Alexander Leidinger

Just another weblog

Nov 25

Which crypto card to use with FreeBSD (ssh/gpg)

The recent security incident triggered a discussion about how to secure ssh/gpg keys.

One way I want to focus on here (because it is the way I want to use at home) is to store the keys on a crypto card. I did some research for suitable crypto cards and found one called the Feitian PKI Smartcard and one called the OpenPGP card. The OpenPGP card also exists in a USB version (basically a small version of the card integrated into a small USB card reader).

The Feitian card is reported to be able to handle RSA keys up to 2048 bits. It does not seem to handle DSA (or ECDSA) keys. The smartcard quick starter guide they have (the "Tuning smartcard file system" part) tells how to change the parameters of the card to store up to 9 keys on it.

The spec of the OpenPGP card says that it supports RSA keys up to 3072 bits, but there are reports that it is able to handle RSA keys up to 4096 bits (you need at least GPG 2.0.18 to handle keys that big on the crypto card). It looks to me like the card does not handle DSA (or ECDSA) keys. There are only slots for up to 3 keys on it.

If I go this way, I would also need a card reader. It seems a class 3 one (hardware PIN pad and display, so the PIN is entered on the reader rather than typed into the host) would be the most "future-proof" way to go. I found a Reiner SCT cyberJack secoder card reader, which is believed to be supported by OpenSC and seems to be a good balance between cost and features among the Reiner SCT card readers.

If anyone reading this can suggest a better crypto card (keys up to 4096 bits, more than 3 slots, and/or DSA/ECDSA support), or a better card reader, or has any practical experience with any of those components on FreeBSD, please add a comment.


4 Responses to “Which crypto card to use with FreeBSD (ssh/gpg)”

  1. cs Says:

    Exactly for the same reason (the FreeBSD incident), I just ordered a CryptoStick from the German Privacy Foundation (http://www.privacyfoundation.de/crypto_stick/crypto_stick_english/). Installing it was very easy. I just had to recompile security/gnupg and install devel/libccid plus devel/pcscd-lite. There are three keys generated, signing, encryption, and authentication. The maximum was 3075bit to create them on the stick. However, I think you can create 4096bit locally and transfer the key to the stick. As the authentication key is not used by gnupg, you can use it for ssh. You need to start gpg-agent with --daemon --enable-ssh-support --sh and it works. I can use now the stick for ssh and gpg :-)

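The gpg-agent ssh wiring that the comment above describes, as an added example that is not part of the original post or of the commenter's setup. It assumes gnupg 2.x with gpg-agent, pcscd and libccid installed, and the `gpg --card-status` layout of an OpenPGP card; the card-status text inside the block is a constructed sample, not output from a real card, and `gpgconf --list-dirs agent-ssh-socket` is assumed to exist (gnupg 2.1+), with a fallback to the classic socket path for older agents started the way the comment shows.

```shell
#!/bin/sh
# Added example (not from the post or the comment above): put gpg-agent in front
# of ssh so the card's authentication key is offered to ssh, and inspect which of
# the card's three slots hold keys. Assumptions: gnupg 2.x from security/gnupg,
# pcscd + libccid running, GNUPGHOME defaulting to ~/.gnupg.

# Enable ssh support in gpg-agent's config (idempotent) and print the socket
# path that ssh must see as SSH_AUTH_SOCK. Optional argument: GNUPGHOME dir.
setup_agent_ssh() {
    home="${1:-${GNUPGHOME:-$HOME/.gnupg}}"
    mkdir -p "$home" && chmod 700 "$home"
    conf="$home/gpg-agent.conf"
    grep -qx 'enable-ssh-support' "$conf" 2>/dev/null \
        || echo 'enable-ssh-support' >> "$conf"
    chmod 600 "$conf"
    # gnupg 2.1+ keeps the ssh socket at a fixed place that gpgconf reports;
    # an older agent started as "gpg-agent --daemon --enable-ssh-support --sh"
    # prints SSH_AUTH_SOCK itself, so fall back to the classic path.
    sock=$(gpgconf --list-dirs agent-ssh-socket 2>/dev/null || true)
    [ -n "$sock" ] || sock="$home/S.gpg-agent.ssh"
    echo "$sock"
}

# Constructed sample of `gpg --card-status` output (NOT from a real card):
# signature and authentication slots filled, encryption slot empty.
SAMPLE_CARD_STATUS='Application ID ...: D2760001240102000005000012340000
Version ..........: 2.0
Manufacturer .....: ZeitControl
Serial number ....: 00001234
Signature key ....: 1111 2222 3333 4444 5555  6666 7777 8888 9999 0000
      created ....: 2012-11-25 10:00:00
Encryption key....: [none]
Authentication key: AAAA BBBB CCCC DDDD EEEE  FFFF 0000 1111 2222 3333
      created ....: 2012-11-25 10:01:00'

# Read card-status text on stdin and print one line per slot:
# "<slot>: filled <fingerprint>" or "<slot>: empty".
# Real use: gpg --card-status | card_slots
card_slots() {
    awk -F': *' '
        /^Signature key/      { slot = "sign" }
        /^Encryption key/     { slot = "encr" }
        /^Authentication key/ { slot = "auth" }
        /^(Signature|Encryption|Authentication) key/ {
            if ($2 == "[none]") print slot ": empty"
            else                print slot ": filled " $2
        }
    '
}

# Demo on the constructed sample (no card needed):
demo_slots() {
    printf '%s\n' "$SAMPLE_CARD_STATUS" | card_slots
}
```

After `setup_agent_ssh` has run, export the printed path as `SSH_AUTH_SOCK` in the login shell and `ssh-add -L` should list the card's authentication key; `card_slots` on the real `gpg --card-status` output shows which of the three slots are still free before generating or importing a key.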
  2. johans Says:

    The Feitian smartcard also comes as USB device:
    http://www.gooze.eu/feitian-epass-pki-token

    I have used both the Feitian and OpenPGP cards with FreeBSD — they work as specified without problems.

  3. Crypto card possibilities – DragonFly BSD Digest Says:

    […] discussion of cryptographic hardware for FreeBSD may include hardware that would work for DragonFly too.  Can someone verify? Posted by Justin […]

  4. netchild Says:

    What I like about the OpenPGP card is, that I can use keys up to 4096 bits. What I like about the Feitian card is that I can add a lot of keys.

    I have 2 GPG keys, one for my FreeBSD.org address, one for my Leidinger.net address. I also would like to use a ssh key just for the use with FreeBSD, and a separate one for my own machines which is different from the FreeBSD one. And maybe I want a second ssh key for my machines which I would use outside of trusted environments. The first one to use it in trusted places, the second one to use it "on the road". Well, ok, for the second one I should use a card only with this key. And maybe I want a 4th and 5th ssh key for systems I don't own but have access to (if I lose the card on the road somehow, I still have a card in a trusted env to access the machines and I can lock out the lost card by removing just the keys from the authorized_keys).

    With the OpenPGP card it seems I'm forced into using multiple cards (3 to 6, depending on how I want to combine the certificates), while with the Feitian one maybe two or three are enough (one GPG, one ssh-trusted and one ssh-on-the-road).

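One way to do the lock-out netchild describes in the comment above (dropping a lost card's key from a server's authorized_keys), as an added example, not code from the post or the commenter. It assumes the key was exported through gpg-agent, which labels an OpenPGP card's authentication key with the comment `cardno:<serial>` in `ssh-add -L` output (an assumption; check what your own `ssh-add -L` prints and adjust the tag), and the authorized_keys content in `demo_revoke` is constructed with fake key blobs.

```shell
#!/bin/sh
# Added example (not from the comment above): lock out a lost card by removing
# its ssh key from authorized_keys. Assumes gpg-agent's `ssh-add -L` comment
# format "cardno:<serial>" for card keys; adjust the tag if yours differs.

# Usage: revoke_card_key <authorized_keys> <card serial>
# Drops every key line whose trailing comment is exactly cardno:<serial>,
# rewrites the file atomically with mode 600, and prints how many key lines
# (non-blank, non-comment) remain so a caller can sanity-check.
revoke_card_key() {
    ak="$1"
    tag="cardno:$2"
    tmp="$ak.$$"
    # authorized_keys puts the comment last, after the key blob, so the last
    # field identifies the card; blank and '#' lines never match and are kept.
    awk -v tag="$tag" '$NF != tag' "$ak" > "$tmp" || { rm -f "$tmp"; return 1; }
    chmod 600 "$tmp" && mv "$tmp" "$ak"
    grep -c -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$ak" || true
}

# Demo on a constructed authorized_keys (fake key blobs, not real keys): one
# trusted-environment card, one on-the-road card, one plain laptop key. The
# on-the-road card 000500002222 is the one that got lost.
demo_revoke() {
    d=$(mktemp -d)
    cat > "$d/authorized_keys" <<'EOF'
# trusted-environment card
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCfake1 cardno:000500001111
# on-the-road card
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCfake2 cardno:000500002222
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCfake3 laptop
EOF
    revoke_card_key "$d/authorized_keys" 000500002222
    cat "$d/authorized_keys"
    rm -rf "$d"
}
```

Because each card carries its own authentication key, the trusted-environment card keeps working after the lost one is removed, which is exactly the property the comment wants from splitting keys across cards.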
