Increasing Public Key Crypto Security with Handhelds

Brian Ristuccia brianr at
Sat Nov 27 14:18:20 CET 1999

On Sat, Nov 27, 1999 at 12:51:15PM +0100, Werner Koch wrote:
> Jason Gunthorpe <jgg at> writes:
> > Even better, like ssh, this could provide a generic means the manage your
> > encryption key outside of an individual session - for example, an X
> > application could be used to prompt for the password, and once provided it
> [...]
> > Moving the encryption agent down into a hardware device like a handheld or
> > a smartcard would be the eventual ultimate evolution of a system like
> That is exactly what I have in mind for some time now (and talked
> about it at the Tokyo BOF).  I call it for now the GPA (..Agent).
> In a first step I will do an internal API for GnuPG to separate tasks
> which require the secret key form the other code.

What's done on the handheld would certainly have to be limited to the public
key part, except for very small messages... 

> Someone from gnupg-devel already played with GnuPG and a PalmPilot.
> One problem might be that these handhelds are a little bit slow; some
> specialized hardware for them would be nice.

The Palms all have moderately slow 68k CPU's ranging from 12mhz to 20mhz.
But this hasn't stopped the ISAAC guys from porting SSLeay and using it to
create a SSH application on the palm. Login happens pretty quickly, even
though my machine uses a 1024 bit server key. Even if DSA/ElGamal is 2 or 3x
slower than RSA, I'm sure it'd still be tolerable for the security-paranoid. 

Someone's gotta come up with a method of using hashes to verify a human
readable document summary to make it more difficult for a compromised remote
machine to trick the user into signing an arbitrary document when the
document's too big to send back to the handheld... 

Brian Ristuccia
brianr at
bristucc at
bristucc at

More information about the Gnupg-devel mailing list