Re: Partial/fragmented decryption keys

2019-12-09 Thread Wiktor Kwapisiewicz via Gnupg-users

Hi,


I recall from the early days of PGP that there was a way to create a corporate 
key, fragmented into a certain number of portions, which would require some 
quorum to be able to perform decryption. I pored over the GnuPG documentation 
but could not find an equivalent. Perhaps I'm just getting the terminology 
wrong. Is this still possible in OpenPGP and therefore in GnuPG?


It is indeed not implemented in GnuPG.

In case you're curious about how it works in Symantec PGP, here's the 
description:


https://support.symantec.com/us/en/article.HOWTO42097.html

and a video tutorial: https://www.youtube.com/watch?v=Q_Mpa8TOhU0

Symantec recommends this feature for "extremely high security keys" by 
which I guess they mean designated revoker key or additional decryption 
key. Their implementation seems to bring all private keys to one trusted 
computer to reconstruct the combined key.


As others mentioned, there is a flag for marking an OpenPGP key as 
"split" in the spec, so theoretically it could be implemented in free software.


One project that's close is DKGPG but mind that it "should NOT be used 
in production environments". Check out the following links:


http://nongnu.org/dkgpg/

http://www.nongnu.org/libtmcg/kryptotag26_stamer_slides.pdf

Hope this helps!

Kind regards,
Wiktor

--
https://metacode.biz/@wiktor

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


v2.1 openpgp smartcard -- packing in after a `key to card'

2019-12-09 Thread Dirk-Willem van Gulik
During a pretty standard create key; key to card cycle (scripted) I got an 
error

gpg: OpenPGP card not available: Card removed 

just after the 'save' in the --edit-key. A subsequent status check gives me:

gpg2 --card-status 
gpg: OpenPGP card not available: Card removed

with the scdaemon log information below. The key moved onto it was an rsa1024 key:

gpg2 --homedir . --batch --passphrase "$TEMP_PASSWD" --quick-add-key $FPR2 rsa1024

i.e. the second of (key 1):

sec  ed25519/F93BF2C7E09FEDC0
 created: 2019-12-09  expires: 2021-12-08  usage: SC  
 trust: ultimate  validity: ultimate
ssb  rsa1024/3341725A21249687
 created: 2019-12-09  expires: never   usage: E   

Does this ring a bell with anyone?

With kind regards,

Dw.



2019-12-09 18:15:06 scdaemon[47159] DBG: chan_7 <- GETINFO version
2019-12-09 18:15:06 scdaemon[47159] DBG: chan_7 -> D 2.2.17
2019-12-09 18:15:06 scdaemon[47159] DBG: chan_7 -> OK
2019-12-09 18:15:06 scdaemon[47159] DBG: chan_7 <- SERIALNO openpgp
2019-12-09 18:15:06 scdaemon[47159] ccid open error: skip
2019-12-09 18:15:06 scdaemon[47159] ccid open error: skip
2019-12-09 18:15:06 scdaemon[47159] ccid open error: skip
2019-12-09 18:15:06 scdaemon[47159] detected reader 'SCM Microsystems Inc. SPR 532'
2019-12-09 18:15:06 scdaemon[47159] detected reader 'ACS ACR122U PICC Interface'
2019-12-09 18:15:06 scdaemon[47159] detected reader 'OMNIKEY AG CardMan 3121'
2019-12-09 18:15:06 scdaemon[47159] reader slot 0: not connected
2019-12-09 18:15:07 scdaemon[47159] pcsc_control failed: not transacted (0x80100016)
2019-12-09 18:15:07 scdaemon[47159] pcsc_vendor_specific_init: GET_FEATURE_REQUEST failed: 65547
2019-12-09 18:15:07 scdaemon[47159] reader slot 0: active protocol: T1
2019-12-09 18:15:07 scdaemon[47159] slot 0: ATR=3B DA 18 FF 81 B1 FE 75 1F 03 00 31 C5 73 C0 01 40 00 90 00 0C
2019-12-09 18:15:07 scdaemon[47159] AID: D2 76 00 01 24 01 02 01 00 05 00 00 57 2D 00 00
2019-12-09 18:15:07 scdaemon[47159] Historical Bytes: 00 31 C5 73 C0 01 40 05 90 00
2019-12-09 18:15:07 scdaemon[47159] Version-2+ .: yes
2019-12-09 18:15:07 scdaemon[47159] Extcap-v3 ..: no
2019-12-09 18:15:07 scdaemon[47159] Button .: no
2019-12-09 18:15:07 scdaemon[47159] SM-Support .: no
2019-12-09 18:15:07 scdaemon[47159] Get-Challenge ..: yes (2048 bytes max)
2019-12-09 18:15:07 scdaemon[47159] Key-Import .: yes
2019-12-09 18:15:07 scdaemon[47159] Change-Force-PW1: yes
2019-12-09 18:15:07 scdaemon[47159] Private-DOs : yes
2019-12-09 18:15:07 scdaemon[47159] Algo-Attr-Change: yes
2019-12-09 18:15:07 scdaemon[47159] Symmetric Crypto: no
2019-12-09 18:15:07 scdaemon[47159] KDF-Support : no
2019-12-09 18:15:07 scdaemon[47159] Max-Cert3-Len ..: 2048
2019-12-09 18:15:07 scdaemon[47159] Cmd-Chaining ...: no
2019-12-09 18:15:07 scdaemon[47159] Ext-Lc-Le ..: yes
2019-12-09 18:15:07 scdaemon[47159] Status-Indicator: 05
2019-12-09 18:15:07 scdaemon[47159] GnuPG-No-Sync ..: no
2019-12-09 18:15:07 scdaemon[47159] GnuPG-Def-PW2 ..: no
2019-12-09 18:15:07 scdaemon[47159] Key-Attr-sign ..: RSA, n=2048, e=32, fmt=std
2019-12-09 18:15:07 scdaemon[47159] Key-Attr-encr ..: RSA, n=1024, e=32, fmt=std
2019-12-09 18:15:07 scdaemon[47159] Key-Attr-auth ..: RSA, n=2048, e=32, fmt=std
2019-12-09 18:15:07 scdaemon[47159] DBG: chan_7 -> S SERIALNO D2760001240102010005572D
2019-12-09 18:15:07 scdaemon[47159] DBG: chan_7 -> OK
2019-12-09 18:15:07 scdaemon[47159] sending signal 31 to client 47158
2019-12-09 18:15:07 scdaemon[47159] DBG: chan_7 <- LEARN --force
2019-12-09 18:15:07 scdaemon[47159] DBG: chan_7 -> S READER OMNIKEY AG CardMan 3121
2019-12-09 18:15:07 scdaemon[47159] DBG: chan_7 -> S SERIALNO D2760001240102010005572D
2019-12-09 18:15:07 scdaemon[47159] DBG: chan_7 -> S APPTYPE OPENPGP
2019-12-09 18:15:07 scdaemon[47159] DBG: chan_7 -> S EXTCAP gc=1+ki=1+fc=1+pd=1+mcl3=2048+aac=1+sm=0+si=5+dec=0+bt=0+kdf=0
2019-12-09 18:15:07 scdaemon[47159] DBG: chan_7 -> S DISP-NAME
2019-12-09 18:15:07 scdaemon[47159] DBG: chan_7 -> S DISP-LANG de
2019-12-09 18:15:07 scdaemon[47159] DBG: chan_7 -> S DISP-SEX 9
2019-12-09 18:15:07 scdaemon[47159] DBG: chan_7 -> S KEY-FPR 2 26CFCE98D4681687B9665A273341725A21249687
2019-12-09 18:15:07 scdaemon[47159] DBG: chan_7 -> S KEY-TIME 2 1575909434
2019-12-09 18:15:07 scdaemon[47159] DBG: chan_7 -> S CHV-STATUS +0+32+32+32+3+0+3
2019-12-09 18:15:07 scdaemon[47159] DBG: chan_7 -> S SIG-COUNTER 0
2019-12-09 18:15:07 scdaemon[47159] pcsc_transmit failed: not transacted (0x80100016)
2019-12-09 18:15:07 scdaemon[47159] apdu_send_simple(0) failed: general error
2019-12-09 18:15:07 scdaemon[47159] reading public key failed: General error
2019-12-09 18:15:07 scdaemon[47159] DBG: chan_7 -> S KEYPAIRINFO 2AF8CE28A1F0B6E3194C2505C682357407ACC3B3 OPENPGP.2
2019-12-09 18:15:07 scdaemon[47159] pcsc_transmit failed: not transacted (0x80100016)
2019-12-09 18:15:07
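A small triage pass over the scdaemon log above, added here as an example (not GnuPG code): it decodes the OpenPGP card AID into its fields, checks that the fingerprint the card reports for slot 2 ends in the key ID of the rsa1024 subkey that was moved (an OpenPGP v4 key ID is the low 64 bits of the fingerprint), and lists the PC/SC failures. The AID field layout assumed is RID(5) | application(1) | version(2) | manufacturer(2) | serial(4) | RFU(2), and the LOG excerpt is constructed from the post's lines with wrapped lines rejoined.

```python
import re

# Constructed excerpt of the scdaemon log from the post.
LOG = """\
2019-12-09 18:15:07 scdaemon[47159] AID: D2 76 00 01 24 01 02 01 00 05 00 00 57 2D 00 00
2019-12-09 18:15:07 scdaemon[47159] Key-Attr-encr ..: RSA, n=1024, e=32, fmt=std
2019-12-09 18:15:07 scdaemon[47159] DBG: chan_7 -> S KEY-FPR 2 26CFCE98D4681687B9665A273341725A21249687
2019-12-09 18:15:07 scdaemon[47159] pcsc_transmit failed: not transacted (0x80100016)
2019-12-09 18:15:07 scdaemon[47159] reading public key failed: General error
2019-12-09 18:15:07 scdaemon[47159] pcsc_transmit failed: not transacted (0x80100016)
"""

OPENPGP_RID = bytes.fromhex("D276000124")


def parse_aid(hex_bytes):
    """Decode a 16-byte OpenPGP card AID (assumed layout, see lead-in)."""
    b = bytes.fromhex(hex_bytes)
    if len(b) != 16 or b[:5] != OPENPGP_RID or b[5] != 0x01:
        raise ValueError("not an OpenPGP card AID")
    return {"version": f"{b[6]}.{b[7]}",
            "manufacturer": b[8:10].hex().upper(),
            "serial": b[10:14].hex().upper()}


def triage(log):
    """Collect AID, encryption-slot attributes, per-slot fingerprints and failures."""
    out = {"aid": None, "encr_attr": None, "fpr": {}, "failures": []}
    for line in log.splitlines():
        if "] " not in line:
            continue
        msg = line.split("] ", 1)[1]          # drop timestamp and pid prefix
        m = re.search(r"S KEY-FPR (\d) ([0-9A-F]{40})$", msg)
        if msg.startswith("AID: "):
            out["aid"] = parse_aid(msg[5:].replace(" ", ""))
        elif msg.startswith("Key-Attr-encr"):
            out["encr_attr"] = msg.split(": ", 1)[1]
        elif m:
            out["fpr"][int(m.group(1))] = m.group(2)
        elif "failed" in msg:
            out["failures"].append(msg)
    return out


def slot_holds_keyid(report, slot, keyid):
    """True if the card's fingerprint for `slot` belongs to the given 16-hex key ID."""
    fpr = report["fpr"].get(slot)
    return fpr is not None and fpr.endswith(keyid.upper())
```

Run against the post's log, the card serial in the AID matches the SERIALNO line, slot 2 already carries the subkey 3341725A21249687, and the failures start only after LEARN, which points at the reader/transport rather than the key transfer itself.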