[OTR-users] Smartcard support?

Jacob Appelbaum jacob at appelbaum.net
Fri Sep 28 18:01:27 EDT 2012


Pete Stephenson:
> On 9/28/2012 10:18 PM, Jacob Appelbaum wrote:
>> Pete Stephenson:
>>> Hi all,
>>>
>>> Quick question: are there any plans for OTR to support keys stored on
>>> smartcards?
>>>
>>> I like the idea of storing keys securely (with offline backups,
>>> naturally) on smartcards to prevent their being abused even in the event
>>> of a system compromise and I have my PGP and S/MIME certs on such cards.
>>> It'd be nice to also have OTR keys stored on smartcards.
>>>
>>
>> I have one of the GnuPG smart cards made by g10 - it seems to me that an
>> OTR DSA key could be added to the authentication key slot.
> 
> Hmm. I was under the impression that the g10 card only supported RSA
> keys, not DSA?
> 

Oh yes, I forgot. How frustrating. There is another reason to add an RSA
key type...

> My primary PGP key is DSA but I have RSA subkeys on a GPF Crypto Stick
> (it's a g10 smartcard encapsulated in a self-contained USB token). My
> Feitian ePass 2003 smartcard also only handles RSA as the public key
> algorithm. I suspect most other common smartcards are similar.
> 

Yes, I seem to recall a few reasons for this design.

>> The main issue is how we'd interface with the smart card from libotr or
>> pidgin-otr. Does GnuPG offer some kind of abstraction interface for
>> third party applications? If so, I think it would be a fantastic idea to
>> try to make this happen.
> 
> Good question. I'd imagine that for most *nix-based systems one could
> use OpenSC to interface with most smartcards.
> 
> For Windows, card vendors can make CCID-spec devices
> <http://msdn.microsoft.com/en-us/windows/hardware/gg487509> so that
> device-specific drivers aren't needed. For card-specific commands, card
> vendors can use a "minidriver" that makes it (relatively) easy to
> implement those features without having to re-invent the wheel. For
> example, the ePass 2003 can get the relevant minidriver from Windows
> Update without needing any vendor-specific software.
> 

Does GnuPG work in Windows directly?

> Gooze, a French distributor, is giving away no-cost tokens to free
> software developers:
> <http://www.gooze.eu/feitian-pki-free-software-developer-card> -- for
> various legal reasons (I believe it's related to a patent dispute) they
> can't ship the smartcards to the US and Canada but they can ship the USB
> tokens (which have the same smartcard functionality) to those countries.
> 

Wow, nice.

> Of course, all of these smartcards require RSA public keys, so perhaps
> this won't work with OTR. :/
> 

Well, if we were to add an RSA key type, I think we could use it.

> Disclaimer: I am not affiliated with Gooze, Feitian, the GPF, or any of
> the organizations listed above other than simply being a private
> customer of their products. I have no interest, financial or otherwise,
> in their organizations or products.
>

Heh, OK. Thanks for the pointers.

All the best,
Jacob
