PGP and Smartcards?
Felix E. Klee
felix.klee at inka.de
Fri Jul 22 23:42:39 CEST 2005
At Fri, 22 Jul 2005 22:19:22 +0200,
Werner Koch wrote:
> > OpenPGP cards with 2048 bit keys don't seem to be available at all.
> > However, ordinary ISO 7816-4 compliant smart cards are available
> > through online outlets. For example CryptoFlex and CyberFlex cards
> > can be
> Good luck getting a secure and fast 2k RSA card.
Your wording implies that the cards I mentioned aren't both secure and
fast. Any pointers?
> > A simpler solution, though, would probably be porting code for
> > accessing an Axalto CryptoFlex 32k to GnuPG, or helping fork a
> > "clean" PKCS#11 library from OpenSC and interfacing it to GnuPG.
> > But before thinking
> We won't support pkcs#11 becuase it is not a standard
I know that the PKCS are more or less standard suggestions. IMHO this
isn't that interesting, though. The point is that AFAICS PKCS#11
clearly defines an API, and perhaps it may become an ISO standard in the
future (as other PKCS have done). If GnuPG would provide an interface
to PKCS#11, then the user would have the choice among all crypto devices
for which free software PKCS#11 implementations are available. Aside
from OpenCS there are other PKCS#11 libraries such as the MUSCLE
Framework or openCryptoki (unfortunately those two feature GPL
incompatible licenses but who says that this won't change?).
> but a way to interconnect proprietary applications using proprietary
> extesions to pkcs#11.
Well I guess one doesn't have to use those unless one interfaces with
proprietary libs (which is not an option due to licensing issues).
> > The thing is: All that I need is a card that can securely store a
> > (private) RSA key and that can encrypt and decrypt data with this
> > key.
> Well, I am using that for a long time now and the latest gpg releases
> work pretty well. However it you want 2048k RSA I have no instant
Perhaps I'll indeed buy two of those because everything else seems to be
like too much hassle. I may limit my new master key's life time to two
years, and then see if other devices are around.
> OTOH the card is for sure not the weakest link and 1024 RSA is still
> far out of scope of any attack.
About the weakest link: For a master key the length of the key may well
be the weakest link if the master key is stored away in a safe place and
if it is only used once in a while on reasonably tamper proof systems
not connected to a network.
Felix E. Klee
More information about the Gnupg-users