Bitcoin Forum
December 08, 2016, 02:12:21 AM *
News: Latest stable version of Bitcoin Core: 0.13.1  [Torrent].
 
   Home   Help Search Donate Login Register  
Pages: [1]
  Print  
Author Topic: An FYI: GPG and SmartCard Implementation  (Read 2559 times)
Shinobi
Full Member
***
Offline Offline

Activity: 196


View Profile
July 03, 2011, 02:50:11 AM
 #1

I'm sure many of you aren't familiar with GnuPG Smart cards. For those not familiar, there is an OpenPGP SmartCard Project that has created an open standard specification for PGP-compliant smart cards. Kernel Concepts (Germany) sell cards made in compliance with this OpenPGP secification for roughly $20, which work with many commonly found card readers .

I have a setup that makes use of one of these cards in two ways:

1. PGP Decryption: Rather than having to manually key in my passphrase to decrypt PGP-encrypted e-mails sent to me, I have the passphrase and private key stored on the smartcard, and when it is inserted - e-mails are seamlessly decrypted. Apart from being convenient, the fact that my private key is kept ONLY on the card means that the chance of my private key being compromised is heavily reduced. Should someone steal my smartcard, they will have a helluva time trying to extract my private key - 10 incorrect tries to mount the smartcard and it erases itself.

2.  Full-Disk Encryption. I make use of Full Disk Encryption - if you are too lazy to read the linked Wiki page, it means that my harddrive is completely encrypted and the harddrive is decrypted on-the-fly when booted up (computers these days are so fast, that there is essentially no noticeable performance loss). This has several obvious advantages - when the computer is off, the harddrive remains in an encrypted state. My smartcard contains the passkey used to decrypt my system at boot. so with the smartcard plugged in, my computer seamlessly boots without my input. If the card is not installed, I am prompted for the passphrase just prior to booting of the OS.

I think many of you would benefit from this, the especially No. 2 above. Should you computer be stolen, your computer could not be booted, and depending on the strength of your passphrase, you harddrive could never be penetrated (and your wallet.dat compromised). Note that a smartcard is NOT needed for full-disk encryption. It just takes away the small annoyance of having to type in a passphrase everytime you boot. And because of this automation, your passphrase can be significantly longer since you don't have to spend time typing it. I recommend that all of you make use of full-disk encryption. Most flavors of Linux have it as an option during installation. Alternatively you can have Truecrypt set-up full-disk encryption (both Windows 7 and Linux). And you don't need to reinstall your OS to do so.


If anyone needs help setting this up, I'm more than happy to help. To head off any accusations, I do not work for any of the companies or foundations involved in this initiative, so I have nothing to financially gain. I'm just trying to be helpful.

_______
Thinking of using a cheap, yet reliable VPN? Go with PrivateInternetAccess. Not a referral link. Just a satisfied customer!
1481163141
Hero Member
*
Offline Offline

Posts: 1481163141

View Profile Personal Message (Offline)

Ignore
1481163141
Reply with quote  #2

1481163141
Report to moderator
1481163141
Hero Member
*
Offline Offline

Posts: 1481163141

View Profile Personal Message (Offline)

Ignore
1481163141
Reply with quote  #2

1481163141
Report to moderator
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction. Advertise here.
1481163141
Hero Member
*
Offline Offline

Posts: 1481163141

View Profile Personal Message (Offline)

Ignore
1481163141
Reply with quote  #2

1481163141
Report to moderator
bitplane
Sr. Member
****
Offline Offline

Activity: 321

Firstbits: 1gyzhw


View Profile WWW
July 03, 2011, 03:08:48 AM
 #2

Sounds really interesting. A few questions though:

1) What happens if I lose my smartcard? Is it just my GPG key and passphrase in there?
2) My computer is always on. Can the software be set to launch secure storage when the card is inserted?
3) My laptop doesn't have a card reader, are there USB key options available?
Shinobi
Full Member
***
Offline Offline

Activity: 196


View Profile
July 03, 2011, 03:59:28 AM
 #3

No problem. I'll answer each in turn below:

Quote
1) What happens if I lose my smartcard? Is it just my GPG key and passphrase in there?[/qoute]

I am writing assuming that you have zero knowledge of PGP/GPG, so please do not be offended if you do! Perhaps the explanation may be of help to others on this forum.

To provide a tremendously oversimplified explanation, GPG works by having you create 2 keys, a public key which you give out to others, and a private key which you does not reveal to *anyone*. These keys are generated as a pair and are mathematically interrelated. When generating the keypair, the user has to enter a password (more appropriately called a passphrase as it can be more than one word). Each key is stored as a file. After creating the keypair, you can send your public key to all the folks with whom you want to communicate in an encrypted fashion, or more conveniently, you "publish" your public key to a keyring in the internet - the most popular is run by MIT.

When someone wants to send a private communication to you, they use one of the many GPG programs out there (it is available as a plugin or standalone, and there is the open-source version called GPG, for which there is an easy-to-use plugin for Mozilla Thunderbird) which takes their text and encrypts it using the public key you gave them. The output of the encryption looks like THIS which can be sent as any other e-mail.

When you receive this e-mail, your GPG program will decrypt it with your private key, and in order to do so will ask you for the passphrase. If you supply the correct passphrase, the message will be decrypted and you can read it. Presumably you will have your friend's public key and your communication with him will proceed by the same fashion.

NOTE: When you generate the keypair, you have the option of generating a revocation certificate. Should your private key be taken or if you ever feel your private key has been compromised, you simply need send the revocation certificate to the public keyring and it will kill the public key you had uploaded and you can also notify everyone who you use GPG with that this key is no longer valid. Furthermore, when you set up your Smartcard, you establish a PIN - much like an ATM card. Should 10 attempts to mount the card with an incorrect pin occur, the Smartcard deletes itself and is rendered invalid.

2) My computer is always on. Can the software be set to launch secure storage when the card is inserted?

Yes, it can. As the computer detects the card in the same manner as it detects a USB device, a script can easily be created and I"m sure one already exists, to mount secure storage related to the

3) My laptop doesn't have a card reader, are there USB key options available?

I believe there are, and that is often the purpose of dongles like Yubikey. Check your PM.

_______
Thinking of using a cheap, yet reliable VPN? Go with PrivateInternetAccess. Not a referral link. Just a satisfied customer!
phillipsjk
Legendary
*
Offline Offline

Activity: 1008

Let the chips fall where they may.


View Profile WWW
July 03, 2011, 04:59:56 AM
 #4

1) What happens if I lose my smartcard? Is it just my GPG key and passphrase in there?

If you don't have a backup copy (which goes against the idea of a smart card as far as I can tell), you loose your wallet and coins.

The client really needs to support different wallets with varying degrees of security. Note there is no reason only one client can be used. Though, for pre-compiled binaries, one of the "official" clients is probably a good idea.

James' OpenPGP public key fingerprint: EB14 9E5B F80C 1F2D 3EBE  0A2F B3DE 81FF 7B9D 5160
Shinobi
Full Member
***
Offline Offline

Activity: 196


View Profile
July 03, 2011, 05:04:44 AM
 #5

Noone mentioned anything about putting one's wallet on the card!

_______
Thinking of using a cheap, yet reliable VPN? Go with PrivateInternetAccess. Not a referral link. Just a satisfied customer!
phillipsjk
Legendary
*
Offline Offline

Activity: 1008

Let the chips fall where they may.


View Profile WWW
July 03, 2011, 05:13:41 AM
 #6

You did mention having a back-up copy of your passphrase. If the passphrase is strong enough, deleting it can be almost the same as deleting the encrypted data itself.

James' OpenPGP public key fingerprint: EB14 9E5B F80C 1F2D 3EBE  0A2F B3DE 81FF 7B9D 5160
bcearl
Full Member
***
Offline Offline

Activity: 168



View Profile
July 03, 2011, 09:22:31 AM
 #7

Noone mentioned anything about putting one's wallet on the card!

You just need a card that can do ECDSA with the right properties.


https://en.bitcoin.it/wiki/Protocol_specification#Signatures

Misspelling protects against dictionary attacks NOT
Pages: [1]
  Print  
 
Jump to:  

Sponsored by , a Bitcoin-accepting VPN.
Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!