How to use a separate authentication key? #171

Closed
altsalt opened this issue Jul 29, 2021 · 10 comments

altsalt commented Jul 29, 2021

I am attempting to load a new ECC Curve25519 master-key which was generated with GnuPG 2.2.27 using OnlyKey-App 5.3.3 and OnlyKey-Firmware 2.1.1. I then generated three subkeys and assigned the Signing, Encryption, and Authentication functions to each, keeping them separate from each other and from the Certification ability. Finally, I backed up the entire keychain for cold storage, removing the master-key and exporting the root-less key, as well as each individual subkey, with and without the keychain.

None of these files were considered valid by the OnlyKey-App which is likely due to an issue similar to that outlined in #98 and #166 and which will hopefully be addressed by updating OpenPGP.js. However, I could not fully test the suggestion to have "Stored Key User Input Mode" set to "Button Press Required" because when I try to modify this, either via the OnlyKey-App or onlykey-cli, the setting reverts to "Challenge Code Required".

If issues blocking the loading of these subkeys are resolved, then another question will arise about using a separate subkey for Authentication. Currently, the OnlyKey-App only has options for Signing keys and Decryption keys. Hopefully we can work on addressing this before it poses a problem!

Since I'm using a test-key for all of this, happy to share the various files being used if they would be helpful. Thank you for any suggestions and assistance!

Collaborator

onlykey commented Jul 29, 2021

We currently only support the three methods of key generation described here which are standard OpenPGP keys - https://docs.crp.to/importpgp.html

GPG has many other options that are not supported by OpenPGP.js or by the OnlyKey app. We don't currently have plans to support every iteration of possible subkey combinations and only support the most common standard OpenPGP keys, like those created by GPG with default settings, Protonmail keys, and Keybase keys.

Authentication keys are essentially signing keys that GPG (or the software) knows to only use for authentication. The restriction to use a key for signing or for authentication purposes is restricted in the software application (GPG). For a hardware device the function of signing (sign this blob of data) and authentication (sign this blob of authentication data) are the same function.
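
As an added illustration of the comment above (not part of the original thread, and not OnlyKey or GnuPG code): in OpenPGP the signing-versus-authentication distinction is a single bit in the Key Flags subpacket (RFC 4880, section 5.2.3.21) of a subkey's binding signature. This sketch decodes that subpacket from constructed sample bytes; the function names and sample values are assumptions made for the example.

```python
import struct

# Key-flag bits from RFC 4880 section 5.2.3.21, mapped to gpg's capability letters.
KEY_FLAG_LETTERS = [(0x01, "C"), (0x02, "S"), (0x04, "E"), (0x08, "E"), (0x20, "A")]
KEY_FLAGS_TYPE = 27  # signature subpacket type "Key Flags"

def iter_subpackets(area: bytes):
    """Yield (type, body) for each subpacket in a signature subpacket area."""
    i = 0
    while i < len(area):
        first = area[i]
        if first < 192:                       # one-octet length
            length, i = first, i + 1
        elif first < 255:                     # two-octet length
            if i + 2 > len(area):
                raise ValueError("truncated subpacket length")
            length, i = ((first - 192) << 8) + area[i + 1] + 192, i + 2
        else:                                 # five-octet length
            if i + 5 > len(area):
                raise ValueError("truncated subpacket length")
            length, i = struct.unpack(">I", area[i + 1:i + 5])[0], i + 5
        if length == 0 or i + length > len(area):
            raise ValueError("truncated or empty subpacket")
        yield area[i] & 0x7F, area[i + 1:i + length]   # mask off the critical bit
        i += length

def capabilities(area: bytes) -> str:
    """Return gpg-style capability letters from the Key Flags subpacket, or ''."""
    for sp_type, body in iter_subpackets(area):
        if sp_type == KEY_FLAGS_TYPE and body:
            letters = []
            for bit, letter in KEY_FLAG_LETTERS:
                if body[0] & bit and letter not in letters:
                    letters.append(letter)
            return "".join(letters)
    return ""

# Constructed hashed-subpacket areas: a creation-time subpacket (type 2) followed
# by a Key Flags subpacket. Only the final flags octet differs between the two.
CREATED = b"\x05\x02" + struct.pack(">I", 1627516800)
SIGN_AREA = CREATED + b"\x02\x1b\x02"   # flags 0x02: sign data
AUTH_AREA = CREATED + b"\x02\x1b\x20"   # flags 0x20: authentication

if __name__ == "__main__":
    print(capabilities(SIGN_AREA), capabilities(AUTH_AREA))
```

The key material and the signing operation are untouched by this flag, which is why a device slot configured as a signature key can serve an [A] subkey.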

Author

altsalt commented Jul 29, 2021

Thank you for your prompt response and for clarifying. I suppose the question remains as to whether, when the current blocking issues are resolved, I may still be able to load this subkey into one of the ECC slots? And if so, whether there will be any particular trouble utilizing it were gpg to ask?

Collaborator

onlykey commented Jul 29, 2021

I am not sure what you mean here. There are no blocking issues for OnlyKey; it's just we don't support those custom multiple subkey use cases. We don't currently have plans to support every iteration of possible subkey combinations and only support the most common standard OpenPGP keys, like those created by GPG with default settings, Protonmail keys, and Keybase keys.

Author

altsalt commented Jul 29, 2021

Maybe I'm confused as to what you mean by support. It was my understanding that keys which do not work with specific OnlyKey features may not load through the OnlyKey-App, but could be added manually. The idea is to store these keys on a secure hardware device. Is that possible?

Collaborator

onlykey commented Jul 30, 2021

The keys themselves, yes, could be added manually. However, the App only supports parsing standard OpenPGP keys. You would need a way to parse and extract the multiple subkey secret values from this custom PGP key then load those on OnlyKey. I don't know of a tool that would do that, possibly using PGPy. It would be easier to create and load multiple standard PGP keys through the App as that is supported (i.e. load first OpenPGP key and subkey to ECC slots 1 and 2, load second OpenPGP key and subkey to ECC slots 3 and 4).

Author

altsalt commented Aug 5, 2021

Thank you for writing the script to achieve this, @onlykey. I'm closing the issue, but for anyone looking for breadcrumbs later on, the resolution discussion may be found in #166.

altsalt closed this as completed Aug 5, 2021
@jonathancross

@onlykey :

> Authentication keys are essentially signing keys that GPG (or the software) knows to only use for authentication

Does this mean that we need to select "set a signature key" when importing the [A] Authentication subkey?

And this works with a 2048bit RSA subkey?

Collaborator

onlykey commented Jan 18, 2023

@jonathancross You would need to set as signature key yes, but the advanced add private key tab where you are in the app only works for ECC keys. Is there an error when you try to load the key here on the keys tab?

@jonathancross

I was getting errors below the tabbed UI, but I don't have a record of them.
I'll try again when I get a chance.

Can you confirm that a 2048 bit RSA key is supported from this "Keys" tab if I select "Signature key"?

PS: I don't know if this is relevant, but I am trying to use 3 subkeys on the device:

ssb>  rsa2048/0xD8578DF8EA7CCF1B [S]
ssb>  rsa2048/0x8E1719FE1E8DA9B9 [E]
ssb>  rsa2048/0x397428FC5BA60C24 [A]

Note: this is a common & recommended setup for people using PGP hardware devices. The primary key is kept offline in case the device is lost/stolen and subkeys need to be revoked without affecting signatures on the primary key UIDs.

Collaborator

onlykey commented Jan 28, 2023

Yes RSA 2048 and 4096 are supported. Could you create a test PGP key set up the same way as yours and send to me to test?
