In general, smartcards work more or less like this:

Normally when you sign a block of data, you first calculate a checksum (e.g. SHA) of the data you wish to sign, then you use the private key to encrypt that checksum. You then send the original data along with the signature (which is nothing but the encrypted checksum) to the receiver, who calculates his own checksum on the data, and then decrypts the signature (encrypted checksum) with the public key, and if the decrypted and calculated checksums match, then the signature is ok.

With a *secure* smartcard, you will never be able to extract the private key. It is generated within the card, and you will only be able to extract the public key. However, you can still sign data, but you need to generate the checksum of the data you wish to sign yourself, then you pass that checksum to the card, and ask it to encrypt it with its private key. You then get the encrypted checksum back and use that as the signature.

This way, the smartcard is not used as just a storage device. Since the private key never leaves the hardware, it can be considered more secure than the various keystores used by the applet at the moment.

/Kim

porsia wrote:
Thanks!!!

I am testing the OpenSignX that they talk about in that thread, and reading the source code I think it's not possible to sign from a smartcard, but as they say it IS in their web page I joined this list and asked here... If I understand you can do it only if first you extract the private key from the card and install it in the CAPI, if that is possible?

2007/6/18, r <[EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>>:

    I recommend to read this thread:

    PKCS11, SmartCard on Linux platform
    http://www.openoces.org/pipermail/user/2007-May/000386.html

    Best regards!

    -r


------------------------------------------------------------------------

_______________________________________________
Developer mailing list
[email protected]
https://www.openoces.org/mailman/listinfo/developer
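
The flow described in the message above (the host hashes the data, the card performs the private-key operation on the digest, the receiver checks with the public key), as an added example that is not part of the original thread or of OpenSign. `SimulatedCard`, `sign` and `verify` are hypothetical names; a software object stands in for the card, its key is a constructed and insecure demo key, and the digest is wrapped in PKCS#1 v1.5 padding, which is an assumption since the message only says the checksum is encrypted.

```python
import hashlib

# ASN.1 DigestInfo prefix for SHA-256 (RFC 8017, section 9.2)
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")

def encode_digest(digest: bytes, k: int) -> int:
    """EMSA-PKCS1-v1_5 block 00 01 FF..FF 00 || DigestInfo, as an integer."""
    t = SHA256_PREFIX + digest
    return int.from_bytes(b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t, "big")

class SimulatedCard:
    """Stand-in for a smartcard: no method ever returns the private exponent."""
    def __init__(self):
        # Constructed demo key from two publicly known Mersenne primes: NOT secure.
        p, q = 2**521 - 1, 2**607 - 1
        self._n, self._e = p * q, 65537
        self.__d = pow(self._e, -1, (p - 1) * (q - 1))

    def public_key(self):
        return self._n, self._e

    def sign_digest(self, digest: bytes) -> bytes:
        if len(digest) != 32:
            raise ValueError("card expects a SHA-256 digest")
        k = (self._n.bit_length() + 7) // 8
        return pow(encode_digest(digest, k), self.__d, self._n).to_bytes(k, "big")

def sign(card, data: bytes) -> bytes:
    # Host side: hash locally and send only the 32-byte digest to the card.
    return card.sign_digest(hashlib.sha256(data).digest())

def verify(public_key, data: bytes, signature: bytes) -> bool:
    # Receiver side: recompute the digest, rebuild the padded block and
    # compare it with what the public key recovers from the signature.
    n, e = public_key
    k = (n.bit_length() + 7) // 8
    if len(signature) != k or int.from_bytes(signature, "big") >= n:
        return False
    recovered = pow(int.from_bytes(signature, "big"), e, n)
    return recovered == encode_digest(hashlib.sha256(data).digest(), k)

if __name__ == "__main__":
    card = SimulatedCard()
    sig = sign(card, b"constructed sample document")
    print(verify(card.public_key(), b"constructed sample document", sig))
    print(verify(card.public_key(), b"constructed sample documenT", sig))
```

With a real token the `sign_digest` call would go through the card's driver (for example a PKCS#11 module) instead of a Python object, while the host-side hashing and the receiver-side check stay the same.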
