Problems with 4096 keys on 2.1 card

NIIBE Yutaka gniibe at
Tue Jan 26 02:06:19 CET 2016

On 01/26/2016 08:18 AM, Jorgen Ottosson wrote:
> Can't really confirm that here, generating seem not to work either.
> gpg --card-status

Please note that GnuPG 1.4 supports up to 3072-bit.  This is because
of internal library limitation.

I believe that "gpg" in Ubuntu is GnuPG 1.4.  It is "gpg2" when we
want to use GnuPG 2.0.

> gpg/card> generate
> Make off-card backup of encryption key? (Y/n) n

Besides, generating a key with off-card backup is actually done by two

  * generating a key on host PC
  * importing that key to card

If your choice is "Yes" for the question above, the key for encryption
is not generated on card, but generated on host PC.

> I have several readers but am testing here with SCR335.
> Any way to pin-point my issue in more detail? Is my reader known to not
> support 4096? Info on readers who will? I also have a scr3500 somewhere
> but think I'll have to install drivers for that one to work, the SCR335
> work with internal gpg drivers if I'm not mistaken whereas the 3500 don't
> work when attached as is.

Unfortunately, I don't have specific information (if card reader works
with RSA-4096 or not), either.  I maintain this list for internal

According to this list, SCR3500 works well with the internal driver of

In general, the list by PCSC-lite helps.

Looking the device info, both of SCR335 and SCR3500 work with TPDU
level exchange.  Thus, I believe that both works well for RSA-4096

> I also find it somewhat hard to get info on support for "Extended length"
> in several card reader's product-info pdfs I've looked at.

I think that it's "Extended APDU level exchange"?  There are two level
exchanges; one is TPDU level exchange (lower layer) and another is
APDU level exchange.  For longer APDU with original OpenPGPcard (i.e.,
in the communication of RSA-4096), the reader should support:

    TPDU level exchange


    Extended APDU level exchange with enough dwMaxCCIDMessageLength

If the reader only support short APDU level exchange, original
OpenPGPcard doesn't work well for longer APDU.

More information about the Gnupg-users mailing list