Problems with 4096 keys on 2.1 card

NIIBE Yutaka gniibe at fsij.org
Tue Jan 26 02:06:19 CET 2016


On 01/26/2016 08:18 AM, Jorgen Ottosson wrote:
> Can't really confirm that here, generating seems not to work either.
> 
> gpg --card-status

Please note that GnuPG 1.4 supports up to 3072-bit keys.  This is because
of an internal library limitation.

I believe that "gpg" in Ubuntu is GnuPG 1.4.  It is "gpg2" when we
want to use GnuPG 2.0.


> gpg/card> generate
> Make off-card backup of encryption key? (Y/n) n

Besides, generating a key with off-card backup is actually done in two
steps:

  * generating a key on host PC
  * importing that key to card

If your choice is "Yes" for the question above, the key for encryption
is not generated on card, but generated on host PC.

> I have several readers but am testing here with SCR335.
> 
> Any way to pin-point my issue in more detail? Is my reader known to not
> support 4096? Info on readers which will? I also have a scr3500 somewhere
> but think I'll have to install drivers for that one to work; the SCR335
> works with internal gpg drivers if I'm not mistaken, whereas the 3500 doesn't
> work when attached as is.

Unfortunately, I don't have specific information (whether a card reader
works with RSA-4096 or not), either.  I maintain this list for the
internal driver.

    https://wiki.debian.org/GnuPG/CCID_Driver

According to this list, SCR3500 works well with the internal driver of
GnuPG.

In general, the list by PCSC-lite helps.

    https://pcsclite.alioth.debian.org/ccid/supported.html

Looking at the device info, both the SCR335 and the SCR3500 work with TPDU
level exchange.  Thus, I believe that both work well for RSA-4096
keys.

> I also find it somewhat hard to get info on support for "Extended length"
> in several card reader's product-info pdfs I've looked at.

I think that it's "Extended APDU level exchange"?  There are two levels
of exchange; one is TPDU level exchange (lower layer) and the other is
APDU level exchange.  For longer APDUs with the original OpenPGPcard (i.e.,
in the communication of RSA-4096), the reader should support:

    TPDU level exchange

    or

    Extended APDU level exchange with enough dwMaxCCIDMessageLength

If the reader only supports short APDU level exchange, the original
OpenPGPcard doesn't work well for longer APDUs.
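The rule stated above (TPDU level exchange, or extended APDU level exchange with a large enough dwMaxCCIDMessageLength) can be checked directly against a reader's USB CCID class descriptor. The following is an added example, not code from the original post or from GnuPG's ccid driver. The 54-byte descriptor layout and the dwFeatures exchange-level bits are taken from the USB CCID class specification; the four reader descriptors are constructed samples, and MIN_EXTENDED_APDU_LENGTH is an assumed threshold, since the post does not quantify "enough".

```python
"""Decode a USB CCID class descriptor and decide whether the reader can carry
the long APDUs that RSA-4096 on an original OpenPGPcard needs.

Added example; the sample descriptors below are constructed, not captured
from real hardware, and the minimum buffer size is an assumption.
"""
import struct

# Exchange-level bits of dwFeatures (USB CCID spec, class descriptor).
# At most one of these is set; none set means character level exchange.
CCID_FEATURE_TPDU = 0x00010000           # TPDU level exchanges
CCID_FEATURE_SHORT_APDU = 0x00020000     # Short APDU level exchange
CCID_FEATURE_EXTENDED_APDU = 0x00040000  # Short and Extended APDU level exchange
EXCHANGE_LEVEL_MASK = (CCID_FEATURE_TPDU | CCID_FEATURE_SHORT_APDU
                       | CCID_FEATURE_EXTENDED_APDU)

# Assumed threshold: an extended-APDU reader must buffer at least this many
# bytes per CCID message to carry RSA-4096 traffic. Not a figure from the post.
MIN_EXTENDED_APDU_LENGTH = 1024

# Smart Card Device Class Descriptor: 54 bytes, all multi-byte fields little-endian.
_DESCRIPTOR = struct.Struct("<BBHBBIIIBIIBIIIIIBBHBB")
_FIELDS = (
    "bLength", "bDescriptorType", "bcdCCID", "bMaxSlotIndex", "bVoltageSupport",
    "dwProtocols", "dwDefaultClock", "dwMaximumClock", "bNumClockSupported",
    "dwDataRate", "dwMaxDataRate", "bNumDataRatesSupported", "dwMaxIFSD",
    "dwSynchProtocols", "dwMechanical", "dwFeatures", "dwMaxCCIDMessageLength",
    "bClassGetResponse", "bClassEnvelope", "wLcdLayout", "bPINSupport",
    "bMaxCCIDBusySlots",
)


def parse_ccid_descriptor(data: bytes) -> dict:
    """Return the descriptor fields by name; reject anything that is not a CCID class descriptor."""
    if len(data) < _DESCRIPTOR.size:
        raise ValueError("descriptor too short: %d bytes" % len(data))
    if data[0] != _DESCRIPTOR.size or data[1] != 0x21:
        raise ValueError("not a CCID class descriptor (bLength/bDescriptorType mismatch)")
    return dict(zip(_FIELDS, _DESCRIPTOR.unpack_from(data)))


def exchange_level(desc: dict) -> str:
    """Map the dwFeatures exchange-level bits to a readable name."""
    bits = desc["dwFeatures"] & EXCHANGE_LEVEL_MASK
    return {
        0: "character",
        CCID_FEATURE_TPDU: "tpdu",
        CCID_FEATURE_SHORT_APDU: "short-apdu",
        CCID_FEATURE_EXTENDED_APDU: "extended-apdu",
    }.get(bits, "invalid")


def supports_long_apdu(desc: dict, min_len: int = MIN_EXTENDED_APDU_LENGTH) -> bool:
    """The rule from the post: TPDU level, or extended APDU level with a big enough buffer."""
    level = exchange_level(desc)
    if level == "tpdu":
        # The host driver builds the T=1 blocks itself, so APDU length is not limited by the reader.
        return True
    if level == "extended-apdu":
        return desc["dwMaxCCIDMessageLength"] >= min_len
    # Short-APDU-only and character-level readers cannot carry a long APDU.
    return False


def make_descriptor(features: int, max_msg_len: int) -> bytes:
    """Build a constructed descriptor; fields other than dwFeatures and
    dwMaxCCIDMessageLength are plausible filler values."""
    return _DESCRIPTOR.pack(
        54, 0x21, 0x0110, 0, 0x07, 0x03, 3580, 3580, 0, 9600, 115200, 0,
        254, 0, 0, features, max_msg_len, 0xFF, 0xFF, 0, 0, 1)


# Constructed sample readers. 0x230 are common automatic-parameter bits;
# 271 = 261-byte short APDU + 10-byte CCID header, a typical short-APDU buffer.
SAMPLE_READERS = {
    "tpdu-reader": make_descriptor(0x00010230, 271),
    "extended-apdu-reader": make_descriptor(0x00040230, 3000),
    "extended-apdu-small-buffer": make_descriptor(0x00040230, 271),
    "short-apdu-only": make_descriptor(0x00020230, 271),
}


def classify_readers(readers=SAMPLE_READERS) -> dict:
    """Return {name: (exchange level, usable for RSA-4096 on OpenPGPcard)}."""
    result = {}
    for name, raw in readers.items():
        desc = parse_ccid_descriptor(raw)
        result[name] = (exchange_level(desc), supports_long_apdu(desc))
    return result


if __name__ == "__main__":
    for name, (level, ok) in classify_readers().items():
        print("%-28s %-14s long APDU ok: %s" % (name, level, ok))
```

To check a real reader, the raw bytes of its "ChipCard Interface Descriptor" (as shown by `lsusb -v` on the CCID interface) can be passed to `parse_ccid_descriptor`; readers that only report short APDU level exchange are the ones the post says will not work with longer APDUs.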