Re: Increasing Public Key Crypto Security with Handhelds
On Sun, Nov 28, 1999 at 08:13:52AM +1300, Peter Gutmann wrote:
> Brian Ristuccia <brianr@debian.org> writes:
>
> >I just came up with what I think may be a good way to increase the security
> >of GNU Privacy Guard using a cheap handheld computer like the Palm III or
> >the Handspring visor. I'm sure this has been proposed before with smartcard
> >technology or something similar. I'm not a cryptographer, so I'm interested
> >in hearing your comments.
>
> This has already been done by implementing a PKCS #11 interface to a Palm
> Pilot, the idea is that you use the Palm Pilot in place of a more usual crypto
> token like a smart card or iButton. Unfortunately the only implementations I
> know of are stuck behind the iron curtain (and even there they're not widely
> circulated), so they're not accessible to non-US users.
>
> The easiest way to handle this would be to take gpkcs11,
> http://www.trustcenter.de/html/Produkte/TC_PKCS11/1494.htm, and port it to the
> Palm Pilot so it can act as a PKCS #11 token. For handling the other side of
> things, I hope to release my general-purpose PKCS #11 interface code before the
> end of the year, this has been tested with a wide variety of tokens including
> smart cards, iButtons, crypto hardware, datakeys, and other bits and pieces,
> so you could use that to talk to the Palm Pilot.
>
Would such an arrangement allow for a partial display of the encrypted
document before the session key is released to the PC? Would it offer the
display of a document summary before signing in a way that said document
summary would invalidate the signature if it was not actually a subset of
the document being signed?
Otherwise, a compromised PC could trick the user into using their handheld
to decrypt or sign arbitrary documents.
--
Brian Ristuccia
brianr@osiris.978.org
bristucc@nortelnetworks.com
bristucc@cs.uml.edu
Reply to: