GnuPG on smart cards. What does it look like ...

    Almost everyone knows what GPG is. Many use it. Some even know that secret keys can be stored on external media such as smart cards. I want to describe what this looks like in practice.

    A couple of days ago, a pair of "OpenPGP SmartCard v2" cards arrived. I ordered them from the official distributor, shop.kernelconcepts.de/index.php?language=en . At the moment one card costs 17.14 euros. The two cards were sent as something like a registered letter, and shipping cost me 5 euros, which is very reasonable. I was also pleased that the cards passed through customs without any problems. I'm not sure this would be the case for a large order, but for personal use I think you can order quite safely.

    And now I have them ...

    Each card comes in a separate bag with a memo about the default PIN codes and the limit of three attempts to enter them.

    Earlier, to study various smart cards, I had bought an SCR331 card reader. It reads OpenPGP cards as well as any others.

    The first thing to do (on Ubuntu 10.04 LTS) is to start the pcscd service. Then insert the card and run the pcsc_scan command. If everything is fine, the card's technical data is printed to the console.

    Next, let's look at the card through gpg (this card already has keys on it):

    $ gpg --card-status
    gpg: detected reader `SCM SCR 331 (21121046203464) 00 00 '
    Application ID ...: D2760001240102000005000010C00000
    Version ..........: 2.0
    Manufacturer .....: ZeitControl
    Serial number ....: 000010C0
    Name of cardholder: [not set]
    Language prefs ...: de
    Sex ..............: [not found]
    URL of public key: [not set]
    Login data .......: [not installed]
    Private DO 1 .....: [not installed]
    Private DO 2 .....: [not installed]
    Signature PIN ....: forced
    Key attributes ...: 2048R 1024R 2048R
    Max PIN lengths.: 32 32 32
    PIN retry counter: 3 0 3
    Signature counter: 6
    Signature key ....: 4F3B 52C3 23FF 3931 6774 E694 3D10 7955 72D5 82DB
          created ....: 2011-10-18 11:52:30
    Encryption key ....: 82CB 2DB7 7DDD 6E56 5CB6 21B9 598A 49D6 B3F3 F028
          created ....: 2011-10-18 11:52:30
    Authentication key: F159 6F7E D472 5CD0 7161 F00E 554E 78F8 CABD 115C
          created ....: 2011-10-18 11:52:30
    General key info ..: pub 2048R / 72D582DB 2011-10-18 John Smith 
    sec> 2048R / 72D582DB created: 2011-10-18 expires before: never     
                          card number: 0005 000010C0
    ssb> 2048R / CABD115C created: 2011-10-18 expires on: never     
                          card number: 0005 000010C0
    ssb> 1024R / B3F3F028 created: 2011-10-18 expires on: never     
                          card number: 0005 000010C0
    With the “gpg --card-edit” command you can change the personal data: cardholder's name, preferred language, sex and so on. A very interesting field is “URL of public key”, but more on that later.

    With “gpg --card-edit” you can also generate keys directly on the card. In this procedure the public key and a secret-key stub are inserted into the GPG keyring on the file system; the stub stands in for the secret key itself and indicates that the key actually lives on the smart card.

    What next? I was personally interested in two questions:
    1. Can I put a backup copy of my regular key on the card, to use it if the usual one is lost?
    2. Is the key on the smart card self-sufficient, so that it can be used, for example, to work from someone else's computer?


    Backup existing key


    Based on my experiments, I believe the optimal procedure for creating a backup of your key on the card is as follows:
    1. Make a backup of the secret key on disk with “gpg --export-secret-key <key id>”;
    2. Open the key with “gpg --edit-key <key id>”;
    3. Switch to the secret-key part with the “toggle” command;
    4. Move the signing key with the “keytocard” command. In the dialog that follows, select the “Signature key” line;
    5. Select the next key, the one used for encryption, with the command “key 1”;
    6. Move it to the card with the “keytocard” command. This time gpg should offer a single option, “Encryption key”. Select it and wait for the transfer to finish;
    7. Exit with the “save” command;
    8. Delete the secret key with “gpg --delete-secret-key <key id>”;
    9. Restore the secret key from the backup with “gpg --import <file name>”.

    After that, your card contains backup copies of your private keys, and your keyring again holds the full secret key rather than the stubs that “keytocard” and “save” left behind.

    Key Self-Sufficiency on Smart Card


    During my experiments it turned out that, for GPG to “load” the description of the secret keys from the smart card into its keyring, the public key associated with the keys on the card (the normal public key of the pair) must already be present.

    Then, to “synchronize” the keyring with the card, it is enough to run “gpg --card-status”. After it runs, secret-key stubs are created in the GPG keyring and the key can be used fully.
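    To show what the “gpg --card-status” output quoted above actually encodes, and what the stubs it creates point at, here is an added Python parser (my example, not code from the original post or from GnuPG). It splits the Application ID into the fixed fields defined by the OpenPGP card specification, reads the three PIN retry counters, maps each key slot to its short key id, and checks that every sec>/ssb> stub in the keyring names the inserted card; the sample text is the output from above, cut down to the lines the parser reads.

```python
import re

# Constructed sample: the `gpg --card-status` output quoted earlier on this page,
# cut down to the lines this parser reads.
SAMPLE = """\
Application ID ...: D2760001240102000005000010C00000
PIN retry counter: 3 0 3
Signature key ....: 4F3B 52C3 23FF 3931 6774 E694 3D10 7955 72D5 82DB
Encryption key ....: 82CB 2DB7 7DDD 6E56 5CB6 21B9 598A 49D6 B3F3 F028
Authentication key: F159 6F7E D472 5CD0 7161 F00E 554E 78F8 CABD 115C
sec> 2048R / 72D582DB created: 2011-10-18 expires: never
                      card number: 0005 000010C0
ssb> 2048R / CABD115C created: 2011-10-18 expires: never
                      card number: 0005 000010C0
ssb> 1024R / B3F3F028 created: 2011-10-18 expires: never
                      card number: 0005 000010C0
"""

def parse_aid(aid):
    """Split the 16-byte OpenPGP card Application ID into its fixed fields:
    RID+application (6 bytes), version (2), manufacturer (2), serial (4), RFU (2)."""
    if len(aid) != 32 or not aid.startswith("D27600012401"):
        raise ValueError("not an OpenPGP card application ID: %r" % aid)
    return {"version": "%d.%d" % (int(aid[12:14], 16), int(aid[14:16], 16)),
            "manufacturer": aid[16:20], "serial": aid[20:28]}

def parse_card_status(text):
    """Pull the card identity, PIN retry counters, on-card key fingerprints and
    the 'card number' each keyring stub points at out of card-status output."""
    info = parse_aid(re.search(r"^Application ID\s*\.*:\s*([0-9A-F]{32})", text, re.M).group(1))
    pin, rc, admin = re.search(r"^PIN retry counter\s*\.*:\s*(\d+) (\d+) (\d+)", text, re.M).groups()
    # Order on the v2 card: user PIN, Reset Code (0 = no Reset Code set), Admin PIN.
    info["retries"] = {"pin": int(pin), "reset_code": int(rc), "admin": int(admin)}
    info["keys"] = {m.group(1).lower(): m.group(2).replace(" ", "") for m in re.finditer(
        r"^(Signature|Encryption|Authentication) key\s*\.*:\s*([0-9A-F ]+)$", text, re.M)}
    info["stub_cards"] = re.findall(r"card number:\s*([0-9A-F]{4}) ([0-9A-F]{8})", text)
    return info

def key_ids(info):
    """Short key ids (last 8 hex digits of the fingerprint) of the three card slots,
    so each sec>/ssb> stub can be matched to the slot that actually holds it."""
    return {slot: fpr[-8:] for slot, fpr in info["keys"].items()}

def stubs_match_card(info):
    """True when every secret-key stub in the keyring names the inserted card
    (manufacturer + serial from the AID); False means gpg will ask for another card."""
    card = (info["manufacturer"], info["serial"])
    return bool(info["stub_cards"]) and all(c == card for c in info["stub_cards"])
```

    Note that the keyring's ssb> 2048R / CABD115C is the authentication key and the ssb> 1024R / B3F3F028 is the encryption key, which the fingerprints above make visible but the stub lines alone do not.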

    So that you do not have to carry your public key around with you, you can publish it on the Internet (as a file accessible over http, or on one of the key servers) and record its location in the card's “URL of public key” field. I tested this by putting in it the URL of the hkp server that holds my public key.

    If the card's “URL of public key” field is filled in correctly, preparing the card for work in a new place (given Internet access, of course) comes down to two commands:
    1. gpg --card-edit, followed by the fetch command in the gpg shell;
    2. gpg --card-status

    After that, your full key is on the system and you can work with it.

    Usage


    Using GPG with a smart card is almost no different from normal use, except that instead of a passphrase you enter the card's PIN code. If the card is not in the reader, operations with the key in console mode print a message asking you to insert the card.

    Unfortunately, it turned out that my version of the GPA shell (0.9.0) cannot work correctly with keys on a smart card. For some reason it does not wait for the card's PIN to be entered, but immediately reports that the operation could not be completed, even though a PIN request window is hanging somewhere in the background. Perhaps other front-ends do better. In any case, I'm glad that at least everything works fine from the console.

    In general, storing secret keys on a smart card is of course much safer than keeping them in the keyring on a computer or on a flash drive, and much more convenient when travelling and needing to work with GPG from unfamiliar computers.
