Storage on a pocket device
Janusz A. Urbanowicz
alex at bofh.net.pl
Thu Jan 27 23:42:07 CET 2005
Mikhail Sobolev wrote:
> I asked this question:
> On Thu, Jan 20, 2005 at 10:14:51PM +0300, Mikhail Sobolev wrote:
>>This might be a strange question. I'd like to keep my secret keys on a
>>pocket device (Zaurus, iPAQ). Is it possible to somehow implement this?
> However nobody followed up. Does it mean that idea is just not
> reasonable at all?
It is reasonable, to some extent.
You want to use PDA as cryptographic token.
> Let me describe the use case a bit better. I have something on my Linux
> PDA. All my secret keys is stored on the PDA. When I start to work on
> my workstation, the PDA is connected somehow to it (USB, Bluetooth).
> Whenever an operation involving the secret key is required, this
> operation is performed on the PDA. How does it sound?
There are two problems with the approach.
1. You assume to connection between PDA and the 'big' machine is very
transparent for the application, opaque for other applications and
authenticated. Which is quite difficult to do properly.
2. The keys are stealable with the device. Usually, crypto tokens are
made in a way that makes it supposedly impossible to retrieve the keys
from the device. For general-purpose devices employed in the function of
tokens this is done by keeping the keying material in encrypted blob
which is very carefully decrypted after authentication of the operation
by user. The carefullness is to avoid leaking of sensitive information
to public-accessible memory of the device - in gnupg on a 'big' machine
this is why the memory is mlock(2)ed - so the keys won't leave trace in
swap. Again, this can be done but it is difficult.
> Is it possible to implement it using current tools (gnupg, gnupg agent)?
I don't think so.
I once thought about the same but for PalmOS device. But the security
gain for everyday use is not that much and this solution is not as
convenient as it looks at first sight. OpenPGP smartcard has most of the
pros while lacking most of the disadvantages.
More information about the Gnupg-devel