Re: [cryptography] -currently available- crypto cards with onboard key storage
On Fri, 28 Oct 2011 14:03, t...@panix.com said: So this appears to be basically a smartcard and USB smartcard reader built into the same frob. I can probably find a way to put it within Right. Unfortunately, it also appears to be unbuyable. I tried all three sources listed on the crypto-stick.org website yesterday: two were out of stock, while the third said something along the lines of They are manually assembled thus you won't see much in stock. Your better choice is to buy one of the Zeitcontrol OpenPGP cards and an SCM USB stick style reader [1] - you get exactly the same. Salam-Shalom, Werner [1] Never buy an Omnikey card reader unless you can want to use it only on Windows. Only the Windows drivers allows the use of 2k keys. The omnikey chip supports Extended Length APDUs only via proprietary and undocumented features. -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] -currently available- crypto cards with onboard key storage
On Fri, 28 Oct 2011 11:10, mar...@martinpaljak.net said: PKCS#11 but also open source drivers (also free, in the sense of free software vs open source software) is as good excuse to reject PKCS#11 In 99% percent of all cases Open Source and Free Software describe software distributed under the same terms. Thus it is not helpful to distinguish between them. And common sense tells that using PKCS#11 is a better option than not using it at all or inventing a 15th standard [1]. Well, GnuPG had support for several cards before there was any _working_ pkcs#11 driver for any available card on non-Windows platforms. Recall that not too long ago pkcs#11 was an interface consisting of some basic core functions with a lot of required proprietary extensions and many of them even shared the same function pointer slot. Meanwhile major players don't use it anymore for interop purposes but defined their own high level standard - similar to what GnuPG did. Anyway, we had this discussion on the gnupg lists often enough that it does not make sense to repeat our views here again. Shalom-Salam, Werner -- Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz. ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] -currently available- crypto cards with onboard key storage
Martin Paljak mar...@martinpaljak.net writes: Taking into account the original request of getting something off-the-shelf for PGP uses, this demand basically just rules out GnuPG for some users and use cases. At the risk of slight self-promotion, cryptlib, http://www.cs.auckland.ac.nz/~pgut001/cryptlib/, has supported PKCS #11 for PGP use since pretty much forever. It's a crypto toolkit rather than a complete app like GPG, but it's there if you want it. So far no part of me has turned green and fallen off just because I used a closed-source PKCS #11 driver. Peter. ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] -currently available- crypto cards with onboard key storage
Thor Lancelot Simon wrote: On Thu, Oct 27, 2011 at 12:15:32PM +0300, Martin Paljak wrote: You have not described your requirements (ops/sec, FIPS/CC etc) but if the volume is low, you could take USB CryptoStick(s) (crypto-stick.org), which is supported by GnuPG and what can do up to 4096 bit onboard keys, unfortunately only one signature/decryption pair usable through GnuPG. Probably you can also stack them up and populate with the same key for load sharing. So this appears to be basically a smartcard and USB smartcard reader built into the same frob. I can probably find a way to put it within the chassis of even a fairly compact rackmount server without fear it will come loose and take the application offline. Unfortunately, it also appears to be unbuyable. I tried all three sources listed on the crypto-stick.org website yesterday: two were out of stock, while the third said something along the lines of low stock - order soon, walked me through the whole ordering process, then said my order had been submitted -- without ever asking for payment. It's possible I might walk into my office next week and see two crypto-sticks, provided free of charge, but I am not too optimistic about that! Is there a way to actually get these? This sounds familiar to me: while the direct cost, per unit, of crypto gear would seem very low when compared with mass market devices with the same kind of electronics, crypto gear remains very difficult to procure without a massive contribution to engineering costs incurred by the supplier (for the crypto added value). Ultimately a crypto gear under discussion is merely a CPU plus a rudimentary memory subsystem and an interface to a host (it may have a separate keypad, and/or a key injection port). The packaging matters to provide confidence that the secret/private keys remain onboard. Likewise, the API with the host is a can of worm about which you want to avoid discussion, again to provide this well informed sense of assurance that information risks and controls are in balance. This being said, there is indeed a practical security benefit of having computations directly involving secret/private keys done by a CPU unlikely to be infected by a Trojan. Security certification concerns put aside, the architectural demands are no more elaborate than a CPU unlikely to be infected by a Trojan. From there, you either pay for the certification gimmick, or you mend your own solution. This is the basis for an open source HSM ... Regards, -- - Thierry Moreau CONNOTECH Experts-conseils inc. 9130 Place de Montgolfier Montreal, QC, Canada H2M 2A1 Tel. +1-514-385-5691 ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] -currently available- crypto cards with onboard key storage
Take a cheap Android, write the code you need for it, make it talk via USB, rip out all antennas, put it in your box (wrap in a paper bag first), and connect with USB cable to the internal USB port. HW cost: $80 a Trojan. Security certification concerns put aside, the architectural demands are no more elaborate than a CPU unlikely to be infected by a Trojan. From there, you either pay for the certification gimmick, or you mend your own solution. This is the basis for an open source HSM ... cryptography mailing list ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] -currently available- crypto cards with onboard key storage
Or pluk any old PC/laptop/notebook you have lying around and make it talk over IP. Phones consume less energy though, nice idea. It's arguably more secure than a CPU but I doubt it'd make a noticeable difference (since the rest of the hardware needs to be secure also). 2011/10/28 Morlock Elloi morlockel...@yahoo.com: Take a cheap Android, write the code you need for it, make it talk via USB, rip out all antennas, put it in your box (wrap in a paper bag first), and connect with USB cable to the internal USB port. HW cost: $80 a Trojan. Security certification concerns put aside, the architectural demands are no more elaborate than a CPU unlikely to be infected by a Trojan. From there, you either pay for the certification gimmick, or you mend your own solution. This is the basis for an open source HSM ... cryptography mailing list ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
[cryptography] Further evidence of Certificate Authority break-ins
http://www.h-online.com/security/news/item/Further-evidence-of-Certificate-Authority-break-ins-1367856.html -Michael ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] -currently available- crypto cards with onboard key storage
On Wed, Oct 26, 2011 at 11:12 AM, Thor Lancelot Simon t...@panix.com wrote: I find myself needing a crypto card, preferably PCIe, with onboard key storage As far as I know, the only current products that do this are the IBM 4765 and the BCM586x line of chips. There were more sources once-upon-a-time of course -- nCipher and NetOctave/NBMK/etc. but those products seem to be gone now (and have obsolete PCI host interfaces, as well). i've used Sun Cryptographic Accelerator 6000s with success. however, as of some months ago Oracle changed their retail price from $1,499 to $9,999. you can still find second hand for a grand or so. expect to jump through hoops to get drivers, firmware, etc. (contact me off list if needed) i too would like to know what other options are available for HSM + Accel in PCIe form factor. ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
