
I'm wondering whether it would be a good practice to make sure the keys are generated in a safe environment, like a live Linux distribution, instead of just generating them in a day-to-day environment that could be potentially compromised already.

I know the private key will probably be generated only inside the FIDO hardware, but is it enough even in a compromised environment, or are there other possible ways the keys could be compromised during its generation?

luislhl
  • So a private key is generated on a separate device deemed secure. But how would you know you are adding *your* public key to other servers? – anx May 26 '23 at 15:41
  • Even if you are in a live Linux environment, are you sure that your EFI has not been compromised? Where do you want to set the cutoff for a completely secure setup? – doneal24 May 26 '23 at 18:55
  • This theoretical question is probably better suited for [security.se]. – Gerald Schneider May 27 '23 at 06:57

1 Answer


Nothing is secure in a compromised environment.

As pointed out in comments your host might be compromised at the UEFI level, making live CDs useless. If your host is secure but your target isn't, the deployed public key might be tampered with. Assuming you're interesting enough, China could have tampered with your FIDO hardware etc.

Security is mainly about adopting practices that mitigate risks identified during your risk assessment so they are within acceptable levels given your threat model. A "normal" person, a political activist, a corporation and a government will have wildly different threat models and acceptable levels of risk. You just have to determine yours.

Using an inadequate threat model with exceedingly cumbersome or complex mitigations usually leads to poor management of those measures and an overall worse security than proper mitigations which address the actual risks.

Ginnungagap