Today smartcards are ubiquitous and an important security feature for a lot of appliances --- most notably cell phones. Despite what one might assume, their use on desktop computers is still not very widespread. As a solution we have specified the OpenPGP card and made an actual implementation for an affordable price available. GnuPG has supported this card since version 1.3.3. Applications like PAM and support for SSH are also available. This paper describes how to use the card for email encryption and signing. The OpenPGP card is an ISO-7816 compliant application. In contrast to X.509 cards, a CA is not required as key validation issues are left to the software using the card. The card is able to generate the keys on-chip, so that the private key won't ever be seen outside of the card. This provides very good resistance against key compromise through remote attacks or physical attacks by average attackers. Our software supports PC/SC and direct USB CCID device access; most of it can be easily ported to non-POSIX systems to allow the use of one card throughout heterogeneous systems. Due to the close integration with GnuPG, it may instantly be used by all MUAs supporting GnuPG. |
Werner Koch is radio amateur since the late seventies and became interested in software development at about the same time. He worked on systems ranging from CP/M systems to mainframes, languages from assembler to Smalltalk and applications from drivers to financial analysis systems. He is a long time GNU/Linux user, principal author of the GNU Privacy Guard and founding member of the FSF-Europe. In 2001 he founded g10 Code, a company specialized in development of Free Software based security applications. |
Last modified: Thu, 10 Mar 2005 10:10:14 +0100