Hi Marc:

> From the FAQ at http://www.opensc-project.org/faq.html
>
> "Can I store my ssh private key on a smart card?
>
> "Most people prefer to use a smart card with a key that was generated on
> the card and cannot ever leave it. In fact everyone seems to do that. So
> while it might be technically possible to convert a private key in ssh
> format into pem format and then store it on a smart card, until now no
> one wrote such a code, so you can't. If you really need it, please ask
> on the mailing list...."
> ------------------------------------------------------------
>
> Is this to say the card cannot accept any externally generated private
> keys?

No, it just says that a private key generated by OpenSSH (or PuTTY) cannot be stored on a smartcard with OpenSC, since OpenSC can only store keys on smartcards that were saved in PEM or DER format. There are two possibilities:

1) Create a private key with OpenSSL. This key will be in PEM format and OpenSC will be able to store it on a smartcard. OpenSC will also be able to read the public key from your smartcard and store it in either PEM, DER or SSH format.

2) Create a private key with OpenSSH (or PuTTY). Convert this key into PEM or DER format and store it on your smartcard with OpenSC. Most likely you must write the conversion program yourself.

> I would be uncomfortable letting any closed-source application, such as
> firmware on a card, generate a key for me. Even more so, as I read that
> many cards have no hardware random number generator and in essence
> generate keys from their serial numbers. This feels like walking
> directly into a trap.

If you don't trust the key-generation mechanism within your smartcard, you should not use smartcards at all. If there were smartcards out there that generate keys based on their serial number, then those smartcards would also have undocumented commands by which the NSA can read your private key out of your smartcard. Such a card would be absolutely useless. The only purpose of a smartcard is to protect your private key and ensure that this key can be used only WITHIN the card.

Of course you can ask your smartcard to create a couple of keys and compare them. Please let us know if you own a smartcard that "generates" the same key over and over.

> I am a "Global War on Terror" surveillee, and I am uncomfortably
> accustomed to being monitored for thinly veiled political reasons.
>
> Another excellent reason for not generating a key on a card is that I
> cannot have a backup. I can hide a backup key securely... that is, if
> the NSA didn't generate the key for me in the first place.

If you want a backup you MUST create your key outside your card (or find the undocumented commands by which you can read a private key out of your card).

How about using the OpenPGP card? If you don't trust closed source firmware, then this card may be the right choice.

Peter

_______________________________________________
opensc-devel mailing list
[email protected]
http://www.opensc-project.org/mailman/listinfo/opensc-devel
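Peter's second option, converting an OpenSSH-format private key into PEM/DER so that OpenSC can import it, as an added example that is not part of this thread or of OpenSC: a minimal converter for unencrypted RSA keys in the openssh-key-v1 container that current ssh-keygen writes, emitting the PKCS#1 "RSA PRIVATE KEY" PEM that OpenSC's pkcs15-init accepts. The 12-bit toy key the block builds for itself is constructed sample input, not real key material, and the helper names are this example's own.

```python
import base64
import struct

MAGIC = b"openssh-key-v1\x00"
def _be(n):  # minimal big-endian bytes; SSH mpint and DER INTEGER both want a leading 0x00 when the top bit is set
    return n.to_bytes((n.bit_length() + 8) // 8, "big")
def _ssh_str(b):  # SSH wire "string": uint32 length prefix + bytes
    return struct.pack(">I", len(b)) + b
def _read_str(buf, off):
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n
def parse_openssh_rsa(text):
    """RSA components (n, e, d, p, q, iqmp) from an unencrypted openssh-key-v1 PEM block."""
    blob = base64.b64decode("".join(l for l in text.splitlines() if "-----" not in l))
    assert blob.startswith(MAGIC), "not an openssh-key-v1 key"
    cipher, off = _read_str(blob, len(MAGIC))
    if cipher != b"none":
        raise ValueError("passphrase-protected key: remove the passphrase first (ssh-keygen -p)")
    _, off = _read_str(blob, off)            # kdfname
    _, off = _read_str(blob, off)            # kdfoptions
    _, off = _read_str(blob, off + 4)        # uint32 key count, then the public-key blob
    priv, _ = _read_str(blob, off)           # private section (plaintext when cipher is "none")
    ktype, pos = _read_str(priv, 8)          # two uint32 check values precede the key type
    assert ktype == b"ssh-rsa", ktype
    vals = []
    for _ in range(6):                       # private-section order: n, e, d, iqmp, p, q
        raw, pos = _read_str(priv, pos)
        vals.append(int.from_bytes(raw, "big"))
    n, e, d, iqmp, p, q = vals
    return dict(n=n, e=e, d=d, p=p, q=q, iqmp=iqmp)
def _der_len(n):  # DER length: short form below 128, else 0x80|count followed by the length bytes
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([n]) if n < 128 else bytes([0x80 | len(lb)]) + lb
def _der_int(n):
    return b"\x02" + _der_len(len(_be(n))) + _be(n)
def to_pkcs1_der(k):
    """RSAPrivateKey ::= SEQUENCE { version=0, n, e, d, p, q, d mod (p-1), d mod (q-1), q^-1 mod p }"""
    fields = (0, k["n"], k["e"], k["d"], k["p"], k["q"], k["d"] % (k["p"] - 1), k["d"] % (k["q"] - 1), k["iqmp"])
    body = b"".join(_der_int(x) for x in fields)
    return b"\x30" + _der_len(len(body)) + body
def to_pem(der):  # PEM wrapping OpenSC can read (64-column base64 between RSA PRIVATE KEY markers)
    b64 = base64.b64encode(der).decode()
    return "-----BEGIN RSA PRIVATE KEY-----\n%s\n-----END RSA PRIVATE KEY-----\n" % "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
def build_toy_openssh_key(p=61, q=53, e=17):
    """Constructed sample input: an insecure 12-bit RSA key laid out exactly as ssh-keygen writes it."""
    n, d, iqmp = p * q, pow(e, -1, (p - 1) * (q - 1)), pow(q, -1, p)
    pub = _ssh_str(b"ssh-rsa") + _ssh_str(_be(e)) + _ssh_str(_be(n))
    priv = struct.pack(">II", 7, 7) + _ssh_str(b"ssh-rsa")
    priv += b"".join(_ssh_str(_be(x)) for x in (n, e, d, iqmp, p, q)) + _ssh_str(b"toy comment")
    priv += bytes(range(1, (-len(priv)) % 8 + 1))   # 1,2,3,... padding to the 8-byte block size
    blob = MAGIC + _ssh_str(b"none") * 2 + _ssh_str(b"") + struct.pack(">I", 1) + _ssh_str(pub) + _ssh_str(priv)
    return "-----BEGIN OPENSSH PRIVATE KEY-----\n%s\n-----END OPENSSH PRIVATE KEY-----\n" % base64.b64encode(blob).decode()
```

Run `to_pem(to_pkcs1_der(parse_openssh_rsa(open("id_rsa").read())))` on a real unencrypted key and feed the result to pkcs15-init; before you do, verify the PEM with `openssl rsa -check` so a conversion bug is caught before anything reaches the card.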
