Increasing Public Key Crypto Security with Handhelds

Jason Gunthorpe jgg at ualberta.ca
Sat Nov 27 02:35:22 CET 1999


On Fri, 26 Nov 1999, Brian Ristuccia wrote:

> What I'm proposing is to do the private key part on the handheld computer.
> GNU Privacy Guard would send only encrypted session keys to the handheld
> computer. The handheld computer would then prompt the user for their

Sounds like you are proposing a scheme like what ssh does with its agent
forwarding. Basically how that works is that when you ssh to a remote
machine it sets up a means for an ssh client on that machine to send a
challenge back to your machine where it can be securely verified and then
relayed back to the final server.

That would be nice (at least for signing..) to be made available under
GnuPG somehow. Instead of doing the encryption locally, GPG could send the
plaintext back through to the end user machine to be encrypted and sent
back and then encoded into the packet. The passwd prompting would be done
out of band on the client machine.

Even better, like ssh, this could provide a generic means to manage your
encryption key outside of an individual session - for example, an X
application could be used to prompt for the password, and once provided it
could hang on to the unencrypted key in secure memory until the user
decides they do not require it anymore and releases it. The concept is
similar to what Mutt implements already, except IMHO more useful :>

Moving the encryption agent down into a hardware device like a handheld or
a smartcard would be the eventual ultimate evolution of a system like
this, that IMHO would greatly increase the security of your key if it were
never present on a networked computer and physically removable (and
securable, say in a safe).

Jason
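
The agent-style flow discussed in this message, as an added example that is not part of the original post and is not GnuPG or ssh code: the networked host forwards only a digest, and the key holder confirms out of band before signing. `HandheldAgent`, `host_sign`, the JSON message format and the toy textbook-RSA key are all assumptions made for illustration.

```python
import hashlib
import json
from typing import Callable, Optional

# Constructed toy key: unpadded textbook RSA over two Mersenne primes.
# It illustrates the message flow only; it is not a secure key or scheme.
P, Q, E = 2**127 - 1, 2**89 - 1, 65537
N = P * Q

def digest_int(message: bytes) -> int:
    """SHA-256 of the message, reduced into the toy modulus."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N

class HandheldAgent:
    """Hypothetical key holder: the private exponent never leaves this object."""

    def __init__(self, confirm: Callable[[int], bool]):
        self._d = pow(E, -1, (P - 1) * (Q - 1))
        self._confirm = confirm  # out-of-band prompt, shown on the handheld

    def handle(self, request: bytes) -> bytes:
        """Answer one request from the host; only 'sign' is supported."""
        req = json.loads(request)
        digest = req.get("digest")
        if req.get("op") != "sign" or type(digest) is not int or not 0 <= digest < N:
            return json.dumps({"error": "bad request"}).encode()
        if not self._confirm(digest):
            return json.dumps({"error": "refused by user"}).encode()
        return json.dumps({"sig": pow(digest, self._d, N)}).encode()

def host_sign(message: bytes, send: Callable[[bytes], bytes]) -> Optional[int]:
    """Networked host: knows only the public key and forwards the digest."""
    request = json.dumps({"op": "sign", "digest": digest_int(message)}).encode()
    return json.loads(send(request)).get("sig")

def verify(message: bytes, sig: int) -> bool:
    """Anyone with the public key (N, E) can check the signature."""
    return pow(sig, E, N) == digest_int(message)

if __name__ == "__main__":
    agent = HandheldAgent(confirm=lambda d: True)  # user presses "yes"
    sig = host_sign(b"constructed sample message", agent.handle)
    print("signature verifies:", verify(b"constructed sample message", sig))
```

A compromised host in this model can still ask the agent to sign a digest of its choosing, which is why the confirmation step runs on the device that holds the key.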


