Login | Register For Free | Help
Search for: (Advanced)

Mailing List Archive: GnuPG: users

OpenPGP 2.0 and Hushmail keys

  

 
GnuPG users RSS feed   Index | Next | Previous | View Threaded


mcse83 at hotmail

Sep 10, 2009, 12:36 AM

Post #1 of 5 (948 views)
Permalink
OpenPGP 2.0 and Hushmail keys
Does anyone know if the new OpenPGP 2.0 card supports Hushmail keys?
>From what I understand Hushmail is based on OpenPGP so it should work.
The key I have from my Hushmail account is 2048bit in length but once I
copy the key onto the OpenPGP 2.0 card I can't decrypt Hushmail email
anymore, any idea why?

Also, if I generate a brand new key pair ON the OpenPGP 2.0 card, will
anyone be able to export or copy the private key (if the OpenPGP card is
NOT inserted in the reader)? Does GPG write a copy of the keys anywhere
else besides on the card?

I know it asks you when you generate the key pair if you want to store
an off card copy for backup purposes but I selected no for this.

What I don't understand is that when I generated a brand new test key
pair on the OpenPGP card and then removed it from the reader I was still
able to export the keys to a file from key management in Thunderbird,
can someone explain this? I thought the private/secret key was ONLY on
the card when generated this ways so that no one could get to it to
brute force it etc?

Thanks everyone! ;-)
Attachments: smime.p7s (5.46 KB)


dshaw at jabberwocky

Sep 10, 2009, 9:17 AM

Post #2 of 5 (886 views)
Permalink
Re: OpenPGP 2.0 and Hushmail keys [In reply to]
On Sep 10, 2009, at 3:36 AM, Sean Wilson wrote:

> Does anyone know if the new OpenPGP 2.0 card supports Hushmail keys?
>> From what I understand Hushmail is based on OpenPGP so it should
>> work.
> The key I have from my Hushmail account is 2048bit in length but
> once I
> copy the key onto the OpenPGP 2.0 card I can't decrypt Hushmail email
> anymore, any idea why?

It should work fine. It sounds like a different sort of problem.

> Also, if I generate a brand new key pair ON the OpenPGP 2.0 card, will
> anyone be able to export or copy the private key (if the OpenPGP
> card is
> NOT inserted in the reader)? Does GPG write a copy of the keys
> anywhere
> else besides on the card?

No, but there is a stub secret key that lives in the usual secret
keyring. This isn't a true secret key (it does not contain the actual
key data), but is the OpenPGP information (user IDs and other things),
along with a pointer that says "the key is on smartcard XYZ".

So if they can get ahold of your computer, someone could steal this
stub, but there is nothing secret about it, and it won't do them any
good.

David


_______________________________________________
Gnupg-users mailing list
Gnupg-users [at] gnupg
http://lists.gnupg.org/mailman/listinfo/gnupg-users


mcse83 at hotmail

Sep 10, 2009, 9:53 AM

Post #3 of 5 (877 views)
Permalink
Re: OpenPGP 2.0 and Hushmail keys [In reply to]
Thanks for the reply!

How do I troubleshoot the issue I am experiencing with my Hushmail keys
on the OpenPGP 2.0 card not being able to decrypt my mail?

Are you sure about what you said below regarding the stub and the
secret/private key? I just generated a test key pair on the OpenPGP 2.0
card and then removed the card from the reader. When I go into key
management in Thunderbird and select the newly created key and select
"export keys to file" it says:

Do you want to include the secret key in the saved OpenPGP key file?

So I click " Export secret keys" and it saves it to a .asc file. If I
open this in notepad it looks as follows (this is a test key so I don't
mind posting it here as it will be deleted and is for testing purposes
only):

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.10 (MingW32)

mI0ESqkqYgEEAIYhqEhZZee+zfPk2b782y+KvWswD38+6upjGP0wz/hq3iazMZLG
8YZKTQ81GIaKptl3Ke0hBEKVLBlU97Sf0ijUclUtZU6AVn+uscFAw7MiH9a+Lzek
xYWlA9ITrlz4BVTmc78yFr9SC/ntcX1a7fovKMg6nDgogcEXi1RAN0nFABEBAAG0
JHN3QHRlc3QuY29tIChURVNUIDAwMykgPHN3QHRlc3QuY29tPoi4BBMBAgAiBQJK
qSpiAhsDBgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRBEbTBUCVZGxk1OA/9e
Bx0CJfn07D3YUZiVgVdqhz4aKom7QiQtLmJRZoasToKs3cq5UInMwu8DlMm+FHd0
0jgvlVTSsp/wfcGHM3s77rD/6mJmPsGNaBsLUFouyRbbAm4IhAAKTqjbWgwORjF9
ffOWy28GTXwp9vGACu2kIDSvRhFPhHzPs5Ssieq1PriNBEqpKmIBBACkoagKVkIU
+3ugbhTty3xQQ/7uQUmWGIcoUu/nWtitswK0KHO6sOD+pVAm2C8KqYTxVLgJcfrq
XUAkB/CDbo1NIDONdBuPR8yxOh+BRjpGEKdW887y1C2k7dVM9HX4001AEcOo3lQD
s/jKfn5wLqYUhbHFEOxkqQvpbmkBs1we0wARAQABiJ4EGAECAAkFAkqpKmICGyAA
CgkQRG0wVAlWRsalyAP2Lb29wtB7h84dKb4dg28Wgq0jd7ZisLhJNn8hjlTUcYK8
q0BbXXLkpVgt8JWYXubmQbXsHLMipab3qQAryGU9v6eH+VeRV4E4L/G9hJOuqaQs
ySHj61iLaI6GSAo3maVRnJwFSyX5zIHo2bIlpQWQtqvp2cw/YwhSVgJcHoQcV7iN
BEqpKmIBBACRYDxMNqTMOdoAeRHG8AOnzhhBCCXSVI0ErZ7t3xs67vd7S4JmZcMd
wj80CKCNSH56iDHRGWbgJ7x5a2ngl41vspFOgOxeb90YTN+k6W8CfCB/Rah4crQQ
U0RtoKoghia6AyRstMLNjxXssKM4So2PzaUVZkkj6F4g1EY374qF7wARAQABiJ8E
GAECAAkFAkqpKmICGwwACgkQRG0wVAlWRsa5FQP+PPKmU/jKZCd0HSVuBhVwRNHl
1cUmagZNgBeCMP2n1vj4fqcEkRLgE1UxZ2vs/n+r3bmIf47rSYH6ANeo47d1NymJ
WCJnD2xrjuqhVX6uYeECfMS36k5bxPKBveuPvbhmxSBa26Ju215fPizg8CCYjw7p
/sFdiVsSWXO9wCETPPQ=
=zTSa
-----END PGP PUBLIC KEY BLOCK-----
-----BEGIN PGP PRIVATE KEY BLOCK-----
Version: GnuPG v1.4.10 (MingW32)

lKYESqkqYgEEAIYhqEhZZee+zfPk2b782y+KvWswD38+6upjGP0wz/hq3iazMZLG
8YZKTQ81GIaKptl3Ke0hBEKVLBlU97Sf0ijUclUtZU6AVn+uscFAw7MiH9a+Lzek
xYWlA9ITrlz4BVTmc78yFr9SC/ntcX1a7fovKMg6nDgogcEXi1RAN0nFABEBAAH/
AGUAR05VAhDSdgABJAECAAAFAAAAQwAAtCRzd0B0ZXN0LmNvbSAoVEVTVCAwMDMp
IDxzd0B0ZXN0LmNvbT6IuAQTAQIAIgUCSqkqYgIbAwYLCQgHAwIGFQgCCQoLBBYC
AwECHgECF4AACgkQRG0wVAlWRsZNTgP/XgcdAiX59Ow92FGYlYFXaoc+GiqJu0Ik
LS5iUWaGrE6CrN3KuVCJzMLvA5TJvhR3dNI4L5VU0rKf8H3BhzN7O+6w/+piZj7B
jWgbC1BaLskW2wJuCIQACk6o21oMDkYxfX3zlstvBk18KfbxgArtpCA0r0YRT4R8
z7OUrInqtT6cpgRKqSpiAQQApKGoClZCFPt7oG4U7ct8UEP+7kFJlhiHKFLv51rY
rbMCtChzurDg/qVQJtgvCqmE8VS4CXH66l1AJAfwg26NTSAzjXQbj0fMsTofgUY6
RhCnVvPO8tQtpO3VTPR1+NNNQBHDqN5UA7P4yn5+cC6mFIWxxRDsZKkL6W5pAbNc
HtMAEQEAAf8AZQBHTlUCENJ2AAEkAQIAAAUAAABDAACIngQYAQIACQUCSqkqYgIb
IAAKCRBEbTBUCVZGxqXIA/Ytvb3C0HuHzh0pvh2DbxaCrSN3tmKwuEk2fyGOVNRx
gryrQFtdcuSlWC3wlZhe5uZBtewcsyKlpvepACvIZT2/p4f5V5FXgTgv8b2Ek66p
pCzJIePrWItojoZICjeZpVGcnAVLJfnMgejZsiWlBZC2q+nZzD9jCFJWAlwehBxX
nKYESqkqYgEEAJFgPEw2pMw52gB5EcbwA6fOGEEIJdJUjQStnu3fGzru93tLgmZl
wx3CPzQIoI1IfnqIMdEZZuAnvHlraeCXjW+ykU6A7F5v3RhM36TpbwJ8IH9FqHhy
tBBTRG2gqiCGJroDJGy0ws2PFeywozhKjY/NpRVmSSPoXiDURjfvioXvABEBAAH/
AGUAR05VAhDSdgABJAECAAAFAAAAQwAAiJ8EGAECAAkFAkqpKmICGwwACgkQRG0w
VAlWRsa5FQP+PPKmU/jKZCd0HSVuBhVwRNHl1cUmagZNgBeCMP2n1vj4fqcEkRLg
E1UxZ2vs/n+r3bmIf47rSYH6ANeo47d1NymJWCJnD2xrjuqhVX6uYeECfMS36k5b
xPKBveuPvbhmxSBa26Ju215fPizg8CCYjw7p/sFdiVsSWXO9wCETPPQ=
=Ol1j
-----END PGP PRIVATE KEY BLOCK-----


If I open my Hushmail keys in notepad it looks familiar to the test key
I have exported from key management (with the card not inserted in the
reader)!

I am battling to understand this as I thought generating a key pair on
the openPGP card itself was as secure as can be as your private key ONLY
exists on the card itself and is not available anywhere else (ie: on
your hard drive for export).


David Shaw wrote:
> On Sep 10, 2009, at 3:36 AM, Sean Wilson wrote:
>
>> Does anyone know if the new OpenPGP 2.0 card supports Hushmail keys?
>>> From what I understand Hushmail is based on OpenPGP so it should work.
>> The key I have from my Hushmail account is 2048bit in length but once I
>> copy the key onto the OpenPGP 2.0 card I can't decrypt Hushmail email
>> anymore, any idea why?
>
> It should work fine. It sounds like a different sort of problem.
>
>> Also, if I generate a brand new key pair ON the OpenPGP 2.0 card, will
>> anyone be able to export or copy the private key (if the OpenPGP card is
>> NOT inserted in the reader)? Does GPG write a copy of the keys anywhere
>> else besides on the card?
>
> No, but there is a stub secret key that lives in the usual secret
> keyring. This isn't a true secret key (it does not contain the actual
> key data), but is the OpenPGP information (user IDs and other things),
> along with a pointer that says "the key is on smartcard XYZ".
>
> So if they can get ahold of your computer, someone could steal this
> stub, but there is nothing secret about it, and it won't do them any
> good.
>
> David
>
>
>
Attachments: smime.p7s (5.46 KB)


mcse83 at hotmail

Sep 10, 2009, 10:36 AM

Post #4 of 5 (879 views)
Permalink
Re: OpenPGP 2.0 and Hushmail keys [In reply to]
This is the error I get when I try to decrypt Hushmail emails in
Thunderbird with the OpenPGP card:

Error - secret key needed to decrypt message

gpg command line and output:
C:\Program Files\GNU\GnuPG\gpg.exe
gpg: detected reader `AKS ifdh 0'
gpg: detected reader `AKS ifdh 1'
gpg: detected reader `AKS VR 0'
gpg: detected reader `Aladdin Token JC 0'
gpg: detected reader `SCM Microsystems Inc. SCR3340 ExpressCard Reader 0'
gpg: fingerprint on card does not match requested one (huh, whats this
mean?)
gpg: encrypted with 2048-bit RSA key, ID xxxxxxxx, created 2006-07-11
""xxxxxxxxxx [at] hush" <xxxxxxxxx [at] hush>"
gpg: encrypted with 2048-bit RSA-E key, ID xxxxxxxx, created 2009-05-27
""xxxxxxxx [at] hushmail" <xxxxxxxxxxx [at] hushmail>"
gpg: public key decryption failed: wrong secret key used
gpg: decryption failed: secret key not available

This happens after copying my Hushmail keys to the OpenPGP card...


David Shaw wrote:
> On Sep 10, 2009, at 3:36 AM, Sean Wilson wrote:
>
>> Does anyone know if the new OpenPGP 2.0 card supports Hushmail keys?
>>> From what I understand Hushmail is based on OpenPGP so it should work.
>> The key I have from my Hushmail account is 2048bit in length but once I
>> copy the key onto the OpenPGP 2.0 card I can't decrypt Hushmail email
>> anymore, any idea why?
>
> It should work fine. It sounds like a different sort of problem.
>
>> Also, if I generate a brand new key pair ON the OpenPGP 2.0 card, will
>> anyone be able to export or copy the private key (if the OpenPGP card is
>> NOT inserted in the reader)? Does GPG write a copy of the keys anywhere
>> else besides on the card?
>
> No, but there is a stub secret key that lives in the usual secret
> keyring. This isn't a true secret key (it does not contain the actual
> key data), but is the OpenPGP information (user IDs and other things),
> along with a pointer that says "the key is on smartcard XYZ".
>
> So if they can get ahold of your computer, someone could steal this
> stub, but there is nothing secret about it, and it won't do them any
> good.
>
> David
>
>
>
Attachments: smime.p7s (5.46 KB)


wk at gnupg

Sep 21, 2009, 2:10 AM

Post #5 of 5 (786 views)
Permalink
Re: OpenPGP 2.0 and Hushmail keys [In reply to]
On Thu, 10 Sep 2009 18:53, mcse83 [at] hotmail said:

> I am battling to understand this as I thought generating a key pair on
> the openPGP card itself was as secure as can be as your private key ONLY
> exists on the card itself and is not available anywhere else (ie: on
> your hard drive for export).

If you look at the exported key you posted with gpg --list-packets yopu
will get the listing below. I added a few comments:

:secret key packet:
version 4, algo 1, created 1252600418, expires 0
skey[0]: [1024 bits]
skey[1]: [17 bits]
gnu-divert-to-card S2K, algo: 0, simple checksum, hash: 0
serial-number: d2 76 00 01 24 01 02 00 00 05 00 00 00 43 00 00

The primary secret key stub. The line "gnu-divert-to-card" indicates
that this is stub key.

As you can see there are only two parameters: skey[0] and skey[1] - this
makes up the public parts of the key. There is nothing secret with
them. For a real secret key (and not just a stub) you would see more
parameters (i.e. the secret parameters).

:user ID packet: "sw [at] test (TEST 003) <sw [at] test>"
:signature packet: algo 1, keyid 446D3054095646C6
version 4, created 1252600418, md5len 0, sigclass 0x13
digest algo 2, begin of digest 4d 4e
hashed subpkt 2 len 4 (sig created 2009-09-10)
hashed subpkt 27 len 1 (key flags: 03)
hashed subpkt 11 len 5 (pref-sym-algos: 9 8 7 3 2)
hashed subpkt 21 len 5 (pref-hash-algos: 8 2 9 10 11)
hashed subpkt 22 len 3 (pref-zip-algos: 2 3 1)
hashed subpkt 30 len 1 (features: 01)
hashed subpkt 23 len 1 (key server preferences: 80)
subpkt 16 len 8 (issuer key ID 446D3054095646C6)
data: [1023 bits]
:secret sub key packet:
version 4, algo 1, created 1252600418, expires 0
skey[0]: [1024 bits]
skey[1]: [17 bits]
gnu-divert-to-card S2K, algo: 0, simple checksum, hash: 0
serial-number: d2 76 00 01 24 01 02 00 00 05 00 00 00 43 00 00

Same as with the primary key.

:signature packet: algo 1, keyid 446D3054095646C6
version 4, created 1252600418, md5len 0, sigclass 0x18
digest algo 2, begin of digest a5 c8
hashed subpkt 2 len 4 (sig created 2009-09-10)
hashed subpkt 27 len 1 (key flags: 20)
subpkt 16 len 8 (issuer key ID 446D3054095646C6)
data: [1014 bits]
:secret sub key packet:
version 4, algo 1, created 1252600418, expires 0
skey[0]: [1024 bits]
skey[1]: [17 bits]
gnu-divert-to-card S2K, algo: 0, simple checksum, hash: 0
serial-number: d2 76 00 01 24 01 02 00 00 05 00 00 00 43 00 00

Same as with the primary key.

:signature packet: algo 1, keyid 446D3054095646C6
version 4, created 1252600418, md5len 0, sigclass 0x18
digest algo 2, begin of digest b9 15
hashed subpkt 2 len 4 (sig created 2009-09-10)
hashed subpkt 27 len 1 (key flags: 0C)
subpkt 16 len 8 (issuer key ID 446D3054095646C6)
data: [1022 bits]



Shalom-Salam,

Werner

--
Die Gedanken sind frei. Auschnahme regelt ein Bundeschgesetz.


_______________________________________________
Gnupg-users mailing list
Gnupg-users [at] gnupg
http://lists.gnupg.org/mailman/listinfo/gnupg-users

GnuPG users RSS feed   Index | Next | Previous | View Threaded
 
 


Interested in having your list archived? Contact Gossamer Threads
 
  Web Applications & Managed Hosting Powered by Gossamer Threads Inc.