Storage on a pocket device

Janusz A. Urbanowicz alex at bofh.net.pl
Thu Jan 27 23:42:07 CET 2005


Mikhail Sobolev wrote:

> Hi
> 
> I asked this question:
> 
> On Thu, Jan 20, 2005 at 10:14:51PM +0300, Mikhail Sobolev wrote:
> 
>>This might be a strange question. I'd like to keep my secret keys on a
>>pocket device (Zaurus, iPAQ).  Is it possible to somehow implement this?
> 
> However nobody followed up.  Does it mean that idea is just not
> reasonable at all?

It is reasonable, to some extent.

You want to use a PDA as a cryptographic token.

> Let me describe the use case a bit better.  I have something on my Linux
> PDA.  All my secret keys are stored on the PDA.  When I start to work on
> my workstation, the PDA is connected somehow to it (USB, Bluetooth).
> Whenever an operation involving the secret key is required, this
> operation is performed on the PDA.  How does it sound?

There are two problems with the approach.

1. You assume the connection between PDA and the 'big' machine is very 
transparent for the application, opaque for other applications and 
authenticated, which is quite difficult to do properly.

2. The keys are stealable with the device. Usually, crypto tokens are 
made in a way that makes it supposedly impossible to retrieve the keys 
from the device. For general-purpose devices employed in the function of 
tokens this is done by keeping the keying material in an encrypted blob 
which is very carefully decrypted after authentication of the operation 
by the user. The carefulness is to avoid leaking of sensitive information 
to publicly accessible memory of the device - in gnupg on a 'big' machine 
this is why the memory is mlock(2)ed - so the keys won't leave a trace in 
swap. Again, this can be done but it is difficult.

> Is it possible to implement it using current tools (gnupg, gnupg agent)?

I don't think so.

I once thought about the same but for PalmOS device. But the security 
gain for everyday use is not that much and this solution is not as 
convenient as it looks at first sight. OpenPGP smartcard has most of the 
pros while lacking most of the disadvantages.

Alex
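The mlock(2) point in the reply above, as an added example (not code from the post or from GnuPG itself): a small key buffer is pinned out of swap, excluded from core dumps where Linux supports it, and scrubbed before release. The names secure_key, secure_key_alloc, secure_key_scrub and secure_key_free are assumptions; the key bytes used to exercise it are constructed.

```c
#define _GNU_SOURCE 1 /* madvise(2) and MADV_DONTDUMP on Linux */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/mman.h>
typedef struct {
    uint8_t *buf;    /* page-aligned buffer holding the key */
    size_t   len;    /* bytes of key material requested */
    size_t   span;   /* bytes actually pinned (whole pages) */
    int      locked; /* 1 if mlock(2) succeeded */
} secure_key;

/* Allocate page-aligned, zeroed storage and pin it so it is never written
 * to swap. As GnuPG does, a failed mlock is recorded (locked == 0) rather
 * than fatal; a strict caller can refuse to load a key into such memory. */
int secure_key_alloc(secure_key *k, size_t len)
{
    long page = sysconf(_SC_PAGESIZE); void *p = NULL;
    if (page <= 0 || len == 0) return -1;
    k->span = ((len + (size_t)page - 1) / (size_t)page) * (size_t)page;
    if (posix_memalign(&p, (size_t)page, k->span) != 0) return -1;
    memset(p, 0, k->span);
    k->buf = p; k->len = len;
    k->locked = (mlock(p, k->span) == 0);
#ifdef MADV_DONTDUMP
    madvise(p, k->span, MADV_DONTDUMP); /* keep it out of core dumps too */
#endif
    return 0;
}

/* Overwrite through a volatile pointer so the compiler cannot drop the stores
 * as dead code; returns how many bytes are still non-zero (expect 0). */
size_t secure_key_scrub(secure_key *k)
{
    volatile uint8_t *v = k->buf;
    size_t i, left = 0;
    for (i = 0; i < k->span; i++) v[i] = 0;
    for (i = 0; i < k->span; i++) left += (v[i] != 0);
    return left;
}

/* Scrub, unpin, then release: the key never reaches the free list in clear. */
void secure_key_free(secure_key *k)
{
    secure_key_scrub(k);
    if (k->locked) munlock(k->buf, k->span);
    free(k->buf);
    k->buf = NULL; k->len = k->span = 0; k->locked = 0;
}
```

Check `locked` after allocation: RLIMIT_MEMLOCK or a sandbox can make mlock fail silently for an unprivileged process, which is exactly the "using insecure memory" case the post alludes to.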
