor key for use with cgd?
>>
>> I want to create an encrypted volume that requires two keys to access.=

>=20
> A very quick answer, sorry, hopefully I or others can add more detail
> in later followups:
>=20
> the params file can contain multiple key generation methods, one after
> the other, in which case the keys generated by each are xor'd together
> to produce the final result.  This is used, for example, with -G to
> produce two params files with different passphrases to produce the one
> final key.

   This sounds very much like what I want to achieve. I have done the
following:

$ cgdconfig -g -V disklabel aes-cbc 128 > foo1.cgd

This produces a parameter file as normal. Then I run:

$ cgdconfig -G foo1.cgd > foo2.cgd

   It asks for an "old" password, and then a "new" one. At this point
I'm kind of lost. But it does produce a foo2.cgd anyhow. I'm unsure of
what it is I have got here, and what is expected.

   I assume that the "old" password is the one I would have used if I
had used foo1.cgd to mount a slice, and the "new" one is the key for the
second parameter file.

When I run the second command, I get:

cgdconfig: keygen pkcs5_pbkdf2/sha1 does not need a 'key'

   This sounds informational, and not like an error -- but is it a sign
of that I have done something wrong?

   The confusion about the passwords, the parameter files and the
warning a side; I'm not sure how I would go about mounting a partition
using these parameter files.

Normally, I would run:

# vnconfig vnd0 image.img
# cgdconfig -V re-enter cgd7 /dev/vnd0d foo1.cgd

   But now I have two parameter files to work with. Any tips on how I
actually use my new parameter files?

> depending on what you consider as 'factors', a 2-factor method can be
> built with two passphrases, or by keeping the params file (including
> static key) separate from the disk, say on a usb token, or externally
> using some other solution and the -s argument to cgdconfig to inject
> the final key from whatever other storage and retreival mechanism
> suits your needs.

   Ok, both of those sound interesting. But what I'm trying to figure
out is how to do this:

http://www.onlamp.com/pub/a/bsd/2005/12/21/netbsd_cgd.html?page=3D3

(see the first entry on that page).

--=20
Kind Regards,
Jan Danielsson
Te audire non possum. Musa sapientum fixa est in aure.


--------------enigCE7F4D73BB68C7A68812D0B4
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="signature.asc"

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.1 (MingW32)

iD8DBQFEOZcL8wBCTJQ8HEIRAvftAJ9/jxXW7rmMDNJGEWsEXiwLSH+yjwCeJXHE
EeKjKp9KrD1LRQr6YYyG9ww=
=ziQD
-----END PGP SIGNATURE-----

--------------enigCE7F4D73BB68C7A68812D0B4--