How to reset the PIN counter
Hello,

while trying to set up a gpg smart card to be used for SSH authentication the PIN retry counter reached 0.

I tried several things using the admin PIN in order to reset the counter:
1. "unblock PIN"
2. "change PIN"
3. Setting a "Reset Code" and using that afterwards
4. Change admin PIN

Unfortunately none of these works. If I now try to "unblock PIN" I get the error message "Error unblocking the PIN: Conditions of use not satisfied".

What is the official intended way to reset all PIN counters?

Regards,
Rainer

gpg (GnuPG) 2.0.26

gpg --card-edit
Application ID ...: D276
Version ..........: 2.0
Manufacturer .....: ZeitControl
Name of cardholder: Rainer Keller
Language prefs ...: de
Sex ..............: male
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: forced
Key attributes ...: 2048R 2048R 4096R
Max. PIN lengths .: 32 32 32
PIN retry counter : 0 3 3
Signature counter : 0
Signature key ....: [none]
Encryption key....: [none]
Authentication key: XXX

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Talking about Cryptodevices... which one?
Hi

On Friday 6 February 2015 at 11:59:41 PM, in , Johannes Zarl wrote:

> You're conflating two different threats here.

I was referring to the threat "the host computer might be infected with malware".

> A smartcard *does* protect you from anyone trying to
> steal your private keys.

If they have control of your computer, do they really need to steal the private keys? Maybe they can achieve their aims remotely, using the keys in situ on the smartcard. And, of course, a smartcard is a physical item that can be stolen.

> It does not prevent an attacker from stealing the pin.

I guess a smartcard reader that can only accept the key via its own keypad would help here. If we can be sure it cannot be modified to cache the PIN or accept it via the host computer.

> It does not prevent an attacker from deleting your key.

Always best practice to keep a backup. Even without foul-play it would be needed if the smartcard was lost or broken.

> It does not prevent an attacker from tricking you into
> signing or decrypting a message.

Or making your system sign/decrypt more than one message at a time, when you were aware of just the one?

> Under some circumstances it does not even protect against
> key-revocation.

As has already been mentioned, an "offline" main key stops this.

> Having said all that, I still think it is a worthwhile
> goal to protect the key-material itself using
> smartcard-like hardware / an HSM.

Protecting the private key material is the goal. Use of smartcard and reader is an example of a strategy to follow in pursuit of that goal. Use of an offline main key is another example.

> The protection against key-theft does radically decrease
> your attack surface in many cases.

As always, it depends on your threat model.
-- 
Best regards
MFPA  mailto:2014-667rhzu3dc-lists-gro...@riseup.net

A candle loses nothing by lighting another candle
Re: How to reset the PIN counter
On Feb 7, 2015 6:42 PM, "Rainer Keller" wrote:
>
> Hello,
>
> while trying to setup gpg smart card to be used for SSH authentication the PIN
> retry counter reached 0.
>
> I tried several things using the admin PIN in order to reset the counter:
> 1. "unblock PIN"
> 2. "change PIN"
> 3. Setting a "Reset Code" and using that afterwards
> 4. Change admin PIN
>
> Unfortunately none of these works. If I now try to "unblock PIN" I get the
> error message "Error unblocking the PIN: Conditions of use not satisfied".
>
> What is the official intended way to reset all PIN counters?

http://lists.gnupg.org/pipermail/gnupg-users/2013-March/046261.html should have the info you need.

I save the reset code block to a text file ("reset.txt") and then run "gpg-connect-agent < reset.txt". Remove and reinsert the card and it should be back to factory defaults.

It is worth pointing out that this completely nukes any keys on the card.

Cheers!
-Pete
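The procedure Pete describes, written out as an added example (it is not code from the thread, from the linked message, or from GnuPG): the commonly circulated gpg-connect-agent reset block for an OpenPGP card 2.0, wrapped in a small POSIX shell script. The file name reset.txt follows Pete's message; the version gate that refuses anything but a 2.x card, and the function names, are this example's own additions. Like the block in the linked message, it wipes every key on the card.

```shell
#!/bin/sh
# Added example, not from the thread or from GnuPG: factory-reset an
# OpenPGP card 2.0 via gpg-connect-agent, guarded by a card-version check.
#
# What the block does: VERIFY (INS 20) is sent with a deliberately wrong
# 8-byte PIN ("@" x 8, i.e. 0x40) four times against PW1 (P2 = 81) and
# four times against PW3 (P2 = 83), driving both retry counters to 0.
# With both PINs blocked the card accepts TERMINATE DF (INS E6), and
# ACTIVATE FILE (INS 44) then recreates the OpenPGP application with
# factory defaults (PIN 123456, Admin PIN 12345678). All keys are gone.
gen_reset_block() {
    cat <<'EOF'
/hex
scd serialno
scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40
scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40
scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40
scd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40
scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40
scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40
scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40
scd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40
scd apdu 00 e6 00 00
scd apdu 00 44 00 00
/echo Card has been reset to factory defaults
EOF
}

# Extract the major card version from "gpg --card-status" text on stdin
# (the relevant line looks like "Version ..........: 2.0"). Prints nothing
# when no Version line is present.
card_major_version() {
    sed -n 's/^Version *\.*: *\([0-9][0-9]*\)\..*/\1/p' | head -n 1
}

# Refuse to touch anything but a 2.x card: the same APDU sequence bricks
# 1.x cards (as the thread notes), and this example was not checked
# against anything newer. The gate itself is this example's assumption.
reset_card() {
    major=$(gpg --card-status 2>/dev/null | card_major_version)
    if [ "$major" != "2" ]; then
        echo "refusing: card version '${major:-unknown}' is not 2.x" >&2
        return 1
    fi
    gen_reset_block > reset.txt
    gpg-connect-agent < reset.txt
    echo "Remove and reinsert the card, then check with: gpg --card-status"
}

# Only act when explicitly asked, so sourcing this file is harmless.
case "${1-}" in
    --run) reset_card ;;
esac
```

Run it as `sh reset-card.sh --run` with the card inserted and scdaemon reachable; without `--run` it only defines the functions. Because every VERIFY in the block deliberately fails, the "Conditions of use not satisfied" error from the original post is expected to disappear only after the TERMINATE/ACTIVATE pair, not before.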
Key keeps showing unknown trust
Hi.

I'm trying to edit one of my key's trust, but it keeps showing unknown even after changing it:

$ gpg --edit-key 1BFBED44
gpg (GnuPG) 2.1.1; Copyright (C) 2014 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

pub  rsa2048/1BFBED44
     created: 2010-10-07  expires: never       usage: SCA
     trust: full          validity: unknown
sub  rsa2048/28C61189
     created: 2010-10-07  expires: never       usage: E
[ unknown] (1). Hugo Osvaldo Barrera
[ revoked] (2)  Hugo Osvaldo Barrera
[ revoked] (3)  Hugo Osvaldo Barrera
[ revoked] (4)  Hugo Osvaldo Barrera (Work Account)

gpg> trust
pub  rsa2048/1BFBED44
     created: 2010-10-07  expires: never       usage: SCA
     trust: full          validity: unknown
sub  rsa2048/28C61189
     created: 2010-10-07  expires: never       usage: E
[ unknown] (1). Hugo Osvaldo Barrera
[ revoked] (2)  Hugo Osvaldo Barrera
[ revoked] (3)  Hugo Osvaldo Barrera
[ revoked] (4)  Hugo Osvaldo Barrera (Work Account)

Please decide how far you trust this user to correctly verify other users' keys
(by looking at passports, checking fingerprints from different sources, etc.)

  1 = I don't know or won't say
  2 = I do NOT trust
  3 = I trust marginally
  4 = I trust fully
  5 = I trust ultimately
  m = back to the main menu

Your decision? 4

pub  rsa2048/1BFBED44
     created: 2010-10-07  expires: never       usage: SCA
     trust: full          validity: unknown
sub  rsa2048/28C61189
     created: 2010-10-07  expires: never       usage: E
[ unknown] (1). Hugo Osvaldo Barrera
[ revoked] (2)  Hugo Osvaldo Barrera
[ revoked] (3)  Hugo Osvaldo Barrera
[ revoked] (4)  Hugo Osvaldo Barrera (Work Account)

gpg> save
Key not changed so no update needed.
$ gpg --list-secret-keys
gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
/home/hugo/.gnupg/pubring.kbx
-----------------------------
sec   rsa4096/2B98C0CD 2014-10-22
uid         [ultimate] Hugo Osvaldo Barrera
ssb   rsa4096/F6AB63C3 2014-10-22

sec   rsa2048/1BFBED44 2010-10-07
uid         [ unknown] Hugo Osvaldo Barrera
ssb   rsa2048/28C61189 2010-10-07

I don't think I'm doing something wrong, but: Am I? Did I miss something?

Thanks,

-- 
Hugo Osvaldo Barrera
A: Because we read from top to bottom, left to right.
Q: Why should I start my reply below the quoted text?
Re: How to reset the PIN counter
> I save the reset code block to a text file ("reset.txt") and then run "
> gpg-connect-agent < reset.txt". Remove and reinsert the card and it should
> be back to factory defaults.

Unfortunately this seemed to brick the card.
"gpg: OpenPGP card not available: Not supported"
Gnupg does not detect the card anymore.

Regards,
Rainer
Re: How to reset the PIN counter
On 07/02/15 20:45, Rainer Keller wrote:
>> I save the reset code block to a text file ("reset.txt") and then run "
>> gpg-connect-agent < reset.txt". Remove and reinsert the card and it should
>> be back to factory defaults.
> Unfortunatly this seemed to brick the card.
> "gpg: OpenPGP card not available: Not supported"
> Gnupg does not detect the card anymore.
>
> Regards,
> Rainer

What version was your card? It should work fine on a 2.0 smart card, but, it's by design made to brick 1.X cards. Pete probably should have warned you about this first.

Also, if it was a 2.0 smart card, what key was it?
Re: How to reset the PIN counter
On Feb 7, 2015 10:36 PM, "Duplicity Mailing List" <duplicitymailingl...@mail.ru> wrote:
>
> On 07/02/15 20:45, Rainer Keller wrote:
> >> I save the reset code block to a text file ("reset.txt") and then run "
> >> gpg-connect-agent < reset.txt". Remove and reinsert the card and it should
> >> be back to factory defaults.
> > Unfortunatly this seemed to brick the card.
> > "gpg: OpenPGP card not available: Not supported"
> > Gnupg does not detect the card anymore.
> >
> > Regards,
> > Rainer
>
> What version was your card? It should work fine on a 2.0 smart card,
> but, it's by design made to brick 1.X cards. Pete probably should have
> warned you about this first.

In retrospect I should have, but the output of gpg --card-edit Rainer posted showed he was using a version 2 card so it should be ok. My apologies for any confusion.