1024-3072 bit OpenPGP cards

Werner Koch wk at gnupg.org
Fri Jul 17 11:26:21 CEST 2009


I talked with David about the new OpenPGP card and how to solve a
surprising behaviour.  A little background:

The new v2 specification of the card explicitly allows different key
sizes for the card.  It is even possible to change the key size from the
factory default (this deletes an existing key).  This is an optional
feature announced through the card's capabilities mechanism.  It is a
boolean flag telling whether changing the key size is possible.

What the card doesn't tell is the range of the allowed key sizes and how
the keys are internally represented; if you select an invalid size or
bad parameters the card will simply reject it.  Thus before changing the
key size you need to check with the vendor what sizes are supported.

I recently enhanced the "keytocard" command to change the key size of the
card to match the size of the key to be written to the card.  That is a
nice and very desirable feature.  In the past, if you tried to use the
"keytocard" command, it failed if the sizes didn't match.  So far so
good.  Now for the surprise:

If you later generate new keys (gpg --edit-key; admin, generate) these
keys are created with the current key sizes of the card.  For example:
if you recently wrote a 1024 bit authentication key to the card, you
would create 3 keys: 2048, 2048 and 1024.

David suggested always asking the user for the key size (in case the
card supports changing the key size at all).  The problem is that we
don't know what key sizes the card supports: The one card implementation
currently available supports 1024- to 3072-bit RSA [1].  We know that but
we can't tell without looking at the specs of the concrete card.  There
are a few other vendors which may support other key sizes or the chip of
the card is replaced and with that the supported key sizes; it is
entirely possible that you are restricted to certain sizes, e.g. 1024
and 2048 but no 1536 or any other odd number.  If we always asked
for the key size, the user would be surprised as well if he selected a
certain size and ended up with an error message that the key
could not be created.

Note that we don't have a way to figure out a default size and set the
card back to that before keys are generated.

I see a few possibilities:

 1) Keep it as it is.  This will work without surprises unless the user
    once wrote different sized keys to the card.

 2) Always ask for the key size and use as default the current size.
    Show a warning notice if the user entered a different size.

 3) Same as 2 but do this only with --expert.

 4) Add a new command "keysize" to manually set the keysize for each
    key.  Print a warning notice before key generation if the key sizes
    of the card are not all the same and tell the user about the keysize

 5) Other suggestions?
[1] Actually 4096 but due to internal data structure limitations in
    GnuPG it is currently limited to 3072.

Thoughts are free.  An exception is regulated by a federal law.
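As an added illustration (not code from the post or from GnuPG): a small model of the card behaviour described above, the "keytocard" size adjustment, and the warning check proposed in option 4. The slot names, the 2048-bit factory default and the set of supported sizes are assumptions.

```python
# Constructed model of the behaviour described in the post (not GnuPG or card
# code).  A v2 card holds three RSA keys with per-slot sizes; keytocard may
# change a slot's size to match the key being written, and a later "generate"
# silently uses whatever sizes the slots currently have.
from dataclasses import dataclass, field

SLOTS = ("sig", "enc", "auth")          # signature, encryption, authentication


@dataclass
class Card:
    can_change_keysize: bool            # the boolean capability flag the card announces
    supported_sizes: frozenset          # vendor-specific; NOT readable from the card (assumption)
    sizes: dict = field(default_factory=lambda: {s: 2048 for s in SLOTS})  # assumed factory default

    def keytocard(self, slot, keysize):
        """Write a `keysize`-bit key into `slot`, adjusting the slot size first if needed."""
        if self.sizes[slot] == keysize:
            return True
        if not self.can_change_keysize:
            return False                # old behaviour: a mismatched size is an error
        if keysize not in self.supported_sizes:
            return False                # the card simply rejects unsupported attributes
        self.sizes[slot] = keysize      # changing the size deletes the key in that slot
        return True

    def generate(self):
        """Generate all three keys with the slots' *current* sizes, as the post describes."""
        return tuple(self.sizes[s] for s in SLOTS)


def keysize_warning(card):
    """Option 4 from the post: warn before generation when the slot sizes are not all equal."""
    if len(set(card.sizes.values())) == 1:
        return None
    return "card key sizes differ: " + ", ".join(f"{s}={card.sizes[s]}" for s in SLOTS)


if __name__ == "__main__":
    # Sizes 1024/2048/3072 are assumed for illustration; the real range is vendor-specific.
    card = Card(can_change_keysize=True, supported_sizes=frozenset({1024, 2048, 3072}))
    card.keytocard("auth", 1024)        # write a 1024-bit authentication key
    print(card.generate())              # (2048, 2048, 1024): the surprise
    print(keysize_warning(card))
```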
