
Re: handling private keys



Tue, 2005-06-28 at 17:38 +0200, Christian Storch wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>  
> Radu Spineanu wrote:
> 
> > Hello
> >
> > I am working on a small project, and I have a problem related to
> > keeping gpg private keys stored on USB drives secure when working
> > with them.
> >
> > My problem is that in case the machine is compromised, if the USB
> > drive with the key is mounted the attacker has access to it.
> >
> > Has anyone heard of an implementation, or at least a whitepaper
> > related to creating some kind of secure zone where i can keep these
> > keys ?
> 
> It's a logical problem: if someone has compromised your machine there
> would be >no< possibility to tell the difference between a legitimate
> user and an intruder. So he would possibly be able to read your
> private key!
> 
> The only absolute solution would be a kind of intelligent USB drive
> which accepts a file to decrypt or sign and offers the result. So
> somebody could use the key as long as you leave your USB drive in
> your machine, but not any longer!
> Unfortunately science fiction at the moment. ;)

Not really: you just need to use a gpg-compatible smart card and buy a
smart card reader. In this case your secret keys are always on the
smartcard and any signing or whatever can only be done with the card.

I just bought a Gemplus GemPC PCMCIA smartcard reader, and am still
waiting for OpenPGP cards for basic use. In addition, the Finnish HST
identity cards just got new models with 64k storage; I will get that as
well...
(http://www.sahkoinenhenkilokortti.fi/default.asp?todo=setlang&lang=uk)

The reader will sit in one of my laptop's PCMCIA slots permanently;
that's why I got such a model and not a USB reader: just insert the card
when you need it... By the way, the reader was easy to install with
sarge and Ubuntu.

In addition to PGP key storage, smart cards can support, for example,
login with the card (libpam-opensc and libpam-musclecard, depending on
what you really want).

So, for each user, you will spend about 10-40 dollars/euros for the
smartcards, and in addition all systems must have a smart card reader.

	*hile*
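The point of the reply above is that after the key has been moved to an OpenPGP card, the host keyring should hold only stubs that point at the card, so a compromised host cannot read the key. The script below is an added example, not part of this thread and not GnuPG's own tooling: it checks that condition by reading the machine-readable listing from `gpg --with-colons --list-secret-keys`. It assumes the field semantics documented in GnuPG's doc/DETAILS (field 15 of a sec/ssb record holds the token serial number, `#` for a stub with no secret at all, and is empty in gpg 1.x or `+` in gpg 2.1+ when the full private key is on disk); the sample listing, key IDs and card serial number are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original thread. Once a key has been moved to an
# OpenPGP card (interactively: gpg --edit-key <keyid>, then "keytocard" for
# the primary key and each subkey; gpg 1.4 needs "toggle" first), the host
# keyring should hold only stubs that point at the card. This script checks
# that by parsing:
#
#     gpg --with-colons --list-secret-keys
#
# Assumption (per GnuPG doc/DETAILS): field 15 of a sec/ssb record is the
# serial number of the token holding the key, "#" for a stub with no secret
# material at all, and empty (gpg 1.x) or "+" (gpg 2.1+) when the full
# private key is stored on disk. Key IDs and serial number below are made up.

# Prints the number of sec/ssb records whose private key is on disk.
# $1: the colon listing as a string.
keys_on_disk() {
    printf '%s\n' "$1" | awk -F: '
        ($1 == "sec" || $1 == "ssb") && ($15 == "" || $15 == "+") { n++ }
        END { print n + 0 }'
}

# Prints one line per secret key: record type, key ID, and where the
# secret actually lives.
classify_keys() {
    printf '%s\n' "$1" | awk -F: '
        $1 == "sec" || $1 == "ssb" {
            where = "ON-DISK";
            if ($15 == "#") where = "stub, no secret";
            else if ($15 != "+" && $15 != "") where = "on card " $15;
            printf "%s %s: %s\n", $1, $5, where
        }'
}

# Constructed sample listing: primary key and encryption subkey on the card,
# one authentication subkey (gpg 2.1 style "+") and one signing subkey
# (gpg 1.x style empty field 15) still on disk.
SAMPLE='sec:u:2048:1:1111111111111111:1119973200:::u:::scESC:::D2760001240102000005000012340000::::::::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:u::::1119973200::ABCDEF0123456789ABCDEF0123456789ABCDEF01::Radu Example <radu@example.invalid>::::::::::0:
ssb:u:2048:1:2222222222222222:1119973200::::::e:::D2760001240102000005000012340000::::::::0:
ssb:u:2048:1:3333333333333333:1119973200::::::a:::+:::23:
ssb:u:2048:1:4444444444444444:1119973200::::::s::::::::::0:'

classify_keys "$SAMPLE"
n=$(keys_on_disk "$SAMPLE")
printf 'secret keys still on disk: %s\n' "$n"
# On a host where the card is meant to hold everything, anything but 0 here
# means a compromise of that host still exposes a private key.
```

To run it against a real keyring, replace `SAMPLE` with `$(gpg --with-colons --list-secret-keys)`; the two functions only look at the `sec`/`ssb` records, so `fpr`, `uid` and `grp` lines are ignored.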