Bad PIN! when using my gnuk token #2368
Comments
I captured some logs. Here is an extract:
|
Sorry I didn't have time to look at this yet. I have no idea why this could be happening, and the logs unfortunately don't provide any clues. I tested the current version on a gnuk and things worked fine for me, so I don't really have a good way to debug this. :( |
I have changed my keys and PIN and can still reproduce the problem. I'm on vacation and am willing to spend some time debugging this. What can I do please? |
If you build a debug version of openkeychain from current master, there should be a lot more debug output, including a full transcript of communication with the token. Might be able to tell what's going on from there. Note that this output contains potentially sensitive data, please post those logs only for encrypted data and pin codes you don't care about :) |
I got this with the debug version. I don't know what to look for so please tell me if this is not ok:
|
I replaced some hexadecimal numbers with "... SOME DATA..." above as I was not sure if that was leaking any important information. |
So the error that is thrown is Ah, one more thing, what version of gnuk are you using? |
On July 17, 2018 6:26:06 PM GMT+02:00, Vincent Breitmoser ***@***.***> wrote:
So the error that is thrown is `6985`, [...]
Thank you for your explanations
Ah, one more thing, what version of gnuk are you using?
the commit in the master branch from 2 weeks ago
…--
Damien Cassou
http://damiencassou.seasidehosting.st
"Success is the ability to go from one failure to another without
losing enthusiasm." --Winston Churchill
|
To be more precise, I'm on commit b905b4802fe6ae551b3443f531e58854fbcf68e9 of git.gniibe.org/gnuk/gnuk.git. |
I'm still very interested in getting that fixed. Please tell me if I can do anything to help. |
I sent a message to gniibe linking him to this thread, but didn't get a reply. It's possible this is just a bug in the gnuk master, but I don't have enough time to test with that commit right now, sorry :( |
Vincent Breitmoser <notifications@github.com> writes:
It's possible this is just a bug in the gnuk master, but I don't have
enough time to test with that commit right now, sorry :(
which commit are you testing with? I will downgrade my version of gnuk
to the same as yours and report success or failure.
…--
Damien Cassou
http://damiencassou.seasidehosting.st
"Success is the ability to go from one failure to another without
losing enthusiasm." --Winston Churchill
|
I can still reproduce. @Valodim: could you please tell me which version of gnuk you have on your device? |
I'm still interested in solving this issue. |
Does OpenKeychain support KDF-DO described in the OpenPGP Card 3.3 specification? I just experienced the same problem after running kdf-setup on my gnuk token. With the setting disabled it works just fine. |
For what it's worth, I have the same issue as reported here with OpenKeychain 5.3 running on Android 8, with a FST-01G token running Gnuk 1.2.13. That token does use the KDF-DO mechanism. |
I have the same issue with a YubiKey 5 NFC that also has KDF enabled for the PIN. The KDF algorithm is quite simple to implement; in case it would help anyone, here's a Python implementation I've contributed to yubikey-manager: Yubico/yubikey-manager#325. I'd be happy to see this adapted into a patch for OpenKeychain (and hereby release the code under the GPLv3 for the convenience of anyone doing so). |
Same issue here on Yubikey 5 NFC, I have changed my pin to number only and 8 characters and still get the 'bad pin' message ... :( |
Well, this has nothing to do with number of characters... It's just that KDF is not implemented in open-keychain. |
Looks straightforward to implement, and we should have the primitives all there to copy most of the things from @emilazy's example above. If anyone is up for it, would welcome a PR on this. |
YubiKey has KDF disabled by default, correct? I'm experiencing this issue on a fresh one? 🤔
|
@zanona You can check if KDF is enabled via |
Thanks for this. 😉
$ gpg --version | head -1
gpg (GnuPG) 2.2.23
$ gpg --card-status | grep KDF
KDF setting ......: off
|
@DamienCassou I think a better title, instead of
could be something like
I can confirm that this also happens with Yubikey. So @DamienCassou may actually be an early tester <3! But as soon as the issue drduh/YubiKey-Guide#226 is fixed on drduh/YubiKey-Guide, this point is likely to bring more people to this issue. But I can confirm that, using the defaults from Yubikey, a user is unlikely to have this issue. Also, I have not fully tested this, but configuring kdf-setup on an already working Yubikey may 100% fully work (e.g. may require a factory reset and restoring the GPGs from backup).

About KDF

For those interested, here is https://gnupg.org/ftp/specs/OpenPGP-smart-card-application-3.4.pdf, see page 18, "4.3.2 Key derived format". In short, it means that if some backdoor is listening to the USB communication (and not keyboard input), instead of the plain password, it will only get the hashed password. So with this, I think that even in this very bad backdoor scenario, while it would be possible to log on to the smartcard, at least the way the PIN/PUK was stored (whether 6/8 numbers or up to 127 complex characters) would not be obvious just by listening to the USB communication. |
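The PIN derivation discussed in this thread (KDF-DO, section 4.3.2 of the OpenPGP card specification linked above), as an added example that is not part of any comment here and is not OpenKeychain, Gnuk or yubikey-manager code. It assumes the KDF-DO tag layout from that specification (81 algorithm, 82 hash, 83 iteration count, 84 PW1 salt); the sample data object, salt and PIN are constructed.

```python
import hashlib
import struct

# Hash algorithm IDs used by the KDF-DO (RFC 4880 numbering).
HASHES = {0x08: hashlib.sha256, 0x0A: hashlib.sha512}
KDF_NONE, KDF_ITERSALTED_S2K = 0x00, 0x03


def parse_kdf_do(value: bytes) -> dict:
    """Split the KDF-DO (tag F9) value into {tag: bytes}; short-form lengths only."""
    fields, i = {}, 0
    while i < len(value):
        if i + 2 > len(value) or value[i + 1] > 0x7F:
            raise ValueError("truncated or long-form TLV")
        tag, length = value[i], value[i + 1]
        body = value[i + 2:i + 2 + length]
        if len(body) != length:
            raise ValueError("truncated TLV value")
        fields[tag] = body
        i += 2 + length
    return fields


def itersalted_s2k(hash_id: int, salt: bytes, pin: bytes, count: int) -> bytes:
    """Hash salt||pin repeatedly until `count` octets have been fed in."""
    data = salt + pin
    count = max(count, len(data))  # RFC 4880: always hash salt||pin at least once
    h = HASHES[hash_id]()
    full, rest = divmod(count, len(data))
    for _ in range(full):
        h.update(data)
    h.update(data[:rest])
    return h.digest()


def verify_payload(kdf_do: bytes, pin: str, salt_tag: int = 0x84) -> bytes:
    """Bytes to put in the VERIFY command: raw PIN if KDF is off, else the hash."""
    f = parse_kdf_do(kdf_do)
    if f.get(0x81, b"\x00")[0] == KDF_NONE:
        return pin.encode()
    if f[0x81][0] != KDF_ITERSALTED_S2K:
        raise ValueError("unknown KDF algorithm")
    (count,) = struct.unpack(">I", f[0x83])
    return itersalted_s2k(f[0x82][0], f[salt_tag], pin.encode(), count)


# Constructed sample KDF-DO: SHA-256, 100000 octets, made-up 8-byte PW1 salt.
SAMPLE_DO = bytes.fromhex("810103" "820108" "8304000186a0" "8408" "0011223344556677")
```

With KDF enabled the card compares against the derived hash, so a client that sends the raw PIN bytes fails verification even when the PIN is typed correctly.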
I've just got a usb token with gnuk (I replaced neug with gnuk in an FST-01G). I put a keyring on it and things seem to work fine on my computer. In OpenKeychain, I imported the keys from the token in such a way that I get a new entry in "My Keys". Nevertheless, when trying to decrypt a file using the token, I always get "Bad PIN!" error message. The PIN I enter is good. I even cleared the password cache and restarted the phone.
I tried to change the user PIN from gnupg and got the same "Bad PIN!" message after that in OpenKeychain.
I tried to change the user PIN from OpenKeychain and got 3 input fields: 1 for the admin PIN and 2 for the user PIN. When I validated the popup, I got a "Hold Security Token against the NFC…" popup even though my token was inserted already. I unplugged the token and plugged it back and got a "Bad PIN!" error message again.
Your Environment