OpenPGP card
The OpenPGP card is a hardware security module in the form of an ISO/IEC 7816-4 and 7816-8 compatible smart card that implements the OpenPGP standard for the secure storage and management of cryptographic keys, enabling operations such as digital signing, encryption, decryption, and authentication without ever exposing the private keys to the host system.[1][2] Designed primarily for integration with GnuPG and compatible software, it provides a tamper-resistant environment for key usage, protecting against theft or unauthorized access by keeping private keys confined to the card's secure element.[3][1] Key features of the OpenPGP card include support for up to three independent RSA key pairs—for signing, encryption, and authentication—with lengths ranging from 1024 to 4096 bits, as well as on-card key generation to ensure keys are created in a secure environment.[1][3] Later versions, such as 3.0 and above, extend compatibility to elliptic curve cryptography (ECC) algorithms, enhancing efficiency for modern applications.[3] The card also stores additional data like cardholder information, X.509 certificates (from version 2.0 onward), a signature counter to detect replay attacks, and optional login details or public key URLs for easy key retrieval.[1][2] Security is enforced through PIN-based authentication, with user (PW1) and admin (PW3) PINs requiring minimum lengths of 6 and 8 characters, respectively, along with retry counters limited to three attempts before lockout, and a factory reset option via a resetting code.[2] It operates over the T=1 protocol, ensuring broad compatibility with standard smart card readers, and supports secure messaging with algorithms like Triple-DES or AES for protected communication.[1][2] Development of the OpenPGP card began with version 1.0 in 2003, followed by 1.1 in 2004, 2.0 in 2009, and the latest 3.4.1 specification released in 2020, all maintained as open standards without licensing restrictions to promote widespread adoption.[3] The project originated from efforts by g10 Code GmbH and is closely tied to the GnuPG ecosystem, with initial support integrated into GnuPG versions 1.4 and 2.0 as early as 2004.[1] Implementations are available in various form factors, including standard ID-1 cards, SIM-sized modules, and USB tokens like those from Nitrokey, produced by manufacturers such as ZeitControl cardsystems GmbH and distributed through vendors like FLOSS-Shop.[1][3] Software support extends beyond GnuPG to tools like OpenSC for PKCS#15 compatibility and pkcs15-init for key management, making it a versatile tool for privacy-focused users in email encryption, software signing, and secure authentication.[3]Overview
Definition and Purpose
The OpenPGP card is an ISO/IEC 7816-4 and -8 compatible smart card that implements the OpenPGP application for performing cryptographic operations such as digital signing, decryption, and authentication.[4] This hardware security module integrates the non-proprietary OpenPGP standard, defined in RFC 4880, which specifies the format and methods for public-key cryptography, including key generation, message encryption, and digital signatures.[5] By adapting OpenPGP protocols to a smart card environment, the device provides a portable and tamper-resistant platform for secure key handling in various computing ecosystems.[4] The primary purpose of the OpenPGP card is to store secret key material securely within the card's protected memory, allowing users to conduct hardware-accelerated cryptographic operations without ever exposing private keys to the host computer or external systems.[4] This design ensures that sensitive operations, such as signing data or decrypting messages, are executed entirely on the card, minimizing risks associated with software-based key management on potentially compromised devices.[4] As a result, the card serves as a robust tool for enhancing privacy and data integrity in applications ranging from email encryption to secure authentication protocols.[5] A fundamental security principle of the OpenPGP card is that private keys and associated passwords (or PINs) cannot be extracted or read from the card using any standard command, a requirement enforced across all versions of the application protocol.[4] This non-exportability feature, rooted in the smart card's hardware isolation, protects against unauthorized access even if the host system is breached, thereby upholding the confidentiality and non-repudiation guarantees of OpenPGP cryptography.[4]Historical Development
The development of the OpenPGP card began in the early 2000s with the initial commercial implementation on the BasicCard platform by ZeitControl cardsystems GmbH, which provided a programmable smart card foundation for the OpenPGP application.[6] This marked the first hardware realization of the standard, enabling secure key storage and cryptographic operations on ISO 7816-compliant cards.[7] The formal specification evolved through successive versions to enhance functionality while maintaining backward compatibility. Version 1.0 was released in 2003, followed by version 1.1 in 2004, which introduced optional data objects for private use with varying access conditions.[7] Version 2.0 arrived in 2009, adding support for longer keys and improved application identifiers.[2] The specification progressed to version 3.0 in 2010 and culminated in version 3.4.1 by 2020, incorporating enhancements like extended length information and additional private use data objects.[8][4] Open-source implementations expanded accessibility, particularly through JavaCard-based applets that allow deployment on generic smart cards, including those with NFC capabilities for contactless operation. Projects such as SmartPGP and the Java Card OpenPGP Card provide free, verifiable code compliant with the specification, enabling broader adoption without proprietary hardware dependencies.[9][10] The Free Software Foundation Europe (FSFE) played a key role in standardizing manufacturer identification by assigning unique vendor IDs to registered producers, ensuring interoperability and promoting open standards without cost barriers.[2] Advancements in cryptography drove specification updates, notably the addition of elliptic curve cryptography (ECC) support in version 3.0 alongside traditional RSA, allowing for more efficient key sizes and reflecting shifts toward modern elliptic curves like NIST and Brainpool.[8] This evolution has facilitated seamless integration with tools like GnuPG from its early versions onward.[11]Technical Specifications
Standards Compliance
The OpenPGP card is designed to comply with ISO/IEC 7816-4, which specifies the organization, security, and commands for interchange in integrated circuit cards, ensuring standardized application structures and protocol handling for smart card operations.[12] Additionally, it adheres to ISO/IEC 7816-8, which defines interindustry commands and mechanisms for security operations, including secure messaging and key establishment protocols to support cryptographic functions on the card.[12] These compliances enable consistent interoperability across diverse smart card readers and host systems. The OpenPGP card application follows the OpenPGP Card Application specification, a functional standard developed by the GnuPG project that outlines mandatory Application Protocol Data Units (APDUs) for core cryptographic operations, such as the PSO: COMPUTE DIGITAL SIGNATURE command (INS 2A) for signing and the PSO: DECIPHER command (INS 2A) for decryption.[12] Key pair loading and overwriting are supported through specific APDUs like PUT DATA (with odd INS values for extended headers per ISO/IEC 7816-8) and GENERATE ASYMMETRIC KEY PAIR, which require authentication via PW3 and maintain stateless operation by limiting user PIN (PW1) validity to a single command unless configured otherwise.[12] Feature evolution in the specification ensures backward compatibility while introducing enhancements; for instance, version 3.0 added support for Elliptic Curve Cryptography (ECC) operations like ECDSA for signing and ECDH for key derivation, building on prior RSA-focused capabilities without disrupting existing implementations.[12] Interoperability with the broader OpenPGP ecosystem is achieved through alignment with RFC 4880, which standardizes message formats, algorithm identifiers (e.g., for SHA-256 hashing), and packet structures used in signing and encryption processes on the card.[13][12]Key Management and Storage
The OpenPGP card supports the generation of up to three asymmetric key pairs directly on the device: one for signing (Key Reference 1), one for encryption and decryption (Key Reference 2), and one for authentication (Key Reference 3). This process uses theGENERATE ASYMMETRIC KEY PAIR command (CLA=00/0C, INS=47), which requires verification of the admin PIN (PW3) and returns the public key portion for external use, while the private key remains securely on the card.[4] The generation resets the digital signature counter and allows the terminal to compute and store key fingerprints afterward.[4] Alternatively, starting with version 3.2, key pairs can be imported from external sources using the PUT DATA command with an odd INS value (0xDB) and an Extended Header List (DO 4D), supporting both RSA and ECC algorithms; this requires PW3 verification and follows ISO 7816-8 formatting with a Control Reference Template (e.g., 0xB6 for signature keys) and a Cardholder Private Key Template (DO 7F48).[4]
Private keys are stored in the card's secure non-volatile memory and are non-extractable, meaning no command allows reading or exporting the private components to prevent compromise.[4] Public keys, however, are exportable via the GET DATA command and can be retrieved in formats such as DER-encoded for RSA (DO 7F49) or raw for ECC (DO 86).[4] The card supports RSA key sizes of 2048 bits or higher, with implementations allowing up to 4096 bits, and ECC curves starting at 256 bits, including secp256r1, secp384r1, secp521r1, and Brainpool variants up to 521 bits, as specified for operations like ECDSA and ECDH.[4][3]
Key management involves overwriting existing keys during new generation or import, where mismatched algorithm attributes trigger internal deletion or disablement of prior keys.[4] There is no dedicated on-card revocation procedure for OpenPGP keys, which are typically revoked off-card via standard PGP methods; instead, the card can be reset to its initial state using the TERMINATE DF command (INS=E6), which erases all keys, PINs, and data after PW3 verification, or the ACTIVATE FILE command to restore defaults.[4] Updates, such as changing key attributes or PINs, require admin PIN (PW3) modification via the CHANGE REFERENCE DATA command (INS=24).[4]
For key identification, the card stores fingerprints—20-byte SHA-1 hashes for each of the three keys—in Data Object C5 (60 bytes total).[4] Recovery capabilities include a Reset Code (RC, stored in DO D3, minimum 8 characters), which serves as a backup mechanism to reset the user PIN (PW1) retry counter after failed attempts, preventing permanent lockout without full card erasure.[4] This RC must be set during initialization and acts as a recovery token for PIN-related access issues.[4]