Security 如何在不使用密钥服务器的情况下从OpenPGP智能卡获取公钥?
我正在研究一个使用OpenPGP在智能卡(Yubikey)上生成公钥对的用例 然后将智能卡发送给用户。 尝试在本地模拟此操作时,正在执行以下操作:Security 如何在不使用密钥服务器的情况下从OpenPGP智能卡获取公钥?,security,public-key-encryption,gnupg,Security,Public Key Encryption,Gnupg,我正在研究一个使用OpenPGP在智能卡(Yubikey)上生成公钥对的用例 然后将智能卡发送给用户。 尝试在本地模拟此操作时,正在执行以下操作: 在智能卡上生成密钥 删除GnuPG主目录 访问智能卡以重新生成GnuPG主目录 问题是,在执行了上述步骤之后,我无法测试加密文件,因为公钥似乎丢失了fetch似乎不起作用 在这个阶段,我不想在任何在线服务器上共享公钥。 删除钥匙环后,是否有办法从智能卡中检索公钥 以下是所遵循的步骤: $ gpg --card-edit
fetch$ gpg --card-edit
Reader ...........: 1050:0404:X:0
Application ID ...: D2760001240102010006046314290000
Version ..........: 2.1
Manufacturer .....: Yubico
Serial number ....: 04631429
Name of cardholder: sm sm
Language prefs ...: en
Sex ..............: unspecified
URL of public key : [not set]
Login data .......: sm
Signature PIN ....: not forced
Key attributes ...: rsa4096 rsa4096 rsa4096
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 0 3
Signature counter : 0
Signature key ....: 54D4 E469 7056 B390 AE72 CAA1 A507 3320 7876 0302
created ....: 2017-10-11 13:16:52
Encryption key....: ADA3 2D7F 8D66 4F34 C04A 457C DFEB E3E4 A8F1 8611
created ....: 2017-10-11 11:14:18
Authentication key: 18B9 7AB4 0723 46F4 C23A 3DD7 E5C0 6A93 049E F6A8
created ....: 2017-10-11 11:14:18
General key info..: [none]
gpg/card> admin
Admin commands are allowed
gpg/card> generate
Make off-card backup of encryption key? (Y/n) n
gpg: Note: keys are already stored on the card!
Replace existing keys? (y/N) y
What keysize do you want for the Signature key? (4096)
What keysize do you want for the Encryption key? (4096)
What keysize do you want for the Authentication key? (4096)
Key is valid for? (0) 0
Is this correct? (y/N) y
Real name: john doe
Email address: john.doe@foobar.com
Comment:
You selected this USER-ID:
"john doe <<john.doe@foobar.com>"
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
gpg: /home/xxx/.gnupg/trustdb.gpg: trustdb created
gpg: key 6825CB0EBDA94110 marked as ultimately trusted
gpg: directory '/home/xxx/.gnupg/openpgp-revocs.d' created
gpg: revocation certificate stored as '/home/xxx/.gnupg/openpgp-revocs.d/6858F119E93FB74BB561DE556825CB0EBDA94110.rev'
public and secret key created and signed.
gpg/card> list
Reader ...........: 1050:0404:X:0
Application ID ...: D2760001240102010006046314290000
Version ..........: 2.1
Manufacturer .....: Yubico
Serial number ....: 04631429
Name of cardholder: sm sm
Language prefs ...: en
Sex ..............: unspecified
URL of public key : [not set]
Login data .......: sm
Signature PIN ....: not forced
Key attributes ...: rsa4096 rsa4096 rsa4096
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 0 3
Signature counter : 4
Signature key ....: 6858 F119 E93F B74B B561 DE55 6825 CB0E BDA9 4110
created ....: 2017-10-11 13:18:11
Encryption key....: BE05 7FDF 9ACD 05F0 B75A 570F 4711 4B69 A622 C1DC
created ....: 2017-10-11 13:18:11
Authentication key: 7275 2C47 B1EF BFB5 1E6D 0E65 31C7 7DBE 2D22 7E32
created ....: 2017-10-11 13:18:11
General key info..: pub rsa4096/6825CB0EBDA94110 2017-10-11 john doe <<john.doe@foobar.com>
sec> rsa4096/6825CB0EBDA94110 created: 2017-10-11 expires: never
card-no: 0006 04631429
ssb> rsa4096/31C77DBE2D227E32 created: 2017-10-11 expires: never
card-no: 0006 04631429
ssb> rsa4096/47114B69A622C1DC created: 2017-10-11 expires: never
card-no: 0006 04631429
gpg/card> quit
$ rm -rf .gnupg/
$ gpg --card-status
gpg: directory '/home/smalatho/.gnupg' created
gpg: new configuration file '/home/smalatho/.gnupg/dirmngr.conf' created
gpg: new configuration file '/home/smalatho/.gnupg/gpg.conf' created
gpg: keybox '/home/smalatho/.gnupg/pubring.kbx' created
Reader ...........: 1050:0404:X:0
Application ID ...: D2760001240102010006046314290000
Version ..........: 2.1
Manufacturer .....: Yubico
Serial number ....: 04631429
Name of cardholder: sm sm
Language prefs ...: en
Sex ..............: unspecified
URL of public key : [not set]
Login data .......: sm
Signature PIN ....: not forced
Key attributes ...: rsa4096 rsa4096 rsa4096
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 0 3
Signature counter : 4
Signature key ....: 6858 F119 E93F B74B B561 DE55 6825 CB0E BDA9 4110
created ....: 2017-10-11 13:18:11
Encryption key....: BE05 7FDF 9ACD 05F0 B75A 570F 4711 4B69 A622 C1DC
created ....: 2017-10-11 13:18:11
Authentication key: 7275 2C47 B1EF BFB5 1E6D 0E65 31C7 7DBE 2D22 7E32
created ....: 2017-10-11 13:18:11
General key info..: [none]
$gpg——卡片编辑
读卡器:1050:0404:X:0
应用程序ID…:D2760001240102010006046314290000
版本:2.1
制造商:尤比科
序列号:04631429
持卡人姓名:sm
语言优先…:en
性别:未指明
公钥的URL:[未设置]
登录数据……:sm
签名PIN:不强制
关键属性…:rsa4096 rsa4096 rsa4096
最大销长度:127
PIN重试计数器:3 0 3
签名柜台:0
签名密钥:54D4 E469 7056 B390 AE72 CAA1 A507 3320 7876 0302
创建时间:2017-10-11 13:16:52
加密密钥….:ADA3 2D7F 8D66 4F34 C04A 457C DFEB E3E4 A8F1 8611
创建时间:2017-10-11 11:14:18
身份验证密钥:18B9 7AB4 0723 46F4 C23A 3DD7 E5C0 6A93 049E F6A8
创建时间:2017-10-11 11:14:18
常规密钥信息:【无】
gpg/卡>管理员
允许使用管理命令
gpg/卡>生成
是否对加密密钥进行卡外备份?(是/否)否
注意:钥匙已经存储在卡上了!
替换现有密钥?(是/否)是
您希望签名密钥的密钥大小是多少?(4096)
您希望加密密钥的密钥大小是多少?(4096)
您希望身份验证密钥的密钥大小是多少?(4096)
密钥对有效吗?(0) 0
这是正确的吗?(是/否)是
真名:约翰·多伊
电子邮件地址:约翰。doe@foobar.com
评论:
您选择了此用户ID:
“john doe它要求用户在删除GNUPGHOME目录之前手动导出公钥,然后在智能卡中重新导入公钥
$ gpg --armor --export j.doe@example.com > public.asc
$ rm -rf ~/.gnupg
$ gpg --import public.asc
OpenPGP智能卡存储的信息不足,无法重建完整的OpenPGP公钥。您必须单独导入公钥——在密钥服务器上共享公钥是一种解决方案,但您也可以gpg-导出
密钥,然后gpg-再次导入
密钥进行测试。我认为密钥服务器存储的信息相同作为本地公钥环进行确认?实际上,密钥服务器只提供未经验证/未经验证的密钥,并根据密钥ID或指纹(长密钥ID和指纹定义了一个给定的密钥,碰撞几率非常低)或用户ID(根本不进行验证,只需在密钥服务器网络中搜索president@whitehouse.gov
)。从这个意义上说,上传到存储库的密钥是一个更强大的概念,因为它允许如上所述的“首次使用时信任”。无论您以何种方式检索密钥(从存储库、密钥服务器)您仍然需要验证密钥。是否至少有一些关于公钥的部分信息可以从OpenPGP智能卡中提取?如何提取?密钥的指纹存储在卡上,可以用作从密钥服务器获取公钥的参考(如果上载到卡上).非常感谢。当我换上一台新笔记本电脑时,我一直在寻找解决这个问题的方法,但我的提交签名失败了!