Primary and Signing Key on Different Smart Cards
Peter Lebbing
peter at digitalbrains.com
Mon Nov 21 12:04:51 CET 2016

On 20/11/16 22:48, Anton Marchukov wrote:
>> Which version, GnuPG 2.0 or 2.1? I think you can use 2.1 to reach the desired
>> outcome without difficulty, even if it might be a bit non-standard.
>
> I have 2.1.11

Ah! I don't have time right now, but once I do, I'll try to see to write
up some instructions...

> Ok. So I am using 2.1 and I have read the referenced threads and the
> both options assume that you either generate key of the card or
> maintain a copy of that. Anybody was able to do that with generating
> keys on the card always and not extracting them from the card as the
> copy either?

With 2.1, maybe it's possible. I'm curious to try it out. It might work.
It might not.

>> rather trust GnuPG's random number generator than the one on a cheap smartcard
>> (or any smartcard for that matter). So I would recommend to not use the on-card
>> key generation feature anyway.
>
> That's quite an interesting point that I have not thought about. Do
> you have any references to the papers that I can read on this subject?

No, but I remember Werner Koch saying he'd rather not use the on-card
RNG. I tried to find this, but the best I could find was his statement
that you don't want regular DSA on smartcard[1]. As I understand it,
that is because of the risk of a failing RNG. Signature generation in
DSA requires a good quality random number, otherwise it might be
possible to reconstruct the private key through signatures. In the time
since that post, GnuPG gained deterministic DSA, which no longer
requires randomness for signature generation.

> But same time I find it a
> kind of overkill over key generation on the card for my use cases.

That is of course your choice. However, people have done analysis of
large amounts of public keys on keyservers before. If someone discovers
a way to exploit a weakness in the OpenPGP Card on-card RNG, they might
be able to analyse massive amounts of public keys and put the results on
the internet for everyone to see. Just to show they can, and win the
internets. Even if you don't suspect adversaries who target you
specifically, you might be caught in a massive untargeted sweep. I'm
just thinking out loud here, it's just something that came to mind. It's
your decision, I'm just trying to help you make it an informed decision.
Maybe you think I'm being overly paranoid. I'd rather have you consider
it and then dismiss it than not think of it at all.

HTH,

Peter.

[1] https://lists.gnupg.org/pipermail/gnupg-users/2013-October/047841.html

--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>
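
The DSA point made in the message above (a failing RNG during signature generation exposes the private key, while a deterministic nonce removes the RNG from signing), as an added example that is not part of the original message and is not GnuPG's code. The toy group, the stuck nonce and the HMAC-based `derived_nonce` are constructed assumptions; the latter is a simplified stand-in for deterministic DSA, not the exact RFC 6979 procedure.

```python
import hashlib, hmac

# Constructed toy DSA group (illustration only, far too small for real use):
# q = 2**127 - 1 is prime; p = 2*j*q + 1 is found by search with a Fermat test.
Q = 2**127 - 1

def _probably_prime(n):
    return all(pow(a, n - 1, n) == 1 for a in (2, 3, 5, 7, 11, 13))

def make_group():
    j = 1
    while True:
        p = 2 * j * Q + 1
        g = pow(2, (p - 1) // Q, p)  # has order q when p is prime and g != 1
        if _probably_prime(p) and g != 1:
            return p, g
        j += 1

P, G = make_group()

def digest(msg):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % Q

def sign(x, msg, k):
    """Textbook DSA signature (r, s) with private key x and per-signature nonce k."""
    r = pow(G, k, P) % Q
    s = pow(k, -1, Q) * (digest(msg) + x * r) % Q
    return r, s

def verify(y, msg, sig):
    r, s = sig
    w = pow(s, -1, Q)
    v = pow(G, digest(msg) * w % Q, P) * pow(y, r * w % Q, P) % P % Q
    return v == r

def shares_nonce(sig1, sig2):
    # Detection check: equal r on two signatures by one key means k was reused.
    return sig1[0] == sig2[0]

def recover_key(m1, sig1, m2, sig2):
    """What a reused k costs: solve the two signing equations for k, then x."""
    (r, s1), (_, s2) = sig1, sig2
    k = (digest(m1) - digest(m2)) * pow((s1 - s2) % Q, -1, Q) % Q
    return (s1 * k - digest(m1)) * pow(r, -1, Q) % Q

def derived_nonce(x, msg):
    # Assumed simplification: k depends only on key and message, no RNG involved.
    mac = hmac.new(x.to_bytes(16, "big"), msg, hashlib.sha256).digest()
    return int.from_bytes(mac, "big") % (Q - 1) + 1
```

Both signatures made with the stuck nonce verify correctly, which is why the fault goes unnoticed by the signer; only comparing `r` across signatures reveals it.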