August 25, 2004

Using PGP with a USB smartcard token

The financial cryptographer's decade-old dream of token-based security is inching closer. The ideal is a custom-configured iPaq or PalmPilot with only the secure application on it.

Although lacking a display, here's a cost-effective compromise - a USB "keyfob" token that generates your PGP keys and keeps them safe inside the internal smart card. Edwin Woudt wrote up how to hook up a USB token with PGP Inc's current (paid) product, using tokens from OpenFortress.

Hint to the GPG guys - how cool is this?

Posted by iang at August 25, 2004 08:56 AM
Comments

I looked into this, but why bother with a smart card on a custom USB fob when USB memory cards are widely available? You just store a passphrase-protected private key and it works almost exactly as described in the article.

Posted by: Steve Wart at August 25, 2004 09:13 AM

Not really. The private key in this USB token is stored in such a way that it is impossible to retrieve it: it is generated on the token and all operations with the private key are done on the token as well. Even if you wanted to, you cannot get to the private key other than by using very expensive equipment to get it directly from the smartcard (if such equipment even exists).

The advantage is more security: with a USB memory stick the key itself is transferred to the PC. Also one still needs a long passphrase, which isn't necessary for a USB token.

Posted by: Edwin Woudt at August 25, 2004 09:43 AM
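The difference Edwin describes above (key file on a memory stick versus key generated and used inside the token) can be made concrete with a small simulation. The following is an added example, not code from the original post, from Edwin, or from the ePass/OpenFortress products; it uses a toy RSA with small constructed primes, a constructed XOR-with-hashed-passphrase wrapping scheme, and made-up class names (`StickKey`, `Token`) so that the host-visible interface of each approach can be compared. Python cannot enforce hardware isolation, so the point is what the host must hold to get a signature in each case, not the name-mangled attribute.

```python
import hashlib
import secrets

# Small primes keep the arithmetic readable; constructed for illustration only.
# A real token generates 1024/2048-bit RSA keys inside the smart card.
_PRIMES = [10007, 10009, 10037, 10039, 10061, 10067, 10069, 10079]
_E = 65537


def _keygen():
    """Toy RSA key generation: returns (n, e, d)."""
    p = secrets.choice(_PRIMES)
    q = secrets.choice([x for x in _PRIMES if x != p])
    n, phi = p * q, (p - 1) * (q - 1)
    return n, _E, pow(_E, -1, phi)  # pow(x, -1, m) is a modular inverse (Python 3.8+)


def _digest(msg: bytes, n: int) -> int:
    """Hash the message and reduce it into the RSA group (no padding; toy scheme)."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n


def rsa_verify(public, msg: bytes, sig: int) -> bool:
    n, e = public
    return pow(sig, e, n) == _digest(msg, n)


class StickKey:
    """Key file on a USB memory stick: d is wrapped with a passphrase at rest,
    but the PGP program must unwrap it into host RAM before it can sign."""

    def __init__(self, passphrase: str):
        n, e, d = _keygen()                                  # generated on the PC
        self.public = (n, e)
        self.blob = self._xor(d.to_bytes(32, "big"), passphrase)  # bytes kept on the stick
        self.d = None                                        # unwrapped exponent, once unlocked

    @staticmethod
    def _xor(data: bytes, passphrase: str) -> bytes:
        # Constructed toy wrapping (XOR with a hashed passphrase), only to make the
        # "protected at rest, plaintext in use" property visible.
        key = hashlib.sha256(passphrase.encode()).digest()
        return bytes(a ^ b for a, b in zip(data, key))

    def unlock(self, passphrase: str) -> None:
        d = int.from_bytes(self._xor(self.blob, passphrase), "big")
        n, _ = self.public
        if not rsa_verify(self.public, b"probe", pow(_digest(b"probe", n), d, n)):
            raise ValueError("wrong passphrase")
        self.d = d                                           # private key now resident on the host

    def sign(self, msg: bytes) -> int:
        if self.d is None:
            raise RuntimeError("key is locked")
        n, _ = self.public
        return pow(_digest(msg, n), self.d, n)


class Token:
    """USB smartcard token: the key pair is generated inside, and the private
    exponent never crosses the USB interface. The host sees only the public key
    and a sign() service gated by a PIN with a retry counter."""

    def __init__(self, pin: str, max_tries: int = 3):
        n, e, d = _keygen()                                  # generated on the card
        self.public = (n, e)
        self.__d = d                                         # stands in for card-internal memory
        self.__pin = pin
        self.__max_tries = max_tries
        self.__tries_left = max_tries

    def sign(self, pin: str, msg: bytes) -> int:
        if self.__tries_left == 0:
            raise PermissionError("token blocked: PIN retry counter exhausted")
        if pin != self.__pin:
            self.__tries_left -= 1
            raise PermissionError("wrong PIN")
        self.__tries_left = self.__max_tries
        n, _ = self.public
        return pow(_digest(msg, n), self.__d, n)

    def export_private(self):
        raise PermissionError("private key is not exportable from the token")


def demo() -> dict:
    """Run both setups on a constructed message and report what the host ends up with."""
    msg = b"constructed sample message"
    stick = StickKey("correct horse battery staple")
    stick.unlock("correct horse battery staple")
    token = Token(pin="1234")
    token_sig = token.sign("1234", msg)
    for wrong in ("0000", "1111", "2222"):                   # three wrong PINs exhaust the counter
        try:
            token.sign(wrong, msg)
        except PermissionError:
            pass
    try:
        token.sign("1234", msg)                              # correct PIN, but the token is now blocked
        blocked = False
    except PermissionError:
        blocked = True
    try:
        token.export_private()
        exportable = True
    except PermissionError:
        exportable = False
    return {
        "stick_signature_valid": rsa_verify(stick.public, msg, stick.sign(msg)),
        "stick_d_resident_on_host": stick.d is not None,
        "token_signature_valid": rsa_verify(token.public, msg, token_sig),
        "token_private_exportable": exportable,
        "token_blocked_after_wrong_pins": blocked,
    }
```

Both setups produce valid signatures, but only the stick-based one leaves `d` in host memory after unlocking, which is why the passphrase has to be long there: it is the only thing protecting the key file when the stick is lost. The token's PIN can be short because the retry counter, not the PIN's entropy, bounds guessing, and a stolen token still yields no exportable key.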

OT: You seem to have changed the URL for your RDF/XML feed back in late July without ever posting a notice. I only noticed because someone linked to one of your recent postings from another forum.

Posted by: fantod5 at August 25, 2004 10:31 AM

Sounds a lot like the AADS chip strawman, with a dedicated secure signing application and none of the vagaries of some efforts at doing a certificate-less signing application on a multi-function smartcard (of the EMV or any other variety).
http://www.garlic.com/~lynn/aadsm2.htm#straw

Posted by: Lynn Wheeler at August 25, 2004 06:42 PM

Okay, as the Slashdot folks like to say, RTFA (I did actually, but did not look at the ePass link).

This is very cool. For some reason I was thinking card reader and yet another wallet card. Of course, this is a self contained unit that fits on your keychain.

The nice thing is that it also acts as a password safe. There's a reseller in Germany that sells the SDK online for EUR 24 (you need to get one of these before you can order individual keys), so the biggest expense is the PGP Desktop license (about USD 70 I think), but that's not even necessary if all you need is basic e-mail and file encryption.

All in all, this is far cheaper, more secure, and more convenient than upgrading my old Palm III to one of the new phone/camera/pda things that I've never quite been able to justify.

Too early to say whether it's a "killer app" or yet another project of the week to clutter up my workspace :-)

Posted by: Steve Wart at August 25, 2004 11:58 PM

The catch is: PGP Freeware has no smartcard support. That said, one desktop license only cost me EUR 49.

And regarding the smartcard kit: the EUR 24 is for the ePass1000 which has no RSA (and is thus not useful for PGP). The ePass2000 kit is EUR 45.

Posted by: Edwin Woudt at August 26, 2004 03:13 AM

Might order one -- not sure why you need to get the SDK if all you need is the fob itself. Is the "Demo" version that comes with the SDK fully functional or is it crippled in some way?

Posted by: Steve Wart at August 26, 2004 05:44 AM

The SDK includes one token, AFAIK it is uncrippled, but ask the reseller to be sure.

Posted by: Edwin Woudt at August 28, 2004 01:27 PM

http://www.theregister.co.uk/2004/06/01/email_memory_stick/

This Register article adds a lot of background.

Posted by: Iang at September 1, 2004 07:06 AM