OpenPGP smartcard restore

zvrba at globalnet.hr
Tue Jun 13 19:47:58 CEST 2006


-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

On Tue, Jun 13, 2006 at 06:55:17PM +0200, markus reichelt wrote:
> 
> I'm not a smartcard user (somehow the concept hasn't been able to
> convince me ... yet), but what you write really sounds rather
> strange. Essentially you're saying: no backup of a private key
> generated on/via a smartcard cannot be exported. Because if it could
> be exported, importing the key(s) in question just works.
> 
Modulo more advanced cryptographic modules (not smart-cards!) which allow
export of a wrapped (=encrypted) key to a file or another smart-card.
The mechanisms are complicated; look for example at
http://www.ncipher.com for an example of such a device. They are both
impractical (large and non-portable) and expensive (in the range of a few
thousand EUR).

On the other hand, there are card-management systems (CMS) which generate
private keys in *their own* cryptographic module and import them securely
(over an encrypted channel) into the smart-card; the CMS saves a backup of
the key in its own database aside (again, protected by some "master key"
stored safely in the cryptographic module). Look at
http://www.globalplatform.org/ for concrete mechanisms.

Granted, the simplistic usage of smart-cards for encryption is a great
opportunity to shoot oneself in the foot.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)

iD8DBQFEjvpOFtofFpCIfhMRA3+pAJ92s9yd6gti+PzvaUF+uh/Wb30R5wCfboSo
3LfSNs5XliN4NTNMendtxW8=
=kmTr
-----END PGP SIGNATURE-----
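The wrapped-key export and CMS backup mechanisms the reply above describes both come down to the same primitive: the card-holder's private key material is encrypted under a master key that never leaves the cryptographic module, and only the wrapped blob is written to a file or a database. The following Go program is an added example (not code from the original post, from GnuPG, from nCipher or from GlobalPlatform) that implements RFC 3394 AES Key Wrap from the standard-library AES block cipher and then models the backup/restore flow: an Ed25519 signing key is generated, its 32-byte seed is wrapped under a master KEK, the blob is "stored", unwrapped again, and the restored key is checked against the original public key. The master KEK, the key-wrap test vector (taken from RFC 3394 section 4.1) and the signed message are constructed inputs; the helper names are this example's own.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/subtle"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
)

// kwIV is the RFC 3394 default initial value. Unwrap checks that it comes
// back out intact, which turns the wrapped blob into a keyed integrity check:
// a wrong KEK or a corrupted blob fails to unwrap instead of yielding garbage.
var kwIV = [8]byte{0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6}

// Wrap implements RFC 3394 AES Key Wrap. plaintext must be at least 16 bytes
// and a multiple of 8; kek must be a 16, 24 or 32-byte AES key.
func Wrap(kek, plaintext []byte) ([]byte, error) {
	if len(plaintext) < 16 || len(plaintext)%8 != 0 {
		return nil, errors.New("key wrap: plaintext must be >= 16 bytes and a multiple of 8")
	}
	block, err := aes.NewCipher(kek)
	if err != nil {
		return nil, err
	}
	n := len(plaintext) / 8
	a := kwIV
	r := make([]byte, len(plaintext)) // R[1..n], stored flat
	copy(r, plaintext)
	var b [16]byte
	for j := 0; j <= 5; j++ {
		for i := 0; i < n; i++ {
			copy(b[:8], a[:])
			copy(b[8:], r[i*8:(i+1)*8])
			block.Encrypt(b[:], b[:]) // B = AES(K, A | R[i])
			t := uint64(n*j + i + 1)  // RFC counts i from 1
			binary.BigEndian.PutUint64(a[:], binary.BigEndian.Uint64(b[:8])^t)
			copy(r[i*8:(i+1)*8], b[8:])
		}
	}
	out := make([]byte, 0, 8+len(r))
	out = append(out, a[:]...)
	return append(out, r...), nil
}

// Unwrap reverses Wrap and fails if the recovered IV does not match.
func Unwrap(kek, ciphertext []byte) ([]byte, error) {
	if len(ciphertext) < 24 || len(ciphertext)%8 != 0 {
		return nil, errors.New("key unwrap: ciphertext must be >= 24 bytes and a multiple of 8")
	}
	block, err := aes.NewCipher(kek)
	if err != nil {
		return nil, err
	}
	n := len(ciphertext)/8 - 1
	var a [8]byte
	copy(a[:], ciphertext[:8])
	r := make([]byte, n*8)
	copy(r, ciphertext[8:])
	var b [16]byte
	for j := 5; j >= 0; j-- {
		for i := n - 1; i >= 0; i-- {
			t := uint64(n*j + i + 1)
			binary.BigEndian.PutUint64(b[:8], binary.BigEndian.Uint64(a[:])^t)
			copy(b[8:], r[i*8:(i+1)*8])
			block.Decrypt(b[:], b[:]) // B = AES^-1(K, (A ^ t) | R[i])
			copy(a[:], b[:8])
			copy(r[i*8:(i+1)*8], b[8:])
		}
	}
	if subtle.ConstantTimeCompare(a[:], kwIV[:]) != 1 {
		return nil, errors.New("key unwrap: integrity check failed (wrong KEK or corrupted blob)")
	}
	return r, nil
}

// BackupAndRestore models the CMS flow: the key is generated outside the
// card, only its seed is wrapped under the module's master KEK, the wrapped
// blob is what the backup database holds, and restore unwraps and re-imports
// the seed. It returns true if the restored key verifies against the
// original public key.
func BackupAndRestore(masterKEK []byte) (bool, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, err
	}
	seed := priv.Seed() // the 32 secret bytes that actually need backing up
	backupBlob, err := Wrap(masterKEK, seed)
	if err != nil {
		return false, err
	}
	restoredSeed, err := Unwrap(masterKEK, backupBlob) // from the "database"
	if err != nil {
		return false, err
	}
	restored := ed25519.NewKeyFromSeed(restoredSeed)
	msg := []byte("constructed test message") // constructed input
	return ed25519.Verify(pub, msg, ed25519.Sign(restored, msg)), nil
}

func main() {
	// RFC 3394 section 4.1 test vector (128-bit KEK, 128-bit key data).
	kek, _ := hex.DecodeString("000102030405060708090A0B0C0D0E0F")
	pt, _ := hex.DecodeString("00112233445566778899AABBCCDDEEFF")
	want, _ := hex.DecodeString("1FA68B0A8112B447AEF34BD8FB5A7B829D3E862371D2CFE5")
	got, _ := Wrap(kek, pt)
	fmt.Println("RFC 3394 vector matches:", bytes.Equal(got, want))

	wrongKEK := make([]byte, 16) // constructed: all-zero key, not the real KEK
	_, err := Unwrap(wrongKEK, got)
	fmt.Println("unwrap under wrong KEK rejected:", err != nil)

	master := make([]byte, 32) // constructed master KEK; a real one lives in the module
	for i := range master {
		master[i] = byte(i)
	}
	ok, err := BackupAndRestore(master)
	fmt.Println("restored key verifies against original public key:", ok, err)
}
```

Two things worth noticing. The caller never sees the key in the clear between Wrap and Unwrap, which is the whole point of a wrapped export; and the wrong-KEK attempt fails loudly because of the IV check, so the backup database is useless to anyone who does not also control the master key. RFC 3394 requires 8-byte-aligned input, which is why the example wraps the fixed-size seed rather than an arbitrary-length encoded key; for variable-length material one would use RFC 5649 (key wrap with padding) or an AEAD.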
