OpenPGP Paper Backup

openpgp-paper-backup I’ve been using OpenPGP through GnuPG since early 2000’. It’s an essential part of Debian Developer’s workflow. We use it regularly to authenticate package uploads and votes. Proper backups of that key are really important. Up until recently, the only reliable option for me was backing up a tarball of my ~/.gnupg offline on a set few flash drives. This approach is better than nothing, but it’s not nearly as reliable as I’d like it to be. [Read More]

Don't store TOTP in Bitwarden for your online accounts!

Since I’ve started working in Information Security space, I’ve been talking to a lot of people about the topics related to protecting ones’ identity online. Basically, trying to answer the question: What does it take to sufficiently secure my online accounts? Of course, the meaning of sufficiently is very subjective here, but I’ve always kept it vague to gauge what it means to them specifically. I did make sure to talk people of various backgrounds – from deeply technical all the way to not technical at all. [Read More]
TOTP  MFA 

Unattended Upgrades Debian

Unattended Upgrades in Debian Feels like since forever have I been using unattended-upgrades package to automate the Security upgrades on my various Debian Stable based machines. Default Settings By default unattended-upgrades will install only Security updates. It also will not send any email reports. That is not surprising – well, you have to have email delivery configured and unattended-upgrades needs to know, what email address to send those reports to. [Read More]
Debian 

Playing with NitroKey 3 -- PC runner using USBIP

I’ve been wanting to use my brand new NitroKey 3, but TOTP is not supported yet. So, I’m looking to implement it myself, since firmware and tooling are open-source. NitroKey 3’s firmware is based on Trussed framework. In essence, it’s been designed so that anyone can implement an independent Trussed application. Each such application is like a module that can be added to Trussed-based product. So if I write a Trussed app, I’d be able to add it to NK3’s firmware. [Read More]

Automating Let's Encrypt certificates with Gandi LiveDNS

As a Debian Developer I have a discount on using Gandi and I’ve been using it for quite a long time and have been very happy with it. I’ve been using it for registering domains. For example this blog’s domain is managed by my Gandi account. Using publicly registered domain in private-only setup In addition to using this DNS registrar for public stuff, like a blog, one can also use it for a domain accessible only within a private network. [Read More]

How does Google Authenticator work? (Part 3)

Part 3 is the last part in this short cycle. Here I’ll explain all the details around Time-based One-Time Password algorithm. I’ll finish up by also elaborating on things common to both, HMAC-Based One-Time Password algorithm: QR Codes used to easily transfer secrets from the server to the Authenticator app Base32 algorithm – used to store non-printable secret in a URI (effectively stored by the QR Codes mentioned above). TOTP One way to avoid the problems with lack of feedback between server and the app would be to shift from using a counter that is increasing with every authentication attempt to a counter based on, for example, a time stamp. [Read More]
MFA  TOTP 

How does Google Authenticator work? (Part 2)

Authenticator apps like Google Authenticator use 2 authenticaion protocol centered around What you have paradigm. Those algorithms are: HOTP (HMAC-based One Time Password), and TOTP (Time-based One Time Password). They obviously are different, but both are centered around the same basic idea: using a rolling hash value, that is predictable only to the server and the authenticator app. Additionally, both are using HMAC-SHA-1 for generating those hash values. In my previous post I explained the gist of the approach used in both algorithms. [Read More]
HOTP  MFA 

How does Google Authenticator work? (Part 1)

When you’re accessing services over the WEB – let’s pick GMail as an example – couple of things have to happen upfront: The server you’re connecting to (GMail in our example) has to get to know who you are. Only after getting to know who you are it’s able to decide what resources you are allowed to access (e.g. your own email inbox, your Calendar, Drive etc.). Step 1 above is called authentication. [Read More]
HOTP  TOTP  MFA 

Debian on TrueNAS Core under bhyve

Installing Debian/GNU Linux under bhyve on TrueNAS Core I got myself a TrueNAS Mini X+ couple of months ago. I have it running TrueNAS Core based on FreeBSD. In that system you can run VMs under FreeBSD’s native hypervisor, bhyve. Since there are a couple of quirks around running Debian specifically, I decided to write up a quick article about setting up Debian-based VM there. The quirks The ones I’ve stumbled upon were: [Read More]

Authentication in an Enterprise

I’d like to shed some light at the process of Authentication since it’s a fundamental building block in creating secure tools that need to communicate with other actors over the network. When tools and/or users interact with one another – e.g., through a web browser – both ends of the interactions need a way to make sure, they’re communicating with the right party. Some bad actor might for example create a web page that looks like your bank’s online banking portal. [Read More]