
Re: [LUG] Adding GPG keys to a smart card


On Sat, Mar 24, 2007 at 02:34:12PM +0000, Neil Williams wrote:
> On Sat, 24 Mar 2007 14:02:26 +0000
> Henry Bremridge <henry.bremridge@xxxxxxxxx> wrote:
> 
> Which smart card reader did you get, where and how much?
> 
I have a SCR 335. Cost was about £30 from what I recall.

I have another smart card reader (from HSBC) but that did not work when
I just plugged it in. Apparently it was not recognised. Not sure why, will
look later.

> I'd rather not have a third GnuPG key, I want to be sure I can use my
> main key before using something like this.
> 
Here is where I get a little fuzzy. From somewhat bitter experience, I
believe that your GPG key comprises
-   A master key
-   A subkey for encryption
-   A subkey for decryption
-   A subkey for signing

It is these subkeys that are changed, not the master. Hence for example
my master key is 854f 8d8d but this email is not signed with that key.
However, presumably it shows as confirmed from me...

I would stress that before you start with this, back up your entire .gnupg/
directory with all the keys. Then if (or, with me, when) something goes
pear-shaped, recovery is easy and you do not lose your existing keys.

> Would this kind of thing work with OpenID too?
> 
If the OpenID algorithm fitted on the key. I believe that there is
space for one more key, either SSH or ..

> Presumably there is still a passphrase involved - some of the readers
> appear to show simple pin entry pads, I'd be happier if this was more
> than a 4 digit pin.
> 
Two passphrases:
-   A 6 digit user id. If entered wrongly three times then the key is
    blocked and has to be unblocked with the administrative key.
-   An 8 digit admin key. If entered wrongly three times... goodbye card.

> Do you mean a new signature on the key or a new key entirely? My Debian
> key isn't one I would change lightly.

See above
> 
> > -   Your decryption key will have changed: therefore if you receive an
> >     email to your previous key then you will add back your old key
> 
> I'd prefer to keep the old one and migrate that to a card.

From what I understand, if you lose the card or it goes ker-phutt then
you have lost the key. If you just add a new sub-key to the card then
additional subkeys can always be re-generated.

This, to be honest, is where I think I fell down the first time. I read in
the bumf that the card only takes a 1028 bit key, while my default key
was 2056...

So I tried to create a new 1028bit key.... don't.

> My problem with cards like this is:
> 
> I'm upstairs, working away on the desktop. SSH, GnuPG, etc. I complete
> that task and fancy a break. Downstairs, I remember something I have to
> do and grab the laptop. That's fine if SSH depends on a passphrase in
> my memory but it's a PITA if I have to go upstairs to get the card from
> the other machine - I'd end up almost never using the laptop. (And
> removing the card every time I leave the office upstairs is just as
> much of a pain when it's only me in the house.) Without buying a second
> card reader, I'd also have to faff around unplugging the reader before
> going downstairs. Yeah, right....
> 
The reader is a USB dongle. Mind you, there is nothing to say you could not
run the same sort of scheme with a USB memory stick:

-   Create sub-keys on that
-   Move it from one machine to another as required

Advantages:
-   No problem with SSH keys / OpenID etc etc
-   Cost (especially the readers)

Disadvantages:
-   The smart card is basically protected if lost: 6 false log-ins and
    the card is useless. With the USB key approach, lose that and you
    are dead - unless you have appropriate keys

To be honest this is what I like with the smart card approach:
entering a 6 digit number to send an email is easy. Entering a
password was a PITA.


--
Henry
Sat Mar 24 18:01:39 GMT 2007
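The "back up your entire .gnupg/ directory first" advice above is the one step that makes a botched card transfer recoverable, so here is a small added example of doing it safely. This is not code from the list post or from GnuPG; it assumes only POSIX sh, tar and gzip, and the optional `show_subkeys` helper assumes GnuPG 2.1 or later (for `--with-subkey-fingerprint` and `--with-keygrip`). Paths such as the backup destination are the caller's choice.

```shell
#!/bin/sh
# Added example (not from the mailing list post): snapshot the GnuPG home
# directory before touching subkeys or a smart card, so that a failed
# transfer or a "goes pear-shaped" moment can be undone by restoring it.
set -eu

# backup_gnupg DIR DEST -> prints the path of the archive it created.
# DIR is the GnuPG home (normally ~/.gnupg); DEST is the directory the
# timestamped tarball is written into. The archive holds the secret keyring,
# so it is created under umask 077 and is never world-readable.
backup_gnupg() {
    dir=$1
    dest=$2
    [ -d "$dir" ] || { echo "backup_gnupg: $dir is not a directory" >&2; return 1; }
    mkdir -p "$dest"
    stamp=$(date -u +%Y%m%dT%H%M%SZ)
    archive="$dest/gnupg-backup-$stamp.tar.gz"
    # Archive relative to the parent so the tarball restores as ".gnupg/..."
    ( umask 077; tar -C "$(dirname "$dir")" -czf "$archive" "$(basename "$dir")" )
    echo "$archive"
}

# verify_backup ARCHIVE NAME -> 0 if NAME is listed inside the archive.
# Run this before generating or moving any key: an unreadable backup is
# no backup at all.
verify_backup() {
    tar -tzf "$1" | grep -q -- "$2"
}

# show_subkeys DIR: list the master key and its subkeys with fingerprints and
# keygrips, so you can record which subkey (E, S or A) you are about to move
# to the card and confirm afterwards that the master key is untouched.
# Assumes GnuPG 2.1+; returns 2 if gpg is not installed.
show_subkeys() {
    command -v gpg >/dev/null 2>&1 || { echo "gpg not installed" >&2; return 2; }
    gpg --homedir "$1" --list-secret-keys --with-subkey-fingerprint --with-keygrip
}

# Typical use (assumed paths):
#   archive=$(backup_gnupg "$HOME/.gnupg" "$HOME/gnupg-backups")
#   verify_backup "$archive" ".gnupg/" && show_subkeys "$HOME/.gnupg"
```

Restoring is the reverse: extract the tarball into `$HOME` and the old keyrings, including the subkeys that the card transfer removed, come back exactly as they were.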


-- 
The Mailing List for the Devon & Cornwall LUG
http://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/linux_adm/list-faq.html