Old revision: Size: 869 | Comment:
New revision: Size: 2505 | Comment: fix link to Yubi key blog entry
Line 3: | Line 3: |
Smartcard Tips and Information | Smartcard Hints and Information |
Line 5: | Line 5: |
* [[https://blog.josefsson.org/2014/06/23/offline-gnupg-master-key-and-subkeys-on-yubikey-neo-smartcard/|Generating and loading subkeys from an offline computer]] (specifically, for the YubiKey NEO, but recipe can be easily adapted for any smartcard) | |
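Review bot: the commit comment promises to fix the link to the Yubikey blog entry, but the Line 5 hunk deletes the whole `[[https://blog.josefsson.org/2014/06/23/offline-gnupg-master-key-and-subkeys-on-yubikey-neo-smartcard/|Generating and loading subkeys from an offline computer]]` item with nothing on the right-hand side. The rendered page further down still lists that item, so the link was presumably re-added elsewhere; the diff as shown does not make that visible, and the comment should say whether the URL itself changed.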
Line 7: | Line 8: |
* https://wiki.debian.org/GnuPG/CCID_Driver * http://www.g10code.com/p-card.html * http://www.gnupg.org/howtos/card-howto/en/smartcard-howto.html |
* [[https://wiki.debian.org/GnuPG/CCID_Driver|List of smartcard readers and tokens supported by the GnuPG's in-stock CCID driver.]] * [[http://www.g10code.com/p-card.html|OpenPGP Card]] * [[http://www.gnupg.org/howtos/card-howto/en/smartcard-howto.html|How to use the Fellowship Smartcard]] * [[OpenPGPcardECC]] |
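Review bot: at Line 7 the CCID link title reads "supported by the GnuPG's in-stock CCID driver"; drop the article ("supported by GnuPG's in-stock CCID driver"). The new `[[OpenPGPcardECC]]` item is the only entry in the list without a descriptive title, so a `[[OpenPGPcardECC|...]]` title in the same style as its three neighbours would keep the list consistent.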
Line 11: | Line 13: |
== Smartcards? | |
Line 12: | Line 15: |
Possible enhancement to OpenPGP card specification 2.0.1 | GnuPG supports the use of hardware [[https://en.wikipedia.org/wiki/Security_token|security tokens]] that come as smartcards (or USB devices that support this mode). The tokens are minicomputers that can hold the secret key material and perform crypto operations. Because you need to connect the physical "token" to your machine, the secret key material is well protected against attacks that try to steal it. |
Line 14: | Line 22: |
* p22: 4.3.3.6 Algorithm Attributes ** ECDSA: |
Smartcards have to be compatible with GnuPG. Cards exist to either run ~OpenPGP or x509/CMS operations. |
Line 17: | Line 25: |
|= Byte|= Length |= Value | | 01 | 01 | Algorithm ID (RFC6637), 19 = ECDSA | | 02-| any | OID of the curve, 2A 86 48 CE 3D 03 01 07 for NIST P-256 | |
In order to try this, see the howto links above, you may need to acquire a smartcard and a reader or an integrated combination of both. |
Line 21: | Line 28: |
** P23: 4.3.3.7 Private Key Template | == Use an existing Card |
Line 23: | Line 30: |
|4D|xx| Extended Header list | | | | B6 or B8 or A4 | 00 | Control Reference Template to indicate the private key | | | | 7F48 | xx | cardholder private key template | | | | | | 91 | xx | Length of private key (scaler) d | | | | 5F48 | xx | keydata... | |
Before you can use your existing card, your should import the public key associated with the private key on the card. == Known problems with Yubikey 4 == Windows and Linux-with-pcscd * After a suspend/resume cycle the Yubikey requires a reset of the device. This is [[https://dev.gnupg.org/T3825|done automatically since GnuPG 2.2.6]], so that the device does not need to be removed and plugged back in. Unfortunately, this reconnect does not happen until the error is triggered, so first a failing operation is required. Linux without pcscd * When the Yubikey has been used before suspending, after a suspend/resume cycle scdaemon gets into a state where it can no longer successfully communicate with the card. RESETting scdaemon is not sufficient, but a 'gpgconf --kill scdaemon' does resolve the issue. == Known Bug(s) of OpenPGPcard == * Encrypted message with 3DES can't be decrypted with [[http://www.g10code.com/p-card.html|OpenPGP Card]] (V2.1, V3.3 without fix) ** Due to the bug, it results: Missing item in object <SCD> ** See: https://dev.gnupg.org/T3576 |
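Review bot: the Line 12 to Line 23 hunks delete the "Possible enhancement to OpenPGP card specification 2.0.1" proposal (the 4.3.3.6 Algorithm Attributes table giving algorithm ID 19 for ECDSA and the NIST P-256 curve OID 2A 86 48 CE 3D 03 01 07, and the 4.3.3.7 Private Key Template) without that text reappearing anywhere in the diff; since Line 7 adds a link to [[OpenPGPcardECC]], the commit comment should state that the proposal moved to that page, otherwise the content is lost. The text added at Line 23 also has a typo: "your should import the public key" should read "you should import the public key". Finally, the "Known problems with Yubikey 4" and "Known Bug(s) of OpenPGPcard" sections appear on the right-hand side only, i.e. they are new content that the comment "fix link to Yubi key blog entry" does not mention.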
Smartcard Hints and Information
- Generating and loading subkeys from an offline computer (specifically, for the YubiKey NEO, but recipe can be easily adapted for any smartcard)
- CardReader/PinpadInput
- CardReader/GemaltoPC
- List of smartcard readers and tokens supported by GnuPG's in-stock CCID driver.
- OpenPGP Card
- How to use the Fellowship Smartcard
- OpenPGPcardECC
Smartcards?
GnuPG supports the use of hardware security tokens that come as smartcards (or USB devices that support this mode). The tokens are minicomputers that can hold the secret key material and perform crypto operations. Because you need to connect the physical "token" to your machine, the secret key material is well protected against attacks that try to steal it.
Smartcards have to be compatible with GnuPG. Cards exist to either run OpenPGP or x509/CMS operations.
To try this, see the howto links above; you may need to acquire a smartcard and a reader, or an integrated combination of both.
Use an existing Card
Before you can use your existing card, you should import the public key associated with the private key on the card.
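The check behind that sentence, as an added example that is not part of the GnuPG wiki page: the card only holds private keys, so gpg needs the matching public keys in the local keyring before `gpg --card-status` can create the key stubs that point at the card. The script reads the card's key fingerprints, compares them with the keyring and prints the ones still to be imported. It assumes the `--with-colons` record layout described in the comments (the `fpr` record of `gpg --card-status` and of `gpg --list-keys`); the sample outputs are constructed and the fingerprints are dummy values.

```shell
#!/bin/sh
# Added example, not from the GnuPG wiki: decide whether the public keys
# belonging to the private keys on an OpenPGP card are already in the local
# keyring. Without them gpg cannot build the stubs that reference the card.

# Constructed sample of `gpg --card-status --with-colons` output (assumed
# layout: the "fpr" record carries the signature, encryption and
# authentication fingerprints in fields 2-4). The fingerprints are dummies.
SAMPLE_CARD_STATUS='reader:Yubico YubiKey CCID 00 00:
version:0201:
vendor:0006:Yubico:
serial:01234567:
fpr:0123456789ABCDEF0123456789ABCDEF01234567:89ABCDEF0123456789ABCDEF0123456789ABCDEF:FEDCBA9876543210FEDCBA9876543210FEDCBA98:
fprtime:1514764800:1514764800:1514764800:'

# Constructed sample of `gpg --list-keys --with-colons` output (assumed
# layout: "fpr" records carry the fingerprint in field 10). Only the
# signature key is present, so the other two slots count as missing.
SAMPLE_KEYRING='pub:u:2048:1:0123456789ABCDEF:1514764800::u:::scESC::::::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:u::::1514764800::0000000000000000000000000000000000000000::Example User <user@example.org>::::::::::0:'

# card_fprs: read card-status (--with-colons) output on stdin and print the
# fingerprint of each populated key slot, one per line.
card_fprs() {
    awk -F: '$1 == "fpr" { for (i = 2; i <= 4; i++) if ($i != "") print $i }'
}

# missing_from_keyring FPR...: read a keyring listing (--with-colons) on stdin
# and print every argument fingerprint that has no matching fpr record.
missing_from_keyring() {
    have=$(awk -F: '$1 == "fpr" { print $10 }')
    for fpr in "$@"; do
        case "$have" in
            *"$fpr"*) ;;                 # public key already imported
            *) printf '%s\n' "$fpr" ;;   # needs import before the card is usable
        esac
    done
}

# check_live_card: the same logic against the real card and keyring. It prints
# the fingerprints still to be imported; fetch each with `gpg --recv-keys FPR`
# or `gpg --import pubkey.asc`, then run `gpg --card-status` once more so that
# gpg creates the private-key stubs that reference the card.
check_live_card() {
    fprs=$(gpg --card-status --with-colons | card_fprs) || return 1
    gpg --list-keys --with-colons | missing_from_keyring $fprs
}

# Offline demonstration on the constructed samples (word splitting of $fprs
# into one argument per fingerprint is intended).
demo_missing() {
    fprs=$(printf '%s\n' "$SAMPLE_CARD_STATUS" | card_fprs)
    printf '%s\n' "$SAMPLE_KEYRING" | missing_from_keyring $fprs
}

demo_missing
```

Run it as-is to see the two dummy fingerprints that the sample keyring lacks; on a machine with a card attached, call `check_live_card` instead. An empty result means every key slot on the card already has its public key in the keyring.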
Known problems with Yubikey 4
Windows and Linux-with-pcscd
- After a suspend/resume cycle the Yubikey requires a reset of the device. This is done automatically since GnuPG 2.2.6, so that the device does not need to be removed and plugged back in. Unfortunately, this reconnect does not happen until the error is triggered, so first a failing operation is required.
Linux without pcscd
- When the Yubikey has been used before suspending, after a suspend/resume cycle scdaemon gets into a state where it can no longer successfully communicate with the card. RESETting scdaemon is not sufficient, but a 'gpgconf --kill scdaemon' does resolve the issue.
Known Bug(s) of OpenPGPcard
- Messages encrypted with 3DES can't be decrypted with the OpenPGP Card (V2.1, V3.3 without fix)
  - Due to the bug, the operation fails with: Missing item in object <SCD>
  - See: https://dev.gnupg.org/T3576