Welcome to the Internet, here's your private key

Trei, Peter ptrei at rsasecurity.com
Mon Feb 4 16:51:13 EST 2002


I'm not the local expert on this, but there are SCs with
built-in crypto accelerators. They are designed for the 
use I described:
 
* Generate an RSA key pair on board, 
* export the public key,
* re-import the certificate, 
* wrap/unwrap a data block 
  (typically a session key or hash for signing) 
  using the onboard key pair without ever
  exporting the secret half of the key pair.

While they typically only use a PIN or passphrase
for protection, they usually will commit electronic 
seppuku if too many (typically 3) bad PINs or
passphrases are entered.

With these, you can let your CA admin run the
SW to create the keys and sign the public key,
and still have reasonable assurance that he has
not snagged a copy of the private key.

Peter Trei

> ----------
> From: 	Bill Frantz[SMTP:frantz at pwpconsult.com]
> Sent: 	Monday, February 04, 2002 3:41 PM
> To: 	Bill Stewart; cryptography at wasabisystems.com
> Subject: 	RE: Welome to the Internet, here's your private key
> 
> At 10:20 AM -0800 2/4/02, Bill Stewart wrote:
> >There are special cases where the user's machine doesn't have
> >the CPU horsepower to generate a key - PCs are fine,
> >but perhaps Palm Pilots and similar handhelds are too slow
> >(though a typical slow 33MHz 68000 or Dragonball is faster
> >than the 8086/80286 MSDOS machines that PGP originally ran on.)
> >Cash machines may be too slow, but they normally run symmetric crypto.
> >A smartcard-only system probably _is_ too limited to generate keys,
> >but that's the only realistic case I see.
> 
> It may depend on the public key system you are using.  Where you have to
> search for numbers which have certain mathematical properties (like with
> RSA), then you can indeed use a bunch of CPU.  For systems like DSA, where
> the private key is in essence a random number, there is no searching, and
> key generation is a lot faster.
> 
> Cheers - Bill
> 
> 
> -------------------------------------------------------------------------
> Bill Frantz           | The principal effect of| Periwinkle -- Consulting
> (408)356-8506         | DMCA/SDMI is to prevent| 16345 Englewood Ave.
> frantz at pwpconsult.com | fair use.              | Los Gatos, CA 95032, USA
> 
> 
> 
> ---------------------------------------------------------------------
> The Cryptography Mailing List
> Unsubscribe by sending "unsubscribe cryptography" to
> majordomo at wasabisystems.com
> 
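The card lifecycle described in the message above, as an added sketch that is not part of the original post or of any real card's firmware. `ToyCard` and its method names are hypothetical, and it uses textbook RSA with no padding and a small modulus, so it is a simulation of the interface only.

```python
import secrets

def is_probable_prime(n, rounds=20):  # Miller-Rabin probabilistic test
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def random_prime(bits):
    while True:  # the "search" that makes RSA key generation CPU-heavy
        p = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(p):
            return p

class ToyCard:  # hypothetical stand-in for the smartcard
    MAX_BAD_PINS = 3
    def __init__(self, pin, bits=512):  # step 1: key pair generated on board
        self._pin, self._bad, self.certificate, self._e = pin, 0, None, 65537
        while True:
            p, q = random_prime(bits // 2), random_prime(bits // 2)
            if p != q and (p - 1) % self._e and (q - 1) % self._e:
                break
        self._n, self._d = p * q, pow(self._e, -1, (p - 1) * (q - 1))
    def export_public_key(self):  # step 2: only (n, e) ever leaves the card
        return self._n, self._e
    def import_certificate(self, cert):  # step 3: CA-signed cert stored
        self.certificate = cert
    def unwrap(self, pin, wrapped):  # step 4: private-key op stays on card
        if self._d is None:
            raise RuntimeError("card locked: private key destroyed")
        if not secrets.compare_digest(pin, self._pin):
            self._bad += 1
            if self._bad >= self.MAX_BAD_PINS:
                self._d = None  # irreversible wipe after too many bad PINs
            raise PermissionError("bad PIN")
        self._bad = 0
        return pow(wrapped, self._d, self._n)
```

There is deliberately no method that returns the private exponent: the person running the enrollment software only ever handles the public key and the certificate.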
