I'm not the local expert on this, but there are SCs with built-in crypto accelerators. They are designed for the use I described: * Generate an RSA key pair on board, * export the public key, * re-import the certificate, * wrap/unwrap a data block (typically a session key or hash for signing) using the onboard key pair without ever exporting the secret half of the key pair.
While they typically only use a PIN or passphrase for protection, they usually will commit electronic seppuku if too many (typically 3) bad PINs or passphrases are entered. With these, you can let your CA admin run the SW to create the keys and sign the public key, and still have reasonable assurance that he has not snagged a copy of the private key. Peter Trei > ---------- > From: Bill Frantz[SMTP:[EMAIL PROTECTED]] > Sent: Monday, February 04, 2002 3:41 PM > To: Bill Stewart; [EMAIL PROTECTED] > Subject: RE: Welome to the Internet, here's your private key > > At 10:20 AM -0800 2/4/02, Bill Stewart wrote: > >There are special cases where the user's machine doesn't have > >the CPU horsepower to generate a key - PCs are fine, > >but perhaps Palm Pilots and similar handhelds are too slow > >(though a typical slow 33MHz 68000 or Dragonball is faster > >than the 8086/80286 MSDOS machines that PGP originally ran on.) > >Cash machines may be too slow, but they normally run symmetric crypto. > >A smartcard-only system probably _is_ too limited to generate keys, > >but that's the only realistic case I see. > > It may depend on the public key system you are using. Where you have to > search for numbers which have certain mathematical properties (like with > RSA), then you can indeed use a bunch of CPU. For systems like DSA, where > the private key is in essence a random number, there is not searching, and > key generation is a lot faster. > > Cheers - Bill > > > ------------------------------------------------------------------------- > Bill Frantz | The principal effect of| Periwinkle -- Consulting > (408)356-8506 | DMCA/SDMI is to prevent| 16345 Englewood Ave. > [EMAIL PROTECTED] | fair use. | Los Gatos, CA 95032, USA > > > > --------------------------------------------------------------------- > The Cryptography Mailing List > Unsubscribe by sending "unsubscribe cryptography" to > [EMAIL PROTECTED] > --------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]