PGP with eToken - PGP


Thread: PGP with eToken

  1. PGP with eToken

    I've been using PGPv8 for a while with a DH/DSS key-pair. I've recently got
    hold of an Aladdin eToken, which integrates with PGP and allows me to
    generate a RSA key-pair on the token itself. I like the idea of offloading
    the private key as it effectively gets round the issue of a keycatcher
    obtaining my PGP passphrase (obviously they could still capture my token
    passcode, but without the token it wouldn't be much use).

    My problem is how I deal with the loss of my token - the very strength above
    falls down because the private key never leaves the token, so I lose the
    ability to sign/decrypt if I lose the token.

    I can import pkcs12 certificates onto the token; what would be ideal would
    be to generate the RSA legacy key in PGP; export this to a .pfx file (which
    I can then securely archive); and then import this to the token. Obviously
    PGP does not offer this facility, but I'd welcome thoughts from anyone
    regarding a potential alternative.

    Cheers,
    Chris



  2. Re: PGP with eToken

    Hello!
    You wrote on Sun, 27 Jun 2004 11:45:37 +0100:

    C> I can import pkcs12 certificates onto the token; what would be ideal
    C> would be to generate the RSA legacy key in PGP; export this to a .pfx
    C> file (which I can then securely archive); and then import this to the
    C> token. Obviously PGP does not offer this facility, but I'd welcome
    C> thoughts from anyone regarding a potential alternative.

    You can do the following:

    1) Generate a self-signed X.509 certificate (for example using PKI Tools
    from http://www.eldos.org/pkitools/pkitools.html)
    2) Save it to PFX and archive the PFX (PKI Tools lets you save the generated
    certificate in PFX format)
    3) Put the certificate on the eToken using the eAladdin tools that come with your
    token
    4) Use the eToken and certificate with PGP.

    This is exactly how I use it myself and this works flawlessly.

    --
    Eugene Mayevski
    EldoS Corp., CTO
    Networking and security solutions, development and consulting services
    http://www.eldos.com


  3. Re: PGP with eToken

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    "Can2002" wrote in
    news:40dea554$0$58823$5a6aecb4@news.aaisp.net.uk:

    > I've been using PGPv8 for a while with a DH/DSS key-pair. I've
    > recently got hold of an Aladdin eToken, which integrates with PGP and
    > allows me to generate a RSA key-pair on the token itself. I like the
    > idea of offloading the private key as it effectively gets round the
    > issue of a keycatcher obtaining my PGP passphrase (obviously they
    > could still capture my token passcode, but without the token it
    > wouldn't be much use).
    >
    > My problem is how I deal with the loss of my token - the very strength
    > above falls down as because the private key never leaves the token I
    > lose the ability to sign/decrypt if I lose the token.
    >
    > I can import pkcs12 certificates onto the token; what would be ideal
    > would be to generate the RSA legacy key in PGP; export this to a .pfx
    > file (which I can then securely archive); and then import this to the
    > token. Obviously PGP does not offer this facility, but I'd welcome
    > thoughts from anyone regarding a potential alternative.


    PGP is supposed to be able to import 1024-bit v3 RSA keys into smart
    cards. Is there something unique about the Aladdin eToken that prevents
    this?

    -----BEGIN PGP SIGNATURE-----
    Version: PGP 8.1
    Comment: My PGP Page & FAQ: http://www.McCune.cc/PGP.htm

    iQEVAwUBQN69SWDeI9apM77TAQIJIwgAhu453brOWg13qxscTrf3g22YfI0lFEWE
    dVq/g8AjtSdjPXQ6xnhyu4bU8oG34sRJRbMI2vvTsDPiFyrgt9QvR6roOoyt5awC
    dlqh9JrjycukGpAbmNMvcGGA70SyA3mfi9xoAP2BcCJiWbvYQwwgEbxMBeZWRp7/
    8QUlF4QnKeB8F1CyJFpbeEP/YfWxaofAdgC63gfTzY1/Vza8wngvyT6HW9phq21B
    CBTiuFcptOTssVui9Y8EHIMUmnX0xtAE9wbHGAqG0Em7lBBlh7DkpLAWNKfWxDpe
    koHZKgPqCkhQUJqIQ1GLClEQaAgbsWpuLh2Dx26DtRAyvhnjmTp5xw==
    =B1+O
    -----END PGP SIGNATURE-----

  4. Re: PGP with eToken

    "Eugene Mayevski" wrote in message
    news:cbmbef$pql$1@voodoo.volia.net...
    > You can do the following:
    >
    > 1) Generate a self-signed X.509 certificate (for example using PKI Tools
    > from http://www.eldos.org/pkitools/pkitools.html)
    > 2) Save it to PFX and archive the PFX (PKI Tools lets you save the
    > generated certificate in PFX format)
    > 3) Put the certificate on the eToken using the eAladdin tools that come with
    > your token
    > 4) Use the eToken and certificate with PGP.
    >
    > This is exactly how I use it myself and this works flawlessly.


    Thanks for the tip Eugene, I had tried using OpenSSL to do the same, but
    wasn't having much luck. I'll give the tool you mention a go.

    Regards,
    Chris
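
The self-signed certificate and archived PFX that Eugene describes in post 2 are what Chris says in post 4 he had tried to produce with OpenSSL. The following is an added example, not code from any poster in this thread: the OpenSSL command sequence for those two steps (generate the RSA key pair and self-signed X.509 certificate, bundle both into a passphrase-protected PKCS#12 file), followed by the check a practitioner should run before trusting the file as a backup, namely that the PFX opens with the intended passphrase and the private key inside it matches the certificate's public key. Loading the PFX onto the token (step 3) remains the vendor tool's job and is not shown. Assumptions: only the openssl command-line tool is available; the subject name, passphrase and 2048-bit key size are placeholders (the token of this era takes 1024-bit RSA per post 3, so pass 1024 where the token requires it); the PBE-SHA1-3DES and SHA-1 MAC parameters are pinned explicitly because OpenSSL 3 otherwise emits AES-256/PBKDF2 bundles that older middleware does not read.

```shell
#!/bin/sh
# Added example (not from the thread). Builds an archivable PKCS#12 (.pfx)
# holding a self-signed X.509 certificate and its RSA private key, then
# verifies the bundle. Requires only the openssl CLI (1.0 or later).
# Subject name, passphrase and key size are placeholders.

# make_pfx_archive WORKDIR PASSPHRASE [BITS]
# Writes WORKDIR/cert.pem and WORKDIR/archive.pfx; the plaintext key file
# is deleted once it has been wrapped into the PFX.
make_pfx_archive() {
    workdir=$1
    passphrase=$2
    bits=${3:-2048}   # placeholder; use 1024 if the token only accepts that
    mkdir -p "$workdir"

    # Step 1: RSA key pair plus a long-lived self-signed certificate in one go.
    # -nodes leaves key.pem unencrypted; it exists only to feed the PFX below.
    openssl req -x509 -newkey "rsa:$bits" -nodes -days 3650 \
        -subj "/CN=PGP token key/emailAddress=chris@example.invalid" \
        -keyout "$workdir/key.pem" -out "$workdir/cert.pem" 2>/dev/null

    # Step 2: wrap key and certificate into a PKCS#12 bundle. The PBE and MAC
    # algorithms are pinned to the old PBE-SHA1-3DES / SHA-1 set so that
    # legacy token middleware can parse the file (OpenSSL 3 defaults to
    # AES-256-CBC with PBKDF2, which such middleware rejects).
    openssl pkcs12 -export -name "PGP token key" \
        -inkey "$workdir/key.pem" -in "$workdir/cert.pem" \
        -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1 \
        -passout "pass:$passphrase" -out "$workdir/archive.pfx" 2>/dev/null

    # An archive that also leaves a plaintext copy of the key behind is no
    # improvement over the keylogger problem the token was meant to solve.
    rm -f "$workdir/key.pem"
}

# verify_pfx_archive WORKDIR PASSPHRASE
# Returns 0 if archive.pfx opens with PASSPHRASE and the private key it
# contains matches the certificate's public key; 1 otherwise.
verify_pfx_archive() {
    workdir=$1
    passphrase=$2

    # Public key as carried in the certificate inside the bundle.
    cert_pub=$(openssl pkcs12 -in "$workdir/archive.pfx" -passin "pass:$passphrase" \
                   -clcerts -nokeys 2>/dev/null \
               | openssl x509 -noout -pubkey 2>/dev/null) || return 1

    # Public key derived from the private key inside the bundle.
    key_pub=$(openssl pkcs12 -in "$workdir/archive.pfx" -passin "pass:$passphrase" \
                  -nocerts -nodes 2>/dev/null \
              | openssl pkey -pubout 2>/dev/null) || return 1

    # Both must be present and identical, otherwise the "backup" would not
    # decrypt or sign for the certificate the token advertises.
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}
```

Usage: `make_pfx_archive ./keybackup 'long passphrase' 1024` then `verify_pfx_archive ./keybackup 'long passphrase' && echo ok`. Run the verification from a different machine than the one that generated the bundle before moving the PFX to offline storage; a wrong passphrase or a mismatched key makes the function return non-zero rather than silently producing an unusable archive.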



  5. Re: PGP with eToken

    "Tom McCune" wrote in message
    news:k3zDc.139131$j24.72420@twister.nyroc.rr.com...
    > PGP is supposed to be able to import 1024-bit v3 RSA keys into smart
    > cards. Is there something unique about the Aladdin eToken that prevents
    > this?


    Hi Tom,

    PGP actually sends a request to the token to generate the key pair; the end
    result is that the private key never leaves the token. This is a
    double-edged sword, as there's no way of getting the private key off the token.

    The key was generating a self-signed X.509 cert, which is now considerably
    easier following Eugene's post!!

    Cheers,
    Chris



  6. Re: PGP with eToken

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    "Can2002" wrote in
    news:40df2afa$0$58820$5a6aecb4@news.aaisp.net.uk:

    > Hi Tom,
    >
    > PGP actually sends a request to the token to generate the key pair;
    > the end result is that the private key never leaves the token. This
    > is a double-edged sword, as there's no way of getting the private key
    > off the token.
    >
    > The key was generating a self-signed X.509 cert, which is now
    > considerably easier following Eugene's post!!


    Thanks, Chris.

    I understand this:
    "The private portion of your keypair that is generated on a smart card
    never leaves the smart card—it’s not exportable. Decryption and signing
    operations take place directly on the card."

    However, there is also the option of importing a regular PGP-generated
    RSA key:
    "The exception to this is if you generate a keypair on your desktop,
    rather than on the smart card, and then afterwards copy the keypair to
    your smart card."

    Sometimes I think about using a smartcard, and can't imagine not doing
    the importing so that I could have a backup of the private key.

    -----BEGIN PGP SIGNATURE-----
    Version: PGP 8.1
    Comment: My PGP Page & FAQ: http://www.McCune.cc/PGP.htm

    iQEVAwUBQN8yD2DeI9apM77TAQJZHwf9HbAsKJ4RgBo06GRYwDgAUg0HmXVeDaaL
    NstqQwYVZLablXGwNTSUXp2s04LcAroC5EoEeyjmluV8u1/XBQWxpph1z6YB12vH
    CnN1+3He+REmQmTL1hC+GWSt20DCNqVbcQ4Hr+cIs/JgxzdswrYx3Nk4z4I07csT
    4Ntqbv2iMQ+d9if5FswH+BqYaNDyckRLlOtYUM5pIYjZijZeV+pBPXBnEAGivKbY
    +hkPq8tHFedAhMBQHjlebnQpkNkjwN9YqSgasXjadVnJ11fIOlWWi6FoMH5mtRjK
    3LWSvBY6X8889UJ5ffjG4MAHra+js1iEQoJZRnUGW2zRQk/W0I/1ng==
    =PpoA
    -----END PGP SIGNATURE-----

  7. Re: PGP with eToken

    "Tom McCune" wrote in message
    news:kmGDc.255573$hY.212803@twister.nyroc.rr.com...
    > However, there is also the option of importing a regular PGP-generated
    > RSA key:
    > "The exception to this is if you generate a keypair on your desktop,
    > rather than on the smart card, and then afterwards copy the keypair to
    > your smart card."


    Thanks again Tom,

    I'll give it a try! I hadn't thought importing an exported RSA keypair
    would actually place it on the Smartcard.

    Cheers,
    Chris



  8. Re: PGP with eToken

    In article <40df3645$0$58819$5a6aecb4@news.aaisp.net.uk>, can2002
    @nospammailDOTnet says...
    > "Tom McCune" wrote in message
    > news:kmGDc.255573$hY.212803@twister.nyroc.rr.com...
    > > However, there is also the option of importing a regular PGP-generated
    > > RSA key:
    > > "The exception to this is if you generate a keypair on your desktop,
    > > rather than on the smart card, and then afterwards copy the keypair to
    > > your smart card."

    >
    > Thanks again Tom,
    >
    > I'll give it a try! I hadn't thought importing an exported RSA keypair
    > would actually place it on the Smartcard.


    With the smart card inserted, run PGPkeys, right-click the key in
    question, and select Send To->Smart Card.

    Paul


  9. Re: PGP with eToken

    Paul B. Johnson wrote:
    > With the smart card inserted, run PGPkeys, right-click the key in
    > question, and select Send To->Smart Card.


    Thanks Paul, I feel a little silly now!

    Tested and sorted!

    Chris



  10. Re: PGP with eToken

    IMHO this is just forgetting what eTokens were initially designed for:
    storing credentials and binding them *uniquely* to the holder...
    If you get to export/import/convert or whatever, how can people be sure
    the key they're 'dealing' with is bound to you? This is another type
    of 'need', which I respect, but I think that it is outside the eToken's purpose.

    Jul

    Paul B. Johnson wrote:
    > In article <40df3645$0$58819$5a6aecb4@news.aaisp.net.uk>, can2002
    > @nospammailDOTnet says...
    >
    >>"Tom McCune" wrote in message
    >>news:kmGDc.255573$hY.212803@twister.nyroc.rr.com...
    >>
    >>>However, there is also the option of importing a regular PGP-generated
    >>>RSA key:
    >>>"The exception to this is if you generate a keypair on your desktop,
    >>>rather than on the smart card, and then afterwards copy the keypair to
    >>>your smart card."

    >>
    >>Thanks again Tom,
    >>
    >>I'll give it a try! I hadn't thought importing an exported RSA keypair
    >>would actually place it on the Smartcard.

    >
    >
    > With the smart card inserted, run PGPkeys, right-click the key in
    > question, and select Send To->Smart Card.
    >
    > Paul
    >

