Re: Use the same passphrase for PGP and SSH keys and get prompted only once by gpg-agent

2018-03-01 Thread Werner Koch
On Wed, 28 Feb 2018 15:02, w...@gnupg.org said:

> Oh no, I don't want to promote create solutions of our complex API ;-)

s/create/creative/



-- 
#  Please read:  Daniel Ellsberg - The Doomsday Machine  #
Thoughts are free.  Exceptions are regulated by a federal law.


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


Re: openpgp smartcard: ssh auth speed vs. RSA key size

2018-03-01 Thread Werner Koch
On Thu,  1 Mar 2018 18:18, thomas.jaro...@intra2net.com said:

> We found this while creating our keys with 4096 bit and now reverted to 2048 
> bit. It's secure enough and the speed hit is almost not noticeable.

With a gnuk token and an ed25519 key it will even be much faster than
with a RSA 2048 bit key and a real smartcard.  Unfortunately the
Zeitcontrol card does not support ed25519.


Salam-Shalom,

   Werner



Re: [FEATURE REQ] Keygrips in --card-status

2018-03-01 Thread Werner Koch
On Thu,  1 Mar 2018 13:06, pe...@digitalbrains.com said:

> So if --card-status would actually use the --with-keygrip option, it
> would be much easier to look up the keygrip for an OpenPGP smartcard,

Good suggestion.  Here is the output you will see in 2.2.6 when
--with-keygrip is used with --card-status:

Signature counter : 4604
Signature key : C1D3 4B69 219E 4AEE C0BA  1C21 E3FD FF21 8E45 B72B
  created : 2015-02-18 18:12:18
  keygrip : 1D538E0FA8DFC2ED7F0382ED25ADE1EF23D12C5C
Encryption key: DC9D AC60 8A8F 118F D8D0  F332 F4EC 45F1 1B45 7A45
  created : 2016-02-14 13:12:34
  keygrip : EE5A80CF605C7B8A2402E9CB41B553F2E5069B33
Authentication key: 59CE FA65 05DF 817B 3FE9  8F57 A588 F0D2 ABD0 CAF6
  created : 2016-02-14 13:14:07
  keygrip : EE5A80CF605C7B8A2402E9CB41B553F2E5069B33

and the --with-colons output has an additional "grp:" record (even without
--with-keygrip).


Shalom-Salam,

   Werner




Re: Use the same passphrase for PGP and SSH keys and get prompted only once by gpg-agent

2018-03-01 Thread Ben McGinnes
On Wed, Feb 28, 2018 at 03:02:58PM +0100, Werner Koch wrote:
> On Wed, 21 Feb 2018 07:27, b...@adversary.org said:
> 
> >> No, there is no way to configure an extra hack to also test a passphrase
> >> for an ssh key.
> >
> > Wanna bet?
> 
> Oh no, I don't want to promote create solutions of our complex API ;-)

Heheh.

I have a friend who frequently used to say that if a question began
with "Would it be wrong to ..." then the answer was always "No."

I think it was about the point where I asked, "Would it be wrong to
release freshwater crocodiles just a little upstream of [local picnic
area where children feed ducks and geese] just in time for the summer
holidays?" that he gave up.


Regards,
Ben




openpgp smartcard: ssh auth speed vs. RSA key size

2018-03-01 Thread Thomas Jarosch
Hello together,

here's an interesting observation on ssh auth speed
when using different key sizes on the openpgp smartcard:

RSA 2048 bit key: 0.7s
RSA 4096 bit key: 3.1s

Card used is an openpgp smartcard V3.3
with gnupg 2.2.4. The ssh key is accessed via gpg-agent.

We found this while creating our keys with 4096 bit and now reverted to 2048 
bit. It's secure enough and the speed hit is almost not noticeable.

The time was measured with:

$ time ssh SERVERNAME /bin/true

Cheers,
Thomas






Re: gnupg SmartCard V3.3

2018-03-01 Thread Werner Koch
On Thu,  1 Mar 2018 10:08, k...@glsys.de said:

> i found this ct 2017-10 (german computer magazine) Article,
> where they claim the reader to be working with the openpgp smartcard Version 
> 2.1 
> by transferring precreated 4096-Bit keys. This is exactly what I am

Well most drivers work on Windows because they fix them using their
Windows drivers.  This does not work on Linux because there is no
generic (and proprietary) driver for them.

> So either i am doing something stupid or the V3.3 card incorporated changes 
> which broke this.
> I ordered another reader and asked if it would be possible to buy some
> 2.1 cards for cross-testing, but it seems they would have to be

The interface part of the 3.3 cards is not different from the 2.1 cards;
the changes are just in the OpenPGP card application, whose counterpart
is in GnuPG.

> Can anybody suggest how i could further debug the --card-edit and 
> --card-status to find out why the stubs are not being generated?

Now, are you on 2.1.11 or 2.2.3?


Salam-Shalom,

   Werner



Re: gnupg SmartCard V3.3

2018-03-01 Thread Klaus Römer
Thank you all for the support!
The mail about needing support for the V3.3 cards in opensc pointed me in the 
right direction.
I relied on the information that the V3.3 is backwards compatible to the V2.1
but this does not seem to be the case.
Compiling a fresh gpg 2.2.5  with --enable-ccid-driver from source did the 
trick for the linux machines.

Kind Regards,
 Klaus Römer




[FEATURE REQ] Keygrips in --card-status (was: gpgsm --gen-key with key on smartcard)

2018-03-01 Thread Peter Lebbing
On 28/02/18 20:59, Werner Koch wrote:
> But that is about gpg and not about gpgsm.

Currently, it's not that easy to get the keygrip for an OpenPGP
smartcard key.

For keys for which the public part is available, it's:
$ gpg --card-status
Note desired KEYID
$ gpg --with-keygrip -k $KEYID
Find the KEYID in the certificate listed and see the keygrip below it.

I have smartcards with Auth keys that are not part of an OpenPGP
certificate. For these and other cases where the public part is not in
the keyring, it's more difficult to get the keygrip. Probably something
like:
$ gpg-connect-agent 'keyinfo --list' /bye|grep 87061340
for my GnuK with serial FFFE 87061340.

So if --card-status would actually use the --with-keygrip option, it
would be much easier to look up the keygrip for an OpenPGP smartcard,
*especially* when the smartcard is not currently in use by gpg. Even
though the query is done by "gpg --card-status", it is more a feature
for OpenPGP smartcards regardless of whether they are used for OpenPGP keys.

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 



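An added example, not code from the thread or from GnuPG: it parses the human-readable `gpg --card-status --with-keygrip` listing quoted earlier in the thread (the sample below is that listing, embedded as constructed input) into per-slot fingerprints and keygrips, validates the keygrip format, and reports slots that share one keygrip, as the encryption and authentication slots do in that listing. It assumes the plain-text layout shown in the thread, not the --with-colons "grp:" record.

```python
import re

# Constructed sample: the --card-status --with-keygrip listing posted in the thread.
CARD_STATUS = """\
Signature counter : 4604
Signature key : C1D3 4B69 219E 4AEE C0BA  1C21 E3FD FF21 8E45 B72B
  created : 2015-02-18 18:12:18
  keygrip : 1D538E0FA8DFC2ED7F0382ED25ADE1EF23D12C5C
Encryption key: DC9D AC60 8A8F 118F D8D0  F332 F4EC 45F1 1B45 7A45
  created : 2016-02-14 13:12:34
  keygrip : EE5A80CF605C7B8A2402E9CB41B553F2E5069B33
Authentication key: 59CE FA65 05DF 817B 3FE9  8F57 A588 F0D2 ABD0 CAF6
  created : 2016-02-14 13:14:07
  keygrip : EE5A80CF605C7B8A2402E9CB41B553F2E5069B33
"""

# Slot header lines; "[ .]*" also tolerates the dotted filler gpg prints in wider listings.
KEY_LINE = re.compile(r"^(Signature|Encryption|Authentication) key[ .]*:\s*(.*?)\s*$")
# Indented attribute lines that belong to the slot header above them.
ATTR_LINE = re.compile(r"^\s+(created|keygrip)[ .]*:\s*(\S.*?)\s*$")
HEX40 = re.compile(r"^[0-9A-Fa-f]{40}$")


def parse_card_status(text):
    """Map slot role -> {'fingerprint', 'created', 'keygrip'} from plain card-status text."""
    slots, current = {}, None
    for line in text.splitlines():
        m = KEY_LINE.match(line)
        if m:
            role, value = m.group(1).lower(), m.group(2)
            current = slots.setdefault(role, {})
            # An empty slot is printed as "[none]"; keep it distinguishable from a key.
            current["fingerprint"] = None if value == "[none]" else value.replace(" ", "")
            continue
        m = ATTR_LINE.match(line)
        if m and current is not None:
            current[m.group(1)] = m.group(2)
    # Reject anything that does not look like a keygrip (40 hex digits, SHA-1 sized).
    for role, info in slots.items():
        grip = info.get("keygrip")
        if grip is not None and not HEX40.match(grip):
            raise ValueError(f"{role}: malformed keygrip {grip!r}")
    return slots


def shared_keygrips(slots):
    """Keygrips used by more than one slot, e.g. one key serving both encrypt and auth."""
    by_grip = {}
    for role, info in slots.items():
        if info.get("keygrip"):
            by_grip.setdefault(info["keygrip"], []).append(role)
    return {g: sorted(r) for g, r in by_grip.items() if len(r) > 1}
```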


Re: gnupg SmartCard V3.3

2018-03-01 Thread Thomas Jarosch
Hello Klaus,

On Thursday, 01 March 2018 10:08:14 CET Klaus Römer wrote:
> This is my target device because it is built-in in our Laptops,
> I found this ct 2017-10 (german computer magazine) Article,
> where they claim the reader to be working with the openpgp smartcard Version
> 2.1 by transferring precreated 4096-Bit keys. This is exactly what I am
> trying to do - and it seems to work, only the stub keys are not being
> generated…
> 
> So either I am doing something stupid or the V3.3 card incorporated changes
> which broke this. I ordered another reader and asked if it would be
> possible to buy some 2.1 cards for cross-testing, but it seems they would
> have to be manufactured as they are out of stock.

Today I'm also setting up a bunch of V3.3 cards.

There is indeed a problem: OpenSC added support for the new cards just
in the current git HEAD version. See:
https://github.com/OpenSC/OpenSC/issues/1215

-> we compiled opensc from git on Fedora and are now able to talk to the card.

You might be affected by this if gnupg talks to the card
via opensc instead of the builtin libusb based CCID driver.
(that's what NIIBE Yutaka suspected in his reply)

HTH,
Thomas






Re: gnupg SmartCard V3.3

2018-03-01 Thread Klaus Römer

> On 28.02.2018 at 15:56, Werner Koch wrote:
> 
> On Tue, 27 Feb 2018 01:04, k...@glsys.de said:
> 
>> gpg2 --version is 2.1.11
> 
> That is a pretty old and somewhat buggy version which will likely have
> problems with newer smartcards.
> 
>> Tried gpg (GnuPG/MacGPG2) 2.2.3
>> on a completely different machine (mac)
> 
> That version is recent enough and as long as macOS is properly
> configured for the card it will work.  You may want to ask over at
> gpgtools.org, though.
> 
>> Tried three different card-reader:
>> - Cherry GmbH SmartBoard XX44
> 
> IIRC that is the old Omnikey reader based keyboard.  I have one myself.
> It does not work with 2048 bit keys unless you use their Windows driver.
> 
>> -  KOBIL EMV CAP - SecOVID Reader III
> 
> I am not sure which reader this is, I had to dump my Kobil reader a long
> time ago when I moved to 2048 bit keys.  The problem is slightly
> different than with Omnicard keys but I can't remember the details.
> 
>> - Alcor Micro AU9540 00 00
> 
> I am not sure about them.  Quite some time ago they simply did not work.
This is my target device because it is built-in in our Laptops,
I found this ct 2017-10 (german computer magazine) Article,
where they claim the reader to be working with the openpgp smartcard Version 
2.1 
by transferring precreated 4096-Bit keys. This is exactly what I am trying to do 
- and it seems to work, only the stub keys are not being generated…

So either I am doing something stupid or the V3.3 card incorporated changes 
which broke this.
I ordered another reader and asked if it would be possible to buy some 2.1 
cards for cross-testing, but it seems they would have to be manufactured as 
they are out of stock.

Can anybody suggest how I could further debug the --card-edit and --card-status 
to find out why the stubs are not being generated?

Kind Regards,
 Klaus


> 
> @gniibe: Do you have any more up to date information on macOS and
> smartcard readers?
> 
> 
> Shalom-Salam,
> 
>   Werner
> 
> -- 
> #  Please read:  Daniel Ellsberg - The Doomsday Machine  #
> Thoughts are free.  Exceptions are regulated by a federal law.




Re: Fwd: gnupg SmartCard V3.3

2018-03-01 Thread Matthias Apitz
On Thursday, March 01, 2018 at 09:14:15AM +0900, NIIBE Yutaka wrote:

> Hello,
> 
> Werner Koch  wrote:
> > @gniibe: Do you have any more up to date information on macOS and
> > smartcard readers?
> 
> If possible, I recommend to use GnuPG's in-stock driver to access
> smartcard.  It is direct access by libusb, not using PC/SC service.
> 
> For GNU/Linux, if you don't have any other use of PC/SC service, please
> uninstall it, or disable the service, and try again with GnuPG's
> in-stock driver.
> 
> For the driver, I maintain this list:
> 
> https://wiki.debian.org/GnuPG/CCID_Driver
> 
> For macOS, I think that it still uses old PC/SC and libccid library.
> I'm afraid that new readers (with new features like pinpad support)
> don't work well, or don't work at all.
> 

Hello,

I use the following USB token on FreeBSD-12 CURRENT and the 'pcscd'
is configured to be started by devd on device attach:

Mar  1 08:00:56 r314251-amd64 kernel: ugen0.2:  at usbus0
Mar  1 08:00:56 r314251-amd64 root: CCID uTrust, type: ATTACH, system: USB, 
subsystem: INTERFACE
Mar  1 08:00:56 r314251-amd64 root: /usr/local/sbin/pcscd
Mar  1 08:00:56 r314251-amd64 root: Unknown USB device: vendor 0x04e6 product 
0x5816 bus uhub0

The OpenPGP card works fine as:

$ gpg2 --card-status

Reader ...: Identiv uTrust 3512 SAM slot Token (55511514602745)
00 00
Application ID ...: D2760001240102010005532B
Version ..: 2.1
Manufacturer .: ZeitControl
Serial number : 532B
Name of cardholder: Matthias Apitz
...

Do I have any chance to use the USB token and the card directly without
'pcscd'?

Thanks

matthias

-- 
Matthias Apitz, ✉ g...@unixarea.de, ⌂ http://www.unixarea.de/   
+49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub
