On 13.05.21 at 23:03, Damien Goutte-Gattat wrote:
> On Tue, May 11, 2021 at 02:03:21PM +0000, mailinglis...@posteo.de wrote:
>> I'm not that familiar with the TPM in general
>
> Me neither.
>
>> is the TPM owner (and SRK) password safe against brute force attacks?
>> Or do you need a complex password for the TPM?
>
> My understanding is that the TPM offers the *possibility* to protect
> against brute force attacks (through the "dictionary attack lockout
> reset" mechanism), but I am not sure whether that protection is enabled
> by default or if the tpm2daemon (the new component within GnuPG in
> charge of using the TPM) makes use of it.
>
> Until I know more, I use with my TPM stronger PINs than what I normally
> use with my OpenPGP tokens, just in case. :)
Your concerns are true, TPM protected keys created by GnuPG are not brute force protected. A quote from James Bottomley:

"The TPM includes what's called dictionary lockout protection, so if too many incorrect passwords are entered, it will enter a dictionary attack timeout phase before it lets you try a new one. The TPM owner can set the timeout parameters for this. Note that you can defeat this by specifying the NODA flag in a TPM key, which means "don't use dictionary attack protection for this key". GnuPG keys are currently created with this flag set, so you need strong passwords for them."

I wonder if the dictionary protection can be enabled at a later point in time... it would greatly ease the use of the key if you just need a short PIN.

Another point is, you can't set an owner password for the TPM; if you do so, GnuPG can't access the TPM and you can't use the keytotpm command. According to James, GnuPG currently has no mechanism to ask for a possibly set TPM owner password.

After all, the whole thing works, but still requires some fine tuning here and there. TPM protected gpg keys really are a great thing and fun to play with. Finally the TPM is good for something in a Unix box ;-) (besides using the hardware RNG, which I already did before)

best regards
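To make the NODA point from the quote above concrete, here is an added example (not code from the thread, GnuPG or tpm2-tools): it decodes the TPMA_OBJECT attribute word of a key as printed by tpm2_readpublic, reports whether the noDA bit is set, and estimates worst-case PIN guessing time with and without the dictionary-attack lockout. The readpublic output and the lockout parameters are constructed sample values, and the lockout arithmetic is a simplified model of the TPM 2.0 failedTries/maxTries/recoveryTime rules.

```python
import re

# TPMA_OBJECT bit positions from the TPM 2.0 Library Specification, Part 2.
TPMA_OBJECT_BITS = {
    "fixedtpm": 1, "stclear": 2, "fixedparent": 4, "sensitivedataorigin": 5,
    "userwithauth": 6, "adminwithpolicy": 7, "noda": 10,
    "encryptedduplication": 11, "restricted": 16, "decrypt": 17, "sign": 18,
}

# Constructed sample of the 'attributes' section tpm2_readpublic prints.
SAMPLE_READPUBLIC = """name-alg: sha256
attributes:
  value: fixedtpm|fixedparent|sensitivedataorigin|userwithauth|noda|decrypt|sign
  raw: 0x60472
"""

def raw_attributes_from_readpublic(text: str) -> int:
    """Pull the raw TPMA_OBJECT word out of tpm2_readpublic-style output."""
    m = re.search(r"attributes:\s*\n(?:\s*value:.*\n)?\s*raw:\s*(0x[0-9a-fA-F]+)", text)
    if not m:
        raise ValueError("no attributes/raw field found")
    return int(m.group(1), 16)

def decode_tpma_object(raw: int) -> list:
    """Names of the attribute bits set in a raw TPMA_OBJECT value."""
    return [name for name, bit in TPMA_OBJECT_BITS.items() if raw & (1 << bit)]

def has_noda(raw: int) -> bool:
    """True when the key opts out of dictionary-attack protection."""
    return bool(raw & (1 << TPMA_OBJECT_BITS["noda"]))

def worst_case_guess_seconds(pin_space: int, per_try_seconds: float,
                             max_tries: int, recovery_seconds: float,
                             noda: bool) -> float:
    """Time to exhaust a PIN space against one key.

    Simplified DA model: a DA-protected object tolerates max_tries failures,
    after which failedTries must decay by one per recovery_seconds before the
    next attempt is accepted, i.e. one guess per recovery interval. A noDA
    object never counts towards failedTries, so only per-try latency limits
    the attacker."""
    if noda or max_tries <= 0:
        return pin_space * per_try_seconds
    free = min(max_tries, pin_space)
    throttled = pin_space - free
    return free * per_try_seconds + throttled * (recovery_seconds + per_try_seconds)

if __name__ == "__main__":
    raw = raw_attributes_from_readpublic(SAMPLE_READPUBLIC)
    print(decode_tpma_object(raw), "noDA set:", has_noda(raw))
    for flag in (True, False):
        print("noda" if flag else "DA  ", worst_case_guess_seconds(10**4, 0.05, 32, 600, flag))
```

With a 4-digit PIN, 32 allowed failures and a 10-minute recovery interval, the noDA key falls in about 500 seconds of worst-case guessing while the DA-protected key takes roughly 69 days, which is the gap the thread's "strong passwords" advice is covering.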