search

github-af / SmartPGP

SmartPGP is a JavaCard implementation of the OpenPGP card specifications
GNU General Public License v2.0
227 stars 47 forks source link

How to setup KDF-DO? #5

Closed alphazo closed 1 year ago

alphazo commented 6 years ago

I have noticed the commands set-kdf and get-kdf but don't know what file is required as input and more generally how to setup and use kdf on the host PC and card. Can you post some pointers?

BTW, is this related to the recent work on kdf-do like https://dev.gnupg.org/T3823?

af-anssi commented 6 years ago

The content of KDF-DO is given page 19 of OpenPGP v3.3 specification. As depicted in the OpenPGP specification, it is up to the card's client to derivate PIN codes before they are sent to the token/card/applet which is only responsible for holding the KDF parameters. The setup/use of KDF-DO for PIN codes is ongoing work for GnuPG, as you noticed. I don't think there is ongoing work for OpenKyechain. So it has not been tested yet, and the SmartPGP applet may change if we have to fix a problem.

af-anssi commented 6 years ago

Recent changes related to KDF support have been introduced in the STABLE-BRANCH-2.2 of GnuPG: https://dev.gnupg.org/source/gnupg/history/STABLE-BRANCH-2-2/

I have not tesed those changes yet, so if you encounter a problem, please let me know and I will investigate.

persmule commented 4 years ago

On a JCOP J3D081 just programmed with SmartPGP built from current branch javacard-3.0.1 (which means PINs are on their factory value), invoking kdf-setup from GnuPG's --edit-card causes PINs becoming invalid, which should not be the case as discussed in https://dev.gnupg.org/T3891 .

af-anssi commented 4 years ago

The issue on GnuPG is still opened, so it is still not functional with SmartPGP. By the way, the support of KDF in SmartPGP was not entirely functional and tested. I just implemented the missing part in SmartPGP (see commit 9b77f6c).

In addition, I created an additional command called setup-kdf in the smartpgp-cli utility in the repository which implements strictly the script I mentionned in the GnuPG opened ticket (see https://dev.gnupg.org/T3891#114950).

The KDF is functional now with GnuPG, the only exception is the setup (which needs to be done only one time) which has to be done with the smartpgp-cli utility until it is correcty implemented in GnuPGP.

af-anssi commented 1 year ago

GnuPG issue 114950 has been marke resolved in GnuPG 2.3.0.