Every time I have to register to a website using a password, I grow more annoyed. Passwords were fine when you only had one, to log in to your corporate mainframe. But these days, computers are better at cracking passwords than humans at remembering them.
It only gets worse with the more sites you maintain profiles. You shouldn’t use the same password all over. If it was hacked, your entire online identity could be compromised. And nobody can remember good strong passwords for every site he visits. Password managers are no solution. You need to have them with you all the time. They are protected by a master password. So if an attacker can get hold of your database and your master password, which is easily attainable with a trojan, then good luck. He even gets a list of sites to visit.
OpenId and OAuth are a step in the right direction. In theory, you could maintain your identity with a central entity, and use it as a proxy to authenticate you. You have to choose that central entity that manages your identity well, as is can now track your every move. Hence, It would be best, if you could host it yourself. But it is usually still only protected by a password. Since you now only have to remember one, it’s easier to choose a strong one. But again, if an attacker gets hold of your password, he can impersonate you.
So, we need hardware based two factor authentication (something you have and something you know). For about one and a half years I’ve been using a CryptoStick for said two factor authentication. It works great for email, files, ssh, package signing, full disk and disk image encryption, but I couldn’t figure out so far how to use it for web authentication. They mention a service for a SmartCard backed OpenId. That would be just what I want, but I couldn’t figure out how to make it happen.
Some pages support other types of two factor authentication, which I don’t like too much. YubiKey is an USB token that emulates a keyboard to enter a one time passphrase. As I understand it, the receiving service needs to communicate to their servers everytime. Google Authenticator is a software solution that also works with one time passphrases that are sent to or generated on your smartphone. Many security experts consider the smartphone a weak link. Both solutions increase the security over simple passwords, no doubt. But the schemes remind me of a man in the middle attack, and both companies are US based. At least since the Snowden leaks, everybody should know what that means.
Last month, I searched the internet once more, looking for a solution to use my OpenPGP SmartCard for web authentication. no-passwd.net offered some new ideas, that I didn’t know or consider before. Specifically, I started looking at EnigForm and mod_openpgp. The idea is compelling, and it looks great. It was developed in 2008 by an Argentinian. The only thing I still don’t understand is, why it is not widely used by now, if it has been around for five years.
EnigForm is a FireFox plugin that is simply installed through the FireFox plugin manager. You have to configure your key id, which was a stepping stone for me. As the whole thing is concerned with authentication, I naturally assumed that I have to specify the authentication sub key from my SmartCard to EnigForm. Only after reading the source, it became obvious, that I have to provide the signature sub-key, as the http headers are digitally signed as a proof of identity.
mod_openpgp is an apache module, whose installation is less straightforward. The documentation on buanzo’s wiki is precise and easily understandable, but it’s just a lot to do. So, I started wrapping the whole thing into a debian package. It’s not finished, but you can find the current state on launchpad in my ppa.
wp-enigform-authentication is a wordpress plugin that uses mod_openpgp as backend and handles the authentication for wordpress. It failed on my wordpress installation, and I have no idea why. The main reason, I wanted the wordpress plugin, is that wordpress also acts as an OpenID provider. My hope was that I could use the wordprss OpenID to log into other sites, while authenticating against wordpress with my SmartCard through gpg, EnigForm and mod_openpgp. It hasn’t to be through wordpress though, it would just be convenient since I have a wordpress installation already.
I didn’t get the wordpress plugin to work. Maybe it interfered with the openid plugin. So, I figured, it would be easier to have it separate from wordpress anyway. So I started to design something based on an example of python-openid. It’s on GitHub, but I didn’t get very far. Other things required my time, and so the project has been at rest for longer than I wanted to.
In the meantime, I ordered a YubiKey NEO, that also includes a JavaCard Java applet that emulates an OpenPGP SmartCard. The documentation states that it can only generate the private keys on card, but that key import would follow soon. I couldn’t test it yet, as it is not recognized as a smartcard on my air gapped machine that holds the master private key. I still consider the CryptoStick more secure than the YubiKey, but the form factor is so much more convenient.
There is also an open source implementation for an openid server for the yubikey. You can run it on your own server, and the installation is fairly simple. Althought to get it running, I had to slightly edit some source files. It only offers one factor authentication. So If somebody gets hold of your YubiKey, he can probably find out where you have your openid server running. Then he can log into some sites and impersonate you. That is only until you realize that your hardware token is gone. So, I consider it better than passwords, but still not the real deal. I hope, I will find the time to make something based on EnigForm…