Chipdrive SPR 532 and OpenPGP Card with 4096Bit RSA Keys

Peter Lebbing peter at digitalbrains.com
Sat Apr 5 13:08:15 CEST 2014


On 03/04/14 14:42, Florian Wolters wrote:
> Does anyone have this combination up and running and could point me in the
> right direction to get this working?

It works for me. I have an SPR 532 with firmware v5.10, and I'm running Debian
testing x86_64. I'm using GnuPG's internal CCID driver.

I couldn't generate a 4096-bit key on the card, but I could transfer one with
"keytocard". At that point, the key length mentioned in --card-status was
already set to 4096 bit by the failed generation attempt; that might have made a
difference.

It went along these lines:

------------------8<-------------->8------------------
peter at tweek:~$ gpg2 --expert --gen-key
gpg (GnuPG) 2.0.22; Copyright (C) 2013 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
   (7) DSA (set your own capabilities)
   (8) RSA (set your own capabilities)
Your selection? 8

Possible actions for a RSA key: Sign Certify Encrypt Authenticate
Current allowed actions: Sign Certify Encrypt
[...]
Possible actions for a RSA key: Sign Certify Encrypt Authenticate
Current allowed actions: Sign Certify

   (S) Toggle the sign capability
   (E) Toggle the encrypt capability
   (A) Toggle the authenticate capability
   (Q) Finished

Your selection? q
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 42048
[...]
peter at tweek:~$ gpg2 --expert --edit-key 40AF7983
[...]
gpg> addkey
Please select what kind of key you want:
   (3) DSA (sign only)
   (4) RSA (sign only)
   (5) Elgamal (encrypt only)
   (6) RSA (encrypt only)
   (7) DSA (set your own capabilities)
   (8) RSA (set your own capabilities)
Your selection? 8
[...]
Possible actions for a RSA key: Sign Encrypt Authenticate
Current allowed actions: Authenticate

   (S) Toggle the sign capability
   (E) Toggle the encrypt capability
   (A) Toggle the authenticate capability
   (Q) Finished

Your selection? q
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 4096
[...]
[...irrelevant part skipped...]
peter at tweek:~$ gpg2 --expert --edit-key 40AF7983
gpg (GnuPG) 2.0.22; Copyright (C) 2013 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

pub  2048R/40AF7983  created: 2014-04-05  expires: 2014-04-12  usage: SC
                     trust: never         validity: unknown
sub  4096R/80369970  created: 2014-04-05  expires: 2014-04-12  usage: A
[ unknown] (1). Test 4k

gpg> toggle

sec  2048R/40AF7983  created: 2014-04-05  expires: 2014-04-12
ssb  4096R/80369970  created: 2014-04-05  expires: never
(1)  Test 4k

gpg> key 1

sec  2048R/40AF7983  created: 2014-04-05  expires: 2014-04-12
ssb* 4096R/80369970  created: 2014-04-05  expires: never
(1)  Test 4k

gpg> keytocard
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]

Please select where to store the key:
   (3) Authentication key
Your selection? 3

sec  2048R/40AF7983  created: 2014-04-05  expires: 2014-04-12
ssb* 4096R/80369970  created: 2014-04-05  expires: never
                     card-no: 0005 0000106E
(1)  Test 4k

gpg> Save changes? (y/N) y
peter at tweek:~$ gpg2 --card-status
[...]
Key attributes ...: 4096R 4096R 4096R
[...]
Signature key ....: [none]
Encryption key....: [none]
Authentication key: D39E 61C2 8678 7B4B A1CD  84A2 4529 4317 8036 9970
      created ....: 2014-04-05 09:35:02
General key info..: pub  4096R/80369970 2014-04-05 Test 4k
sec   2048R/40AF7983  created: 2014-04-05  expires: 2014-04-12
ssb>  4096R/80369970  created: 2014-04-05  expires: 2014-04-12
                      card-no: 0005 0000106E
peter at tweek:~$ ssh-add -l
4096 88:a5:ad:f8:a9:33:75:2f:08:7d:c0:ad:7e:97:cd:c3 cardno:00050000106E (RSA)
2048 bc:8d:69:cf:45:aa:ea:c3:df:8d:e4:f4:a4:9e:c6:08 /home/peter/.ssh/id_rsa (RSA)
peter at tweek:~$ ssh-add -L
ssh-rsa AAAAB3NzaC1yc2[...]ao3lYk5DHJk0EkW6Q== cardno:00050000106E
ssh-rsa AAAAB3NzaC1yc[...]PRw/seKuoX2PANuDWQ== /home/peter/.ssh/id_rsa
------------------8<-------------->8------------------

I added the card public key to an authorized_keys file and could log in with
that key without any problems.

I updated the firmware to v5.10 a long time ago. I think I used Windows XP
for that.

So it can work. I hope that bit of information helps in your quest for 4k
authentication :). Or you could create a shorter key. Auth keys can be changed
relatively easily, though not as easily as signature keys. More importantly,
they don't protect any secret data (just a random challenge), so I don't think
there's any reason to go beyond, say, 2048 bits.

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>
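The session above ends with three checks done by eye: the card's Authentication slot is filled, "Key attributes" reports 4096R, and ssh-add lists a 4096-bit key tagged with the card number. The script below is an added example (not code from the mail, from GnuPG or from the card vendor) that performs the same checks mechanically over captured output of gpg2 --card-status and ssh-add -l. It assumes the text layout of GnuPG 2.0's output as shown in the mail; the sample input embedded at the bottom is copied from that session and is only there so the script runs offline.

```shell
#!/bin/sh
# Added example, not part of the original mail. Verifies that a card-backed
# SSH authentication key is usable: the Authentication slot on the card holds
# a key, the card reports the expected key attribute for that slot, and
# gpg-agent's ssh emulation exposes a key carrying the same card number.
# All parsing assumes the GnuPG 2.0 output format shown in the mail.

# Fingerprint of the card's authentication key with spaces removed;
# prints nothing when the slot reads "[none]". Reads --card-status on stdin.
card_auth_fpr() {
    sed -n 's/^Authentication key: *//p' | grep -v '^\[none\]' | tr -d ' '
}

# Third entry of the "Key attributes" line, i.e. the authentication slot
# (the slots are listed as signature, encryption, authentication).
card_auth_attr() {
    sed -n 's/^Key attributes \.*: *//p' | awk '{print $3}'
}

# Card number in the form gpg-agent reports it to ssh: the "card-no:" value
# with the space removed (e.g. "0005 0000106E" -> "00050000106E").
card_number() {
    sed -n 's/^.*card-no: *//p' | tr -d ' ' | head -n 1
}

# ssh-add -l prints "<bits> <fingerprint> <comment> (<type>)"; for a card key
# the comment is "cardno:<number>". Succeeds if such a key is loaded.
# usage: agent_has_card_key BITS CARDNO  < output-of-ssh-add-l
agent_has_card_key() {
    grep -q "^$1 [0-9a-f:]* cardno:$2 (RSA)\$"
}

# Full check. Returns 0 only if the auth slot is populated, the slot's
# attribute is <BITS>R and the agent lists a <BITS>-bit key for this card.
# usage: check_card_ssh_key BITS card-status.txt ssh-add-l.txt
check_card_ssh_key() {
    bits=$1; status=$2; agent=$3
    fpr=$(card_auth_fpr < "$status")
    [ -n "$fpr" ] || { echo "authentication slot is empty" >&2; return 1; }
    attr=$(card_auth_attr < "$status")
    [ "$attr" = "${bits}R" ] || {
        echo "auth slot attribute is '$attr', expected ${bits}R" >&2; return 1; }
    cardno=$(card_number < "$status")
    agent_has_card_key "$bits" "$cardno" < "$agent" || {
        echo "no $bits-bit key for card $cardno in ssh-agent" >&2; return 1; }
    echo "ok: auth key $fpr on card $cardno is $bits-bit and loaded in the agent"
}

# Constructed sample input, copied from the session in the mail above, so the
# script can be run without a card attached.
SAMPLE_CARD_STATUS='Key attributes ...: 4096R 4096R 4096R
Signature key ....: [none]
Encryption key....: [none]
Authentication key: D39E 61C2 8678 7B4B A1CD  84A2 4529 4317 8036 9970
      created ....: 2014-04-05 09:35:02
General key info..: pub  4096R/80369970 2014-04-05 Test 4k
sec   2048R/40AF7983  created: 2014-04-05  expires: 2014-04-12
ssb>  4096R/80369970  created: 2014-04-05  expires: 2014-04-12
                      card-no: 0005 0000106E'
SAMPLE_AGENT_LIST='4096 88:a5:ad:f8:a9:33:75:2f:08:7d:c0:ad:7e:97:cd:c3 cardno:00050000106E (RSA)
2048 bc:8d:69:cf:45:aa:ea:c3:df:8d:e4:f4:a4:9e:c6:08 /home/peter/.ssh/id_rsa (RSA)'

# With three arguments, check live captures:
#   gpg2 --card-status > card-status.txt; ssh-add -l > ssh-add-l.txt
#   sh check-card-key.sh 4096 card-status.txt ssh-add-l.txt
# Without arguments, run the check against the constructed sample.
if [ "$#" -eq 3 ]; then
    check_card_ssh_key "$1" "$2" "$3"
else
    tmpdir=${TMPDIR:-/tmp}/cardcheck.$$
    mkdir "$tmpdir"
    printf '%s\n' "$SAMPLE_CARD_STATUS" > "$tmpdir/card-status.txt"
    printf '%s\n' "$SAMPLE_AGENT_LIST"  > "$tmpdir/ssh-add-l.txt"
    check_card_ssh_key 4096 "$tmpdir/card-status.txt" "$tmpdir/ssh-add-l.txt"
    rm -r "$tmpdir"
fi
```

Running it with no arguments reports the sample as ok; an empty Authentication slot, a mismatched attribute (for instance 2048R after a failed 4096-bit generation) or a key that ssh-add does not list each produce a distinct message on stderr and a non-zero exit, which is what you want to catch before relying on the card for a remote login.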


