Thank you Evan, Donncha,
Regarding 1024-bit RSA support, take a look at http://www.fi.muni.cz/~xsvenda/jcsupport.html - almost all JavaCard cards support that.
I'm a Java developer but it looks like I'm going to have to switch to (and learn) Python for this since almost all Tor utilities appear to only be maintained in Python (and I don't feel like reinventing the wheel in Java). We'll see...
Thanks Evan for the .onion links, I'll take a look. I'm still collecting data, testing hardware, etc. BTW, one of the cheapest options for this is http://www.ftsafe.com/product/epass/eJavaToken - $12 at http://javacardos.com/store/smartcard_eJavaToken.php . Unfortunately it has a bug that prevents OpenPGP from running (something to do with signature padding, I didn't look much into it). My plan is to write a very small JavaCard-based applet to load onto the card - that only does RSA key generation and signing, nothing else. Easy to write and easy to audit.
Thanks again, Razvan
-- Razvan Dragomirescu Chief Technology Officer Cayenne Graphics SRL
On Mon, May 23, 2016 at 11:26 PM, Evan Margin twim@riseup.net wrote:
Hello Donncha!
Donncha Ó Cearbhaill:
However his code was integrating with a smartcard at a very low level by sending AT commands manually. I don't think that is the best approach for compatibility.
I think a better way would be to interface with the tokens via the PKCS#11 protocol. The majority of smartcards and HSMs implement this standard and there are compatible implementations available for most operating systems. The Python pykcs11 module should be a helpful start [1].
Yeah, interfacing smartcard directly or via GnuPG scdaemon is not the best approach. But PKCS#11 in even worse. Much much worse. This standard is so huge that noone can implement it right. It raises enterance threshold so high that it will be used only by overproprietary entities. OpenPGP Card spec is pretty small so that everyone can write code within an hour and start to interface with a card. So did I. At least I know what's going on under the hood and these transparency and simplicity makes this setup more secure.
-- Ivan Markin _______________________________________________ tor-dev mailing list tor-dev@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev