Re: USB vs Smart Card?

2006-12-29 Thread Joerg Schmitz-Linneweber
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Hi!

Moritz Schulte wrote:
>> Can I use a USB instead of a Smart Card?
> 
> Without further context this question does not make too much sense.  USB
> sticks (i guess that is what you mean) are completely different from
> smartcards when it comes to security solutions.
> ...
Perhaps the OP meant some USB crypto token... (e.g. "Aladdin eToken Pro")
There are such crypto tokens, but most of them use something X.509
compatible (certificate-based, PKCS#11).

If I remember correctly there exists a very small USB smartcard reader
which can be "paired" with a small form factor smartcard (like the "GSM"
ones) into one enclosure. If you take a cutter and reduce the size of an
OpenPGP card to the mentioned size and find this particular reader *and*
this reader is supported by GnuPG... then you're done! :-)

Interesting link:
[http://csrc.nist.gov/publications/nistir/IR-7056/Capabilities/Jun-SmartCardTech.pdf]

Salut, Jörg

- --
gpg/pgp key # 0xd7fa4512
fingerprint 4e89 6967 9cb2 f548 a806  7e8b fcf4 2053 d7fa 4512
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with SUSE - http://enigmail.mozdev.org

iD8DBQFFlQoW/PQgU9f6RRIRAsv2AKCDjc7xju39sOjnrMInWieifyndRwCg4qDU
9/Wzl+XX0MY6I+0xXGJfvqc=
=yFoZ
-END PGP SIGNATURE-

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


sshd authentication problem with gpg-agent and OpenPGP card

2006-12-05 Thread Joerg Schmitz-Linneweber
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Hi all!

I recently found a problem when using OpenPGP cards with gpg-agent in
combination with ssh/sshd.
Technical details follow:

- --- snip ---
> gpg-agent --version
gpg-agent (GnuPG) 2.0.0
- --- snip ---
> rpm -qf `which ssh-add`
openssh-3.9p1-12.10
- --- snip ---
> ssh-add -l
1024 fingerprint_in_hex cardno:my_card_no (RSA)
1024 fingerprint_in_hex ~/id_dsa (DSA)
1024 fingerprint_in_hex ~/other_id_dsa (DSA)
1024 fingerprint_in_hex ~/other2_id_dsa (DSA)
- --- snip ---
(on the remote machine)
# rpm -qf `which sshd`
openssh-3.9p1-12.10
- --- snip ---

OK. Connecting to the remote via:
> ssh -i ~/.ssh/id_dsa remote_host
works perfectly (no card involved)
but:
> ssh - remote_host
tries to use the card and results in:

- --- snip ---
debug2: key: cardno:my_card (0x8095498)
debug2: key: ~/.ssh/id_dsa (0x80999b0)
debug2: key: ~/.ssh/other_id_dsa (0x8098d98)
debug2: key: ~/.ssh/other2_id_dsa (0x8098d98)
debug1: Authentications that can continue: publickey,keyboard-interactive
debug3: start over, passed a different list publickey,keyboard-interactive
debug3: preferred publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering public key: cardno:my_card_no
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
Connection closed by remote_host
- --- snip ---

and the log on the remote machine explains this abrupt connection loss:

- --- snip ---
Dec  5 09:47:19 floyd sshd[4666]: fatal: buffer_get_bignum2: negative
numbers not supported
Dec  5 09:55:13 floyd sshd[4893]: fatal: buffer_get_bignum2: negative
numbers not supported
- --- snip ---

The last snippet shows what's going on in gpg-agent:

- --- snip ---
[client at fd 4 connected]
  4 - 2006-12-05 10:10:37 gpg-agent[10191]: SSH handler 0x80858b8 for fd 7 started
  4 - 2006-12-05 10:10:37 gpg-agent[10191]: ssh request handler for
request_identities (11) started
  4 - 2006-12-05 10:10:37 gpg-agent[10191]: new connection to SCdaemon
established (reusing)
[client at fd 5 connected]
  5 - 2006-12-05 10:10:37 scdaemon[10600.0] DBG: <- GETATTR $AUTHKEYID
  5 - 2006-12-05 10:10:37 scdaemon[10600.0] DBG: -> S $AUTHKEYID OPENPGP.3
  5 - 2006-12-05 10:10:37 scdaemon[10600.0] DBG: -> OK
  5 - 2006-12-05 10:10:37 scdaemon[10600.0] DBG: <- GETATTR SERIALNO
  5 - 2006-12-05 10:10:37 scdaemon[10600.0] DBG: -> S SERIALNO
my_serial_info
  5 - 2006-12-05 10:10:37 scdaemon[10600.0] DBG: -> OK
  5 - 2006-12-05 10:10:37 scdaemon[10600.0] DBG: <- READKEY OPENPGP.3
  5 - 2006-12-05 10:10:37 scdaemon[10600.0] DBG: -> [
xx xx...(all bytes skipped) ]
  5 - 2006-12-05 10:10:37 scdaemon[10600.0] DBG: -> OK
  5 - 2006-12-05 10:10:37 scdaemon[10600.0] DBG: <- GETATTR $DISPSERIALNO
  5 - 2006-12-05 10:10:37 scdaemon[10600.0] DBG: -> S $DISPSERIALNO
the_displayable_serialno
  5 - 2006-12-05 10:10:37 scdaemon[10600.0] DBG: -> OK
  4 - 2006-12-05 10:10:37 gpg-agent[10191]: ssh request handler for
request_identities (11) ready
  5 - 2006-12-05 10:10:37 scdaemon[10600.0] DBG: <- RESTART
  5 - 2006-12-05 10:10:37 scdaemon[10600.0] DBG: -> OK
  4 - 2006-12-05 10:10:37 gpg-agent[10191]: SSH handler 0x80858b8 for fd 7 terminated
- --- snip ---

So gpg-agent in conjunction with this ssh version might deliver invalid
data to the waiting ssh daemon. I found nothing particular on the
mentioned bignum package in sshd though... :-(

Does anybody know what's going on with OpenPGP card authentication? Werner? :-)

Salut, Jörg

- --
gpg/pgp key # 0xd7fa4512
fingerprint 4e89 6967 9cb2 f548 a806  7e8b fcf4 2053 d7fa 4512
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.5 (GNU/Linux)
Comment: Using GnuPG with SUSE - http://enigmail.mozdev.org

iD8DBQFFdTik/PQgU9f6RRIRArT4AJ4wXZaBiR8oZWhlvAcZXSOP8VdUcwCgzbs/
aUdw1ByhBJlE8e3C9KeiGsE=
=JwLw
-END PGP SIGNATURE-
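The sshd message quoted above, "buffer_get_bignum2: negative numbers not supported", is what OpenSSH emits when the first byte of an SSH mpint has its high bit set: RFC 4251 defines mpint as a big-endian two's-complement integer, so a positive value whose most significant bit would be set must carry a leading 0x00 byte. The following Python is an added example, not code from the post, from GnuPG or from OpenSSH. It encodes an ssh-rsa public-key blob (as an agent returns it in its identities answer) both with and without that sign pad and emulates the server-side check, so an agent's answer can be validated offline. The key values are small constructed test data; that a missing sign pad is what gpg-agent 2.0.0 actually sent is an inference from the symptom, not something the post establishes.

```python
"""SSH wire-format mpint check for agent-supplied ssh-rsa public keys.

Added example.  RFC 4251 section 5: an mpint is a big-endian two's-complement
integer, so a positive number whose top bit is set needs a leading 0x00 byte.
OpenSSH's buffer_get_bignum2() rejects an mpint whose first byte has the high
bit set with "negative numbers not supported"; read_bignum2() below emulates
that check.  Key values used in the test are constructed, not real keys.
"""
import struct


def ssh_string(data: bytes) -> bytes:
    """SSH 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def ssh_mpint(n: int) -> bytes:
    """Correct mpint encoding: minimal big-endian bytes plus a 0x00 sign pad
    when the most significant bit of the first byte is set."""
    if n == 0:
        return ssh_string(b"")
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    return ssh_string(raw)


def ssh_mpint_no_pad(n: int) -> bytes:
    """Faulty encoding: the same bytes but never a sign pad.  Only numbers whose
    top byte is >= 0x80 differ from ssh_mpint(), so only some keys break."""
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    return ssh_string(raw)


def rsa_pubkey_blob(e: int, n: int, mpint=ssh_mpint) -> bytes:
    """ssh-rsa public key blob: string "ssh-rsa", mpint e, mpint n."""
    return ssh_string(b"ssh-rsa") + mpint(e) + mpint(n)


class NegativeMpint(ValueError):
    """Raised where OpenSSH would log 'negative numbers not supported'."""


def read_string(buf: bytes, off: int):
    if off + 4 > len(buf):
        raise ValueError("truncated length field")
    (length,) = struct.unpack(">I", buf[off:off + 4])
    off += 4
    if off + length > len(buf):
        raise ValueError("truncated string")
    return buf[off:off + length], off + length


def read_bignum2(buf: bytes, off: int):
    """Emulates OpenSSH buffer_get_bignum2(): a first byte with the high bit
    set denotes a negative number, which sshd refuses."""
    raw, off = read_string(buf, off)
    if raw and raw[0] & 0x80:
        raise NegativeMpint("negative numbers not supported")
    return int.from_bytes(raw, "big"), off


def parse_rsa_blob(blob: bytes):
    """Parse an ssh-rsa blob the way sshd does; returns (e, n)."""
    kind, off = read_string(blob, 0)
    if kind != b"ssh-rsa":
        raise ValueError(f"unexpected key type {kind!r}")
    e, off = read_bignum2(blob, off)
    n, off = read_bignum2(blob, off)
    if off != len(blob):
        raise ValueError("trailing bytes in key blob")
    return e, n


def check_blob(blob: bytes) -> str:
    """Return 'ok' or the sshd-style fatal message for a key blob."""
    try:
        parse_rsa_blob(blob)
        return "ok"
    except NegativeMpint as exc:
        return f"fatal: buffer_get_bignum2: {exc}"
```

Feed it the blob of each identity an agent returns: a key whose modulus begins with a byte of 0x80 or above is the one that fails on the server, while a modulus with a smaller leading byte is encoded identically by both routines and works regardless.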



Re: Beginner's smartcard questions

2006-09-12 Thread Joerg Schmitz-Linneweber
Hi!

On Wednesday, 6 September 2006 19:11, Sven Radde wrote:
> Hi!
>
> I intend to buy an OpenPGP card and I have some questions regarding its use
> under WinXP, particularly in combination with my new (and yet untested)
> banking card. Is there any difference in the required hardware to access
> both cards? 
Yes!

> In other words, will the card-readers sold at 
> http://www.kernelconcepts.de/products/security-en.shtml also support my
> banking-card (german HBCI) or, 
Probably not. :-(

> vice-versa, can I expect GnuPG to support 
> the card-reader recommended by my bank ("cyber Jack" devices by ReinerSCT)?
Surely not! Especially the "CyberJack" is known to be problematic (at least) with 
OpenPGP cards...

> Are there any caveats in general regarding the card-readers at
> kernelconcepts.de under Windows? In particular, I stumbled over the
> "Supported by GnuPG *via PC/SC drivers*" in the description of the Omnikey
> CM4040 PCMCIA device). Sorry for insisting, but before spending actual
> money, I want to be sure it works.
I think most of them will work under Windows; you'll have to look for drivers for 
your particular application...

> One more question: When using a class-3 reader, what (if any) information
> does GnuPG display on it?
Nothing

> I wonder how much added security I would get from 
> a class-3 reader in comparison to one without display.
With GnuPG, nothing. (But I think the difference between class 2 and 3 is not 
only the display, but here in Germany the "clearance" to do "binary cashing" 
via e.g. GeldKarte and the like...)

> I understand that a 
> class-2 reader will prevent sniffing of the PIN in case my PC is infected
> with a trojan.
Not with GnuPG. With *some* home banking applications, your PIN will never 
reach "the system" (Windows) and thus will be safe.

Salut, Jörg

-- 
gpg/pgp key # 0xd7fa4512
fingerprint 4e89 6967 9cb2 f548 a806  7e8b fcf4 2053 d7fa 4512




Re: smart card usage on multiple workstations

2006-05-12 Thread Joerg Schmitz-Linneweber
Hi Kai!

On Tuesday, 9 May 2006 07:54, Kai Kretschmann wrote:
> ...
> But how do I use this key on a second computer? I was thinking of simply
> plugging the card into another workstation and use it there too. But the
According to Werner, the missing "stubs" for the private keys (which are on the 
card) should be generated by gpg "on the fly" if you issue a command like 
--card-status or the like...
(Please have a look in the mail archive with the keywords "openpgp card".)

But here this _never_ happened with all of our cards and all versions of 
gpg! :-( The stubs were only generated in the "key issuing" gpg installation.

Our only chance to move the stubs to other/new workstations was to manually 
export the (priv.) keys/stubs or move the keyrings.

HTH. Salut, Jörg

-- 
gpg/pgp key # 0xd7fa4512
fingerprint 4e89 6967 9cb2 f548 a806  7e8b fcf4 2053 d7fa 4512




Re: gpg-agent cache

2006-03-13 Thread Joerg Schmitz-Linneweber
Hi Remco!

On Wednesday, 8 March 2006 19:47, Remco Post wrote:
> ...
> I've started gpg-agent with:
>
> /usr/local/bin/gpg-agent --use-standard-socket --pinentry-program
> /usr/bin/pinentry-gtk-2 --default-cache-ttl 1800 --default-cache-ttl-ssh
> 900 --enable-ssh-support --write-env-file $HOME/.gpg-agent-info --daemon
> --sh /usr/bin/fvwm2
From your mail it's not quite clear if you used the output from gpg-agent (the 
environment vars)...

I would have guessed something like:
eval "$(gpg-agent --gpg-agent-options)"

And then start your gpg-agent-using-applications in the same shell afterwards.

HTH. Salut, Jörg

-- 
gpg/pgp key # 0xd7fa4512
fingerprint 4e89 6967 9cb2 f548 a806  7e8b fcf4 2053 d7fa 4512




Re: new version of gnupg signed with different key?

2006-02-17 Thread Joerg Schmitz-Linneweber
Hi!

On Thursday, 16 February 2006 22:11, privacy.at Anonymous Remailer wrote:
> gnupg-1.4.2.tar.bz2.sig was signed with key 0x57548DCD
> but
> gnupg-1.4.2.1.tar.bz2.sig is signed with 0x1CE0C630, which is not in
> turn signed with the old key.  Why?  How do we verify it's
> trustworthy?
Werner? What happened? I saw it's tagged as a "(dist sig) <[EMAIL PROTECTED]>", 
but why did you change your policy? [Are you on ham radio, btw. :-) ?]

I did a short review of the diff from 1.4.2 and it seems there are only the 
changes regarding the mentioned vuln., and I think Werner (et al.) switched 
from CVS to Subversion :-) Right?

Salut, Joerg

-- 
gpg/pgp key # 0xd7fa4512
fingerprint 4e89 6967 9cb2 f548 a806  7e8b fcf4 2053 d7fa 4512




gpg-agent PIN cache

2005-10-05 Thread Joerg Schmitz-Linneweber
Hi Werner, hi all!

I have a problem with "PIN keeping" in gpg-agent (version numbers below).
Everything works fine: I start up gpg-agent:
# eval `gpg-agent -v --enable-ssh-support --daemon \
    --log-file /home/jsl/ga.log --debug-level expert \
    --default-cache-ttl-ssh 2`
and I can see my "new" key on the card:
# ssh-add -l
1024 e5:f9:3c:fc:04:0e:b4:b4:75:98:72:cf:d5:df:96:cb cardno:000mynumber (RSA)

Now I can "ssh" to any where my pkey is registered. Good.
The first time I try to use the key, pinentry(-qt) comes up and asks for 
the PIN.
But the problem is: the second time and every time from then on, pinentry comes 
up and asks for my PIN! Although I said "cache ttl for ssh should be some hours..."

Does anyone know why gpg-agent/pinentry does so?

Here is a log of two "ssh sessions":

--- snip --
2005-10-05 19:51:59 gpg-agent[8885] listening on socket `/tmp/gpg-kvPjWi/S.gpg-agent'
2005-10-05 19:51:59 gpg-agent[8885] listening on socket `/tmp/gpg-RXfxR6/S.gpg-agent.ssh'
2005-10-05 19:52:04 gpg-agent[8886] SSH handler 0x8083b88 for fd 0 started
2005-10-05 19:52:04 gpg-agent[8886] ssh request handler for request_identities (11) started
2005-10-05 19:52:04 gpg-agent[8886] no running SCdaemon - starting it
2005-10-05 19:52:04 gpg-agent[8886] DBG: first connection to SCdaemon established
2005-10-05 19:52:04 gpg-agent[8886] DBG: additional connections at `/tmp/gpg-0HjfQH/S.scdaemon'
2005-10-05 19:52:05 gpg-agent[8886] ssh request handler for request_identities (11) ready
2005-10-05 19:52:05 gpg-agent[8886] ssh request handler for sign_request (13) started
2005-10-05 19:52:05 gpg-agent[8886] DBG: detected card with S/N "my number" :-)
2005-10-05 19:52:05 gpg-agent[8886] starting a new PIN Entry
2005-10-05 19:52:05 gpg-agent[8886] DBG: connection to PIN entry established
2005-10-05 19:52:06 gpg-agent[8886] SIGUSR2 received - checking smartcard status
2005-10-05 19:52:09 gpg-agent[8886] ssh request handler for sign_request (13) ready
2005-10-05 19:52:09 gpg-agent[8886] SSH handler 0x8083b88 for fd 0 terminated
2005-10-05 19:52:45 gpg-agent[8886] SSH handler 0x8083b88 for fd 0 started
2005-10-05 19:52:45 gpg-agent[8886] ssh request handler for request_identities (11) started
2005-10-05 19:52:45 gpg-agent[8886] new connection to SCdaemon established (reusing)
2005-10-05 19:52:46 gpg-agent[8886] ssh request handler for request_identities (11) ready
2005-10-05 19:52:46 gpg-agent[8886] ssh request handler for sign_request (13) started
2005-10-05 19:52:46 gpg-agent[8886] DBG: detected card with S/N "again my number" :-)
2005-10-05 19:52:46 gpg-agent[8886] starting a new PIN Entry
2005-10-05 19:52:47 gpg-agent[8886] DBG: connection to PIN entry established
2005-10-05 19:52:50 gpg-agent[8886] ssh request handler for sign_request (13) ready
2005-10-05 19:52:51 gpg-agent[8886] SSH handler 0x8083b88 for fd 0 terminated
2005-10-05 20:02:15 gpg-agent[8886] SSH handler 0x8083b88 for fd 0 started
2005-10-05 20:02:15 gpg-agent[8886] ssh request 1 is not supported
2005-10-05 20:02:15 gpg-agent[8886] ssh request handler for request_identities (11) started
2005-10-05 20:02:15 gpg-agent[8886] new connection to SCdaemon established (reusing)
2005-10-05 20:02:16 gpg-agent[8886] ssh request handler for request_identities (11) ready
2005-10-05 20:02:16 gpg-agent[8886] SSH handler 0x8083b88 for fd 0 terminated
--- snip --

Here are the versions used...

# gpg2 --version
gpg (GnuPG) 1.9.19
# scdaemon --version
scdaemon (GnuPG) 1.9.19
# gpg-agent --version
gpg-agent (GnuPG) 1.9.19
# pinentry --version
pinentry-qt (pinentry) 0.7.3-cvs
# libgcrypt-config --version
1.3.0-cvs
# libassuan-config --version
0.6.11-cvs
# pth-config --version
GNU Pth 2.0.5 (05-Oct-2005)
# ksba-config --version
0.9.12
# gpg-error-config --version
1.1

Did I miss something? ;-)

Thank you very much in advance! Salut, Jörg

-- 
gpg/pgp key # 0xd7fa4512
fingerprint 4e89 6967 9cb2 f548 a806  7e8b fcf4 2053 d7fa 4512




Re: OpenPGP Card

2005-09-02 Thread Joerg Schmitz-Linneweber
Hi Alon!

I would like to see support for PKCS#11 too but...
(won't elaborate on this now ;-)

Regarding the "openness" of OpenPGP: why do you (and Benjamin) think it's not 
open (enough)?
The specs are there and you are free to implement "both sides" of the (smart) 
card.
For me the specs allow(ed) me to try implementing OpenPGP on an IBM JavaCard 
(and it *would* be possible to have a JavaCard implement OpenPGP in parallel 
to PKCS#11...)

Just my 2cts... Salut, Jörg

-- 
gpg/pgp key # 0xd7fa4512
fingerprint 4e89 6967 9cb2 f548 a806  7e8b fcf4 2053 d7fa 4512




Re: Pinpad on SPR532 isn't used

2005-08-25 Thread Joerg Schmitz-Linneweber
Hi!

On Wednesday, 24 August 2005 15:17, Felix E. Klee wrote:
> After installing GNUPG 1.4.2, I can now access my OpenPGP smartcards
> (bought at Kernelconcepts) using my SPR532 reader.  However, the pinpad
> of the reader is not used.  An example:
> ...

If you browse through the archives of this group you'll find that there *is* 
no keypad support for _any_ card reader (so far).

The documentation also always states that it *would be possible* to integrate 
support for pinpads...

Salut, Jörg

-- 
gpg/pgp key # 0xd7fa4512
fingerprint 4e89 6967 9cb2 f548 a806  7e8b fcf4 2053 d7fa 4512




Re: chrooting gnupg

2005-06-03 Thread Joerg Schmitz-Linneweber
Hi Christian!

[EMAIL PROTECTED] wrote:
> ...
> does anyone here know by chance, what I have to provide to gnupg in order to 
> run in a chrooted environment? Providing the libs obviously is not enough. 
> I'm suspecting /dev/random or /dev/urandom or sth. the like, but in my tests 
> it did not work properly (hangs) - due to entropy, I'd assume? 
>
> Got no clue, how entropy is handled in a chroot, nor if this IS the problem. 
> I'd appreciate any hints.

What does "strace gpg_chroot --version_or_anything" reveal on this 
chroot-ed binary?

Salut, Jörg

--
gpg/pgp key # 0xd7fa4512
fingerprint 4e89 6967 9cb2 f548 a806  7e8b fcf4 2053 d7fa 4512



OpenPGP smartcard and crpyto fs

2005-04-18 Thread Joerg Schmitz-Linneweber
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Hi all!

I would like to use my O.card to securely hold an encryption key to be used by 
the Linux "crypto filesystem". This fs uses a utility "losetup" at startup 
which asks for a passphrase/keyword to be used as the encryption/decryption key.
losetup can be configured to use a file descriptor to read this info from a 
file.

OK. Next thing is: I don't want to let the card do all the encryption ;-)
(I think it would be a little bit slow... although the key would stay safely 
inside the card...)

Next thing (which works here) was to use a gpg-encrypted file containing the 
passphrase(s) and doing something like
"cat ~/.crypto-fs-key.gpg | gpg -q --decrypt -r 0xdeadbeef 2>/dev/null"
but one problem was gpg spitting out these "Please insert" and "PIN" info 
on stdout, and I'm not very comfortable with my passwords lying around on the 
disks... (although they *are* encrypted).

What I would like is to pull out some secret key (or plain data) and 
hand it over to losetup directly. I know that the key can then no longer be 
viewed as secure as it leaves the card, but that would be OK for me.

Anyone who thought about a scenario like this?

TIA. Salut, Jörg

- -- 
gpg/pgp key # 0xd7fa4512
fingerprint 4e89 6967 9cb2 f548 a806  7e8b fcf4 2053 d7fa 4512
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.0 (GNU/Linux)

iD8DBQFCY8ka/PQgU9f6RRIRAtRLAKCcUWd5bciKrlgBoYbkqZIMyXO9iQCeNq5J
puPvoTIxUYDv9BA4BD1B+X8=
=aqrB
-END PGP SIGNATURE-

