Possible to combine smartcard PIN with key password?

adrelanos adrelanos at riseup.net
Mon Dec 23 19:29:45 CET 2013


NdK:
> On 22/12/2013 04:13, adrelanos wrote:
> 
>> Or in other words, is it possible to store an already encrypted
>> (password protected) gpg private keys on a smartcard? So the smartcard
>> never gets to see the plain key?
> That would be really useless: smartcard needs the key to *do* crypto ops!
> It's not a limited USB stick!
> Since the smartcard is a really controlled execution environment, "we"
> can say it's a "trusted environment".
> 
>> I've learned the hard way (by buying the equipment even with external
>> PIN pad), that when "keytocard" has been used, that only the PIN has to
>> be entered. No password. Unfortunately.
> Luckily. Smartcards are used to avoid exposing key material to an
> untrusted environment, like a PC.

This would be lucky, if one could enter the PIN using an external keypad
(possible) AND a password using the keyboard (not possible).

>> The smartcard has been bought by me to improve security. Not to
>> substitute one security mechanism with another. I believe gpg's software
>> encryption is more trustworthy than a card I got by snail mail. I
>> haven't heard that any cards have been compromised yet, but how do I
>> know if I really received an original (untampered) card in the first place.
> You have to trust the supplier. If you ordered 'em in significant
> quantities, you could ask to have 'em with special keys so that every
> step can be checked.
> Or, more easily, you can buy blank java cards from different
> manufacturers, then compile and upload your carefully checked applet.

Checking the applet is difficult. Only a few people are skilled enough to
do it. I am a user of gnupg. I can't be an auditor-like type of person for
all projects I am using. And let's say the applet is fine as is. It will be
much more difficult to find out if the smartcard really wipes the key as
soon as someone is trying to dismantle the card to directly read its
memory. It is my understanding that understanding such hardware design
is even harder than understanding the applet. And knowing/searching for
vulnerabilities in the hardware design is an art in itself.

>> In my opinion both attempts, password protection and smartcards, on
>> security are worthwhile. When using smartcards I am trusting hardware, a
>> small group of card designers, producers, post office... And when using
>> gpg's software key encryption, I am trusting the software producers and
>> the programmers actually looking at the code.
> You can do many checks yourself: there are various OpenPGP Java
> implementations around.

Also the hardware design?

>> The idea was to take my chances. If smartcards work, that's great. The
>> key can be abused when a malware infection happened, but at least the
>> key can not be extracted. On the other hand, if I lose my smartcard and
>> smartcards don't do what they promise (i.e. someone ever comes up with
>> some exploit to extract the key), I fall back to gpg's software key
>> encryption.
> And how do you think the card could perform crypto ops on encrypted
> keys? If you lose your card, it could be way easier to revoke the keys
> on card. And that's why many people keep their master key offline, using
> cards/tokens just to safely transport their keys.
> 
>> I am ignorant about the technical details. Maybe there is a technical
>> reason why it's not worthwhile to combine these things? Or are
>> smartcards just too limited at this stage of development to support that?
> No. It's simply impossible to do what you're asking. Unless you replace
> the secret key with a *masked* version, leaving the unmasking key on the
> PC, encrypted by PGP. But that would prevent checking on-card various
> possible attacks, actually weakening the whole system.

Well, the smartcard/pin could protect one "part" of the key and the hdd
could contain the other "part" of the key. By "part" I don't mean split
one key in halves, but rather use two keys. I am proposing, the
signature could only get valid if it got signed by both, the
smartcard/pin key and the password/encrypted/hdd key. Or messages get
encrypted twice, once with a key on the smartcard and once with a key on
the hdd.

One could do it manually already. First encrypt a message using the
smartcard and then encrypt the encrypted message again using a
password-protected/encrypted key. And you could tell contacts, "my
signature is only valid if it is signed by both signing keys".

Manually doing so just seems too inconvenient to get it right. Technical
challenges should only be implementing that feature but not conceptual
limitations?
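
The "only valid if signed by both keys" convention described in the message above can be enforced mechanically instead of by agreement between contacts. The following is an added example, not part of the original message or of GnuPG itself; the two fingerprints are constructed placeholders and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: treat a signature as valid only if BOTH keys signed.
# CARD_FPR and DISK_FPR are constructed placeholder fingerprints (assumptions).
CARD_FPR="AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"   # key held on the smartcard
DISK_FPR="BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB"   # passphrase-protected key on disk

# Read "gpg --status-fd" output on stdin. Succeed only if there is a
# VALIDSIG line for every fingerprint passed as an argument. Field 3 is the
# fingerprint of the signing (sub)key, the last field that of its primary key.
require_all_sigs() {
    status=$(cat)
    for want in "$@"; do
        # The appended "" forces string comparison, so a fingerprint that
        # happens to look like a number is never compared numerically.
        printf '%s\n' "$status" | awk -v fpr="$want" '
            $1 == "[GNUPG:]" && $2 == "VALIDSIG" &&
                (($3 "") == (fpr "") || ($NF "") == (fpr "")) { ok = 1 }
            END { exit !ok }' || return 1
    done
    return 0
}

# Write one detached signature file that carries two signatures. gpg asks
# for the card PIN for the first key and the passphrase for the second.
sign_with_both() {
    gpg --local-user "$CARD_FPR" --local-user "$DISK_FPR" \
        --output "$1.sig" --detach-sign "$1"
}

# Verify and apply the two-key policy. Plain "gpg --verify" is not enough:
# it accepts a file that carries just one of the two signatures.
verify_with_both() {
    gpg --status-fd 1 --verify "$1.sig" "$1" 2>/dev/null |
        require_all_sigs "$CARD_FPR" "$DISK_FPR"
}
```

Pinning full fingerprints rather than user IDs or short key IDs keeps the policy tied to the exact two keys.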






More information about the Gnupg-users mailing list