How do I make the private key on a OpenPGP smartcard non exportable ?

NdK ndk.clanbo at gmail.com
Tue Jun 25 12:32:36 CEST 2013


Il 25/06/2013 09:55, Werner Koch ha scritto:

>> First: I trust more the RNG on a card than a SW one
> A card based RNG is often nothing more than a PRNG with a card specific
> seed.  Modern cards seem to have a real hardware RNG.
I'm referring to cards compatible with GlobalPlatform 2.1.1 (minimum),
that is the baseline for MyPGPid applet. That should be "recent enough"
to have a real RNG (if RandomData.ALG_SECURE_RANDOM is implemented).

>  Compared to
> actual hardware RNGs they are very limited and probaly prone to errors.
Shouldn't RNG be subject to the various certifications the card have to
pass for CC and EAL ?

> there is also no way to do extensive power up tests which all other
> hardware RNGs require.
Dedicated applet that only returns random data?

> I consider a good OS supported RNG more reliable.
Might be, but it's prone to a lot of possible attacks, too :)

BYtE,
 Diego.



More information about the Gnupg-users mailing list