
Mailing List Archive: GnuPG: devel

1024-3072 bit OpenPGP cards



wk at gnupg

Jul 17, 2009, 2:26 AM

Post #1 of 8 (1032 views)
Permalink
1024-3072 bit OpenPGP cards

Hi,

I talked with David about the new OpenPGP card and how to solve a
surprising behaviour. A little background:

The new v2 specification of the card explicitly allows different key
sizes for the card. It is even possible to change the key size from the
factory default (this deletes an existing key). This is an optional
feature announced through the card's capabilities mechanism. It is a
boolean flag telling whether changing the key size is possible.

What the card doesn't tell is the range of the allowed key sizes and how
the keys are internally represented; if you select an invalid size or
bad parameters the card will simply reject it. Thus before changing the
key size you need to check with the vendor what sizes are supported.

I recently enhanced the "keytocard" command to change the key size of the
card to match the size of the key to be written to the card. That is a
nice and much desirable feature. In the past, if you tried to use the
"keytocard" command, it failed if the sizes didn't match. So far so
good. Now for the surprise:

If you later generate new keys (gpg --edit-key; admin, generate) these
keys are created with the current key sizes of the card. For example:
if you recently wrote a 1024 bit authentication key to the card, you
would create 3 keys: 2048, 2048 and 1024.

David suggested to always ask the user for the key size (in case the
card supports changing the key size at all). The problem is that we
don't know what key sizes the card supports: The one card implementation
currently available supports 1024 to 3072 bit RSA [1]. We know that but
we can't tell without looking at the specs of the concrete card. There
are a few other vendors which may support other key sizes or the chip of
the card is replaced and with that the supported key sizes; it is
entirely possible that you are restricted to certain sizes, e.g. 1024
and 2048 but no 1536 or any other odd number. If we would always ask
for the key size the user would be surprised as well if he selects a
certain size and finally ends up with an error message that the key
could not be created.

Note that we don't have a way to figure out a default size and set the
card back to that before keys are generated.

I see a few possibilities:

1) Keep it as it is. This will work without surprises unless the user
once wrote different sized keys to the card.

2) Always ask for the key size and use as default the current size.
Show a warning notice if the user entered a different size.

3) Same as 2 but do this only with --expert.

4) Add a new command "keysize" to manually set the keysize for each
key. Print a warning notice before key generation if the key sizes
of the card are not all the same and tell the user about the keysize
command.

5) Other suggestions?



Salam-Shalom,

Werner




[1] Actually 4096 but due to internal data structure limitations in
GnuPG it is currently limited to 3072.

--
Die Gedanken sind frei. Auschnahme regelt ein Bundeschgesetz.


_______________________________________________
Gnupg-devel mailing list
Gnupg-devel [at] gnupg
http://lists.gnupg.org/mailman/listinfo/gnupg-devel


marcus.brinkmann at ruhr-uni-bochum

Jul 17, 2009, 4:56 AM

Post #2 of 8 (981 views)
Permalink
Re: 1024-3072 bit OpenPGP cards [In reply to]

Werner Koch wrote:
> Note that we don't have a way to figure out a default size and set the
> card back to that before keys are generated.

Can't we include a list of allowed keysizes based on card revision/manufacturer?

Thanks,
Marcus



wk at gnupg

Jul 17, 2009, 6:03 AM

Post #3 of 8 (980 views)
Permalink
Re: 1024-3072 bit OpenPGP cards [In reply to]

On Fri, 17 Jul 2009 13:56, marcus.brinkmann [at] ruhr-uni-bochum said:

> Can't we include a list of allowed keysizes based on card revision/manufacturer?

A manufacturer is free to change the implementation or hardware. One
reason that ZeitControl does not like to tell us the used chip might be
to change the chip without getting into trouble with some legal
departments.

The manufacturer id is similar to the vendor assigned MAC address blocks
of ethernet cards. It allows them to assign serial number without a
centralized authority.


Salam-Shalom,

Werner


--
Die Gedanken sind frei. Auschnahme regelt ein Bundeschgesetz.




dshaw at jabberwocky

Jul 17, 2009, 11:05 AM

Post #4 of 8 (983 views)
Permalink
Re: 1024-3072 bit OpenPGP cards [In reply to]

On Jul 17, 2009, at 5:26 AM, Werner Koch wrote:

> 1) Keep it as it is. This will work without surprises unless the user
> once wrote different sized keys to the card.
>
> 2) Always ask for the key size and use as default the current size.
> Show a warning notice if the user entered a different size.
>
> 3) Same as 2 but do this only with --expert.
>
> 4) Add a new command "keysize" to manually set the keysize for each
> key. Print a warning notice before key generation if the key sizes
> of the card are not all the same and tell the user about the
> keysize
> command.
>
> 5) Other suggestions?

My feeling is #2 is the best answer. I'd do it with the current size
(whatever it is) of the signing key slot being used as the default for
all three slots (is it reasonable to assume that if slot #1 can handle
a particular size, then slots #2 and #3 can also handle it?) Prompt
for the key size, and if it is not the same as the default, then print
out a message something like:

You have requested a key size of %u. Note that not all cards can
handle all key sizes.
GnuPG will attempt to create your key, but if the card rejects it,
you may need to try a different key size.
Please consult your card documentation for more information.

Then try and generate the key. If it fails, the user has been
prepared for that possibility.

This makes the user experience of generating a key on a card as close
as possible to generating a key normally.

David




lion at lion

Jul 18, 2009, 2:54 AM

Post #5 of 8 (976 views)
Permalink
Re: 1024-3072 bit OpenPGP cards [In reply to]

reflum,

On Fri, 2009-07-17 at 11:26 +0200, Werner Koch wrote:
> 2) Always ask for the key size and use as default the current size.
> Show a warning notice if the user entered a different size.
>
> 3) Same as 2 but do this only with --expert.
>
> 4) Add a new command "keysize" to manually set the keysize for each
> key. Print a warning notice before key generation if the key sizes
> of the card are not all the same and tell the user about the keysize
> command.

I vote for 3+4:
while using --expert you get asked every time, this is good for experts
as they know the problems. But as --expert is normally the wrong way^(TM)
there needs to be a better way to set it, even without --expert. This may
be done by an additional command (btw. I would use something including
'card' in the command name).

--
Philipp.
(Rah of PH2)


wk at gnupg

Jul 20, 2009, 10:56 AM

Post #6 of 8 (970 views)
Permalink
Re: 1024-3072 bit OpenPGP cards [In reply to]

On Sat, 18 Jul 2009 11:54, lion [at] lion said:

> be done by an additional command (btw. I would use something including
> 'card' in the command name).

Not required because that would be a command in the --card-edit menu.

Meanwhile I tend to implement option 2 and may add an additional
"keysize" command. The latter might be useful to quickly delete all
keys from the card without requiring the time to generate new keys.


Shalom-Salam,

Werner


--
Die Gedanken sind frei. Auschnahme regelt ein Bundeschgesetz.




dshaw at jabberwocky

Jul 20, 2009, 10:57 AM

Post #7 of 8 (973 views)
Permalink
Re: 1024-3072 bit OpenPGP cards [In reply to]

On Jul 18, 2009, at 5:54 AM, Philipp Schafft wrote:

> reflum,
>
> On Fri, 2009-07-17 at 11:26 +0200, Werner Koch wrote:
>> 2) Always ask for the key size and use as default the current size.
>> Show a warning notice if the user entered a different size.
>>
>> 3) Same as 2 but do this only with --expert.
>>
>> 4) Add a new command "keysize" to manually set the keysize for each
>> key. Print a warning notice before key generation if the key
>> sizes
>> of the card are not all the same and tell the user about the
>> keysize
>> command.
>
> I vote for 3+4:
> while using --expert you get asked every time, this is good for
> experts
> as they know the problems. But as --expert is normally the wrong
> way^(TM)
> there needs to be a better way to set it, even without --expert. This
> may
> be done by an additional command (btw. I would use something including
> 'card' in the command name).

My problem with a "keysize" command (#4) is that it makes key
generation into two steps. First the user must run "keysize", and set
the size they want (and if the size isn't supported, they will get an
error). Then they must generate the key.

#2 just combines the "keysize" and "generate" functions into a single
command, as people are used to from regular key generation.

David




wk at gnupg

Aug 5, 2009, 3:37 AM

Post #8 of 8 (925 views)
Permalink
Re: 1024-3072 bit OpenPGP cards [In reply to]

Hi,

I just committed code to allow selection of the key size. It works by
always asking for the keysize and presenting the current size as the
default. A warning is shown once if you try to change the keysize. I
don't think that a separate keysize command makes much sense now.

Here is a sample session:

Make off-card backup of encryption key? (Y/n)

gpg: NOTE: keys are already stored on the card!

Replace existing keys? (y/N) y

Please note that the factory settings of the PINs are
PIN = `123456' Admin PIN = `12345678'
You should change them using the command --change-pin

What keysize do you want for the Signature key? (1024) 2048
The card will now be re-configured to generate a key of 2048 bits
NOTE: There is no guarantee that the card supports the requested size.
If the key generation does not succeed, please check the
documentation of your card to see what sizes are allowed.
What keysize do you want for the Encryption key? (2048) 1024
The card will be re-configured to generate a key of 1024 bits
What keysize do you want for the Authentication key? (2048)
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0)
Key does not expire at all
Is this correct? (y/N) y
[...]


A failure looks like this:

[...]
What keysize do you want for the Encryption key? (1024) 1530
rounded up to 1536 bits
The card will now be re-configured to generate a key of 1536 bits
NOTE: There is no guarantee that the card supports the requested size.
If the key generation does not succeed, please check the
documentation of your card to see what sizes are allowed.
gpg: error changing size of key 2 to 1536 bits: Invalid value
What keysize do you want for the Encryption key? (1024) 2048
The card will now be re-configured to generate a key of 2048 bits
[...]

The warning notice is printed in advance to cover the case that changing
the key attributes does not report an error but the actual key
generation fails at a later point.


On a lower level you can change the keysize using gpg-connect-agent:

$ gpg-connect-agent
> /hex
> scd serialno
OK
> scd setattr KEY-ATTR --force 3 1 1024
OK

This deletes the authentication key from the card and prepares it for
creation of a 1024 bit key. The "--force" is used to prevent
accidental key deletion.



Salam-Shalom,

Werner




--
Die Gedanken sind frei. Auschnahme regelt ein Bundeschgesetz.


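A small checker for the slot-size mismatch discussed in this thread, added here as an example and not GnuPG's own code: it parses KEY-ATTR status lines as gpg-connect-agent would print them, flags slots whose size differs from the signature slot (David's proposed default), and emits the "scd setattr KEY-ATTR --force" commands from Werner's session. The status-line layout and the sample output are assumptions constructed for the example, not captured from a real card.

```python
# Added example, not GnuPG's own code: check an OpenPGP card's three key slots for
# mismatched RSA sizes (the surprise in the thread) and prepare the
# "scd setattr KEY-ATTR --force" commands that make them uniform again.
# Assumption: "scd getattr KEY-ATTR" emits one "S KEY-ATTR <keyno> <algo> <nbits> ..."
# line per slot. SAMPLE_STATUS below is constructed, not captured from a real card.
import re

SLOT_NAMES = {1: "Signature", 2: "Encryption", 3: "Authentication"}
KEY_ATTR_RE = re.compile(r"^S KEY-ATTR (\d) (\d+) (\d+)")

SAMPLE_STATUS = """\
S KEY-ATTR 1 1 2048 17 1
S KEY-ATTR 2 1 2048 17 1
S KEY-ATTR 3 1 1024 17 1
OK
"""

def parse_key_attrs(status_text):
    """Map slot number -> (algo id, key size in bits) from gpg-connect-agent output."""
    attrs = {}
    for line in status_text.splitlines():
        m = KEY_ATTR_RE.match(line)
        if m:
            keyno, algo, nbits = (int(x) for x in m.groups())
            attrs[keyno] = (algo, nbits)
    return attrs

def round_up_keysize(nbits):
    """Round a requested size up to a multiple of 32, as gpg's prompt does (1530 -> 1536)."""
    return ((nbits + 31) // 32) * 32

def mismatched_slots(attrs, reference_slot=1):
    """Slots whose size differs from the reference slot (the signature slot, as David proposed)."""
    ref_bits = attrs[reference_slot][1]
    return sorted(k for k, (_, bits) in attrs.items() if bits != ref_bits)

def setattr_commands(attrs, target_bits):
    """Commands that re-size every slot not already at target_bits.
    Each one DELETES the key in that slot; that is why the card layer demands --force."""
    target_bits = round_up_keysize(target_bits)
    return [f"scd setattr KEY-ATTR --force {keyno} {algo} {target_bits}"
            for keyno, (algo, bits) in sorted(attrs.items()) if bits != target_bits]

if __name__ == "__main__":
    attrs = parse_key_attrs(SAMPLE_STATUS)
    for keyno in mismatched_slots(attrs):
        print(f"WARNING: {SLOT_NAMES[keyno]} slot differs from the signature slot; "
              f"'generate' would silently make a {attrs[keyno][1]} bit key there")
    print("\n".join(setattr_commands(attrs, 2048)))
```

Run the printed commands only after confirming the affected slots hold no key you still need, since each setattr wipes that slot.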
