Re: pci hardware for secure crypto storage (OpenSSL/OpenBSD)
On Wed, 15 Sep 2004 16:30:54 +0100, Ian Grigg said: > There is a device that is similar to those characteristics: > http://woudt.nl/epass-pgp/ > http://www.financialcryptography.com/mt/archives/000201.html The advantage of the OpenPGP card is that is is a specification that it is open and ready for everyone to implement. No proprietary strings attached as usual in the smartcard business. So go write an application according to the specs and it will, run with any card compliant with the spec. Any vendor may implement this spec on his card. Whether you do this on a slow 4 Euro chip or a fast 8 Euro chip or on an iButton is up to you. Our card is just one implementation of the spec using an expensive chip. Werner - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: pci hardware for secure crypto storage (OpenSSL/OpenBSD)
Eugen Leitl wrote: I'm looking for (cheap, PCI/USB) hardware to store secrets (private key) and support crypto primitives (signing, cert generation). It doesn't have to be fast, but to support loading/copying of secrets in physically secure environments, and not generate nonextractable secret onboard. Environment is OpenBSD/Linux/OpenSSL/gpg. Any suggestions? If I may put words in your mouth, you would require a server-side public key cryptography apparatus where the long-term private key value would be subject to utmost protection available, and the signature capability is nonetheless available to some "functional area" software on an general-purpose processor with less stringen protections. Hint: the software application where a security certificate is authorized is the Èfunctional areaÈ software. Presumably, some key management scheme must be provided so that once a "functional area" becomes suspicious, its usage of the private key can be rovoked through a key renewal, and the private key is not at stake. The disclosure of such system is at http://www.connotech.com/WIRCPATA.HTM. Be reassured that this was a preventive publication, so this design is in the public domain (and is, or should have been, prior art to US patent 6,671,804). Such server-side cryptographic hardware is currently under development. It should take the form of a 1U operational secure device and a separate key management console, the latter ensuring that no significant secret is ever stored on a personal computer. The application is not, however, certificate signing, as your post implies. I doubt that you will find products that fits your need as I expressed them. Perhaps with lower security, notably requiring that you trust the API design and implementation between the cryptographic hardware and the functional area. Regards, -- - Thierry Moreau CONNOTECH Experts-conseils inc. 9130 Place de Montgolfier Montreal, Qc Canada H2M 2A1 Tel.: (514)385-5691 Fax: (514)385-5900 web site: http://www.connotech.com e-mail: [EMAIL PROTECTED] - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: pci hardware for secure crypto storage (OpenSSL/OpenBSD)
On Wed, Sep 15, 2004 at 04:30:54PM +0100, Ian Grigg wrote: > There is a device that is similar to those characteristics: > > http://woudt.nl/epass-pgp/ "If you loose or damage your token: you loose your private key and any data encrypted to it. Because the key is generated inside the token and cannot leave it, it is not possible to make a backup of the private key." is a knockout criterium, though. Also an interactive PIN entry for each interaction is a no-no, if the machine is in a rack at the host. H4x0rs may break in and sign a few stray blobs, but they won't be able to steal the private key itself. > http://www.financialcryptography.com/mt/archives/000201.html -- Eugen* Leitl http://leitl.org";>leitl __ ICBM: 48.07078, 11.61144http://www.leitl.org 8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE http://moleculardevices.org http://nanomachines.net pgpjYj6c7OaaW.pgp Description: PGP signature
Re: pci hardware for secure crypto storage (OpenSSL/OpenBSD)
There is a device that is similar to those characteristics: http://woudt.nl/epass-pgp/ http://www.financialcryptography.com/mt/archives/000201.html iang David Shaw wrote: On Tue, Sep 14, 2004 at 10:31:11AM +0200, Eugen Leitl wrote: I'm looking for (cheap, PCI/USB) hardware to store secrets (private key) and support crypto primitives (signing, cert generation). It doesn't have to be fast, but to support loading/copying of secrets in physically secure environments, and not generate nonextractable secret onboard. Environment is OpenBSD/Linux/OpenSSL/gpg. Since your environment includes GPG, then I think the OpenPGP smartcard meets pretty well what you are requesting. Combine it it with a USB smartcard reader, and the card becomes USB, too ;) http://www.silicon-trust.com/pdf/secure_8/48_ppc.pdf http://www.g10code.de/p-card.html - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: pci hardware for secure crypto storage (OpenSSL/OpenBSD)
On Tue, Sep 14, 2004 at 10:31:11AM +0200, Eugen Leitl wrote: > > I'm looking for (cheap, PCI/USB) hardware to store secrets (private > key) and support crypto primitives (signing, cert generation). It > doesn't have to be fast, but to support loading/copying of secrets > in physically secure environments, and not generate nonextractable > secret onboard. Environment is OpenBSD/Linux/OpenSSL/gpg. Since your environment includes GPG, then I think the OpenPGP smartcard meets pretty well what you are requesting. Combine it it with a USB smartcard reader, and the card becomes USB, too ;) http://www.silicon-trust.com/pdf/secure_8/48_ppc.pdf http://www.g10code.de/p-card.html David - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]