Long Term Key Management With Hardware Tokens

Valtteri Vuorikoski vuori at notcom.org
Sat Jun 26 14:24:14 CEST 2021


Brandon Anderson via Gnupg-users <gnupg-users at gnupg.org> writes:

> Thanks for posting about the PivApplet project. I was looking for
> something like that for either the basic cards or java cards as I
> wanted to tinker around with them. Do you have a specific Java card
> model you are using?

You'll want something that implements at least JavaCard 3.0.4, since
that's the first version with useful EC operations. This came out in
2011 but because smartcards move at a glacial pace there are still a
lot of 2.x cards on the market.

The NXP J3H145 appears to be a popular and widely available
dual-interface card. There is some discussion regarding cards on the
SmartPGP applet issue tracker:
https://github.com/ANSSI-FR/SmartPGP/issues/17 .

I haven't tried other Javacards besides the J3H145. They work well,
though a caveat is that they are quite slow compared to, for example, a
Yubikey 5: operations take approximately twice as long. The J2H145
should be pretty much identical but lacks the contactless interface and
is a bit cheaper. The newer J3R180 is supposedly quite a bit faster.

Unless you're buying large quantities and are prepared to deal with
weighty NDAs, make sure that the seller performs card
initialization/pre-personalization. GlobalPlatform tools won't be able
to access the card before this step. Most stores that sell single cards
will do this by default, but eBay/Aliexpress sellers might not.

 -Valtteri
 


