OpenPGP card

Last updated December 27, 2024

This is an image of an OpenPGP card from the vendor ZeitControl. This card is pre-punched to be used in ID-000 readers, as shown below

In cryptography, the OpenPGP card^[1] is an ISO/IEC 7816-4, -8 compatible smart card ^[2] that is integrated with many OpenPGP functions. Using this smart card, various cryptographic tasks (encryption, decryption, digital signing/verification, authentication etc.) can be performed. It allows secure storage of secret key material; all versions of the protocol state, "Private keys and passwords cannot be read from the card with any command or function."^[1]^[3] However, new key pairs may be loaded onto the card at any time, overwriting the existing ones.

The original OpenPGP card was built on BasicCard, and remains available at retail. Several mutually compatible JavaCard implementations of the OpenPGP Card's interface protocol are available as open source software and can be installed on generic JavaCard smart cards, including NFC-enabled cards.^[4] Nitrokey ^[5] and Yubico provide USB tokens implementing the same protocol through smart card emulation.

The smart card daemon, in combination with the supported smart card readers,^[6] as implemented in GnuPG, can be used for many cryptographic applications. With gpg-agent in GnuPG 2, an ssh-agent implementation using GnuPG, an OpenPGP card can be used for SSH authentication also.

Vendor IDs

An OpenPGP card features a unique serial number to allow software to ask for a specific card. Serial numbers are assigned on a vendor basis and vendors are registered with the FSFE.

Assigned vendor ids are:^[7]^[8]

ID	Name	Assignation date	Comment
0x0000	Testcard	Specification	Reserved for testing.
0x0001	PPC Card Systems	Specification
0x0002	Prism Payment Technologies	2005-09-02
0x0003	OpenFortress Digital signatures	2006-03-10
0x0004	Wewid AB	2008-01-26
0x0005	ZeitControl cardsystems GmbH	2009-06-02
0x0006	Yubico AB	2012-11-15
0x0007	OpenKMS	2014-01-20
0x0008	LogoEmail	2014-11-03
0x0009	Fidesmo AB	2015-10-21
0x000A	VivoKey	2016-03-12
0x000B	Feitian Technologies	2020-01-20
0x000D	Dangerous Things	2021-03-09
0x000E	Excelsecu	2021-03-09
0x000F	Nitrokey	2022-07-28
0x0010	NeoPGP	2024-05-26
0x0011	Token2	2024-05-22
0x002A	Magrathea	2009-05-25
0x0042	GnuPG e.V.	2017-11-01
0x1337	Warsaw Hackerspace	2014-12-08
0x2342	warpzone e.V.	2016-04-25
0x4354	Confidential Technologies	2018-10-04
0x5343	SSE Carte à puce	2021-06-10
0x5443	TIF-IT e.V.	<= 2020-01-28
0x63AF	Trustica s.r.o	2018-04-05
0xBA53	c-base e.V.	2020-03-03
0xBD0E	Paranoidlabs	2018-02-01
0xCA05	Atos CardOS	2022-05-10
0xF1D0	CanoKeys	2021-11-04
0xF517	Free Software Initiative of Japan	2010-09-06
0xF5EC	F-Secure	2020-02-21
0xFF00..FFFE	Random	Specification	Range reserved for randomly assigned serial numbers.
0xFFFF	Testcard	Specification	Reserved for testing.

Related Research Articles

Pretty Good Privacy (PGP) is an encryption program that provides cryptographic privacy and authentication for data communication. PGP is used for signing, encrypting, and decrypting texts, e-mails, files, directories, and whole disk partitions and to increase the security of e-mail communications. Phil Zimmermann developed PGP in 1991.

The Secure Shell Protocol is a cryptographic network protocol for operating network services securely over an unsecured network. Its most notable applications are remote login and command-line execution.

GNU Privacy Guard is a free-software replacement for Symantec's cryptographic software suite PGP. The software is compliant with the now obsoleted RFC 4880, the IETF standards-track specification of OpenPGP. Modern versions of PGP are interoperable with GnuPG and other OpenPGP v4-compliant systems.

An authenticator is a means used to confirm a user's identity, that is, to perform digital authentication. A person authenticates to a computer system or application by demonstrating that he or she has possession and control of an authenticator. In the simplest case, the authenticator is a common password.

<span class="mw-page-title-main">Public key infrastructure</span> System that can issue, distribute and verify digital certificates

A public key infrastructure (PKI) is a set of roles, policies, hardware, software and procedures needed to create, manage, distribute, use, store and revoke digital certificates and manage public-key encryption.

In cryptography, Camellia is a symmetric key block cipher with a block size of 128 bits and key sizes of 128, 192 and 256 bits. It was jointly developed by Mitsubishi Electric and NTT of Japan. The cipher has been approved for use by the ISO/IEC, the European Union's NESSIE project and the Japanese CRYPTREC project. The cipher has security levels and processing abilities comparable to the Advanced Encryption Standard.

In computer security, a key server is a computer that receives and then serves existing cryptographic keys to users or other programs. The users' programs can be running on the same network as the key server or on another networked computer.

GnuTLS is a free software implementation of the TLS, SSL and DTLS protocols. It offers an application programming interface (API) for applications to enable secure communication over the network transport layer, as well as interfaces to access X.509, PKCS #12, OpenPGP and other structures.

WinSCP is a file manager, SSH File Transfer Protocol (SFTP), File Transfer Protocol (FTP), WebDAV, Amazon S3, and secure copy protocol (SCP) client for Microsoft Windows. The WinSCP project has released its source code on GitHub under an open source license, while the program itself is distributed as proprietary freeware.

Seahorse is a GNOME front-end application for managing passwords, PGP and SSH keys. Seahorse integrates with a number of apps including Nautilus file manager, Epiphany browser and Evolution e-mail suite. It has HKP and LDAP key server support.

This is a technical feature comparison of different disk encryption software.

Gpg4win is an email and file encryption package for most versions of Microsoft Windows and Microsoft Outlook, which utilises the GnuPG framework for symmetric and public-key cryptography, such as data encryption, digital signatures, hash calculations etc.

In cryptography, Curve25519 is an elliptic curve used in elliptic-curve cryptography (ECC) offering 128 bits of security and designed for use with the Elliptic-curve Diffie–Hellman (ECDH) key agreement scheme. It is one of the fastest curves in ECC, and is not covered by any known patents. The reference implementation is public domain software.

DNSCurve is a proposed secure protocol for the Domain Name System (DNS), designed by Daniel J. Bernstein. It encrypts and authenticates DNS packets between resolvers and authoritative servers.

ssh-keygen is a standard component of the Secure Shell (SSH) protocol suite found on Unix, Unix-like and Microsoft Windows computer systems used to establish secure shell sessions between remote computers over insecure networks, through the use of various cryptographic techniques. The ssh-keygen utility is used to generate, manage, and convert authentication keys.

Libgcrypt is a cryptography library developed as a separated module of GnuPG. It can also be used independently of GnuPG, but depends on its error-reporting library Libgpg-error.

<span class="mw-page-title-main">YubiKey</span> Hardware authentication device by Yubico

The YubiKey is a hardware authentication device manufactured by Yubico to protect access to computers, networks, and online services that supports one-time passwords (OTP), public-key cryptography, authentication, and the Universal 2nd Factor (U2F) and FIDO2 protocols developed by the FIDO Alliance. It allows users to securely log into their accounts by emitting one-time passwords or using a FIDO-based public/private key pair generated by the device. YubiKey also allows storing static passwords for use at sites that do not support one-time passwords. Google, Amazon, Microsoft, Twitter, and Facebook use YubiKey devices to secure employee accounts as well as end-user accounts. Some password managers support YubiKey. Yubico also manufactures the Security Key, a similar lower-cost device with only FIDO2/WebAuthn and FIDO/U2F support.

Nitrokey is an open-source USB key used to enable the secure encryption and signing of data. The secret keys are always stored inside the Nitrokey which protects against malware and attackers. A user-chosen PIN and a tamper-proof smart card protect the Nitrokey in case of loss and theft. The hardware and software of Nitrokey are open-source. The free software and open hardware enables independent parties to verify the security of the device. Nitrokey is supported on Microsoft Windows, macOS, Linux, and BSD.

The ROCA vulnerability is a cryptographic weakness that allows the private key of a key pair to be recovered from the public key in keys generated by devices with the vulnerability. "ROCA" is an acronym for "Return of Coppersmith's attack". The vulnerability has been given the identifier CVE-2017-15361.

wolfSSH is a small, portable, embedded SSH library targeted for use by embedded systems developers. It is an open-source implementation of SSH written in the C language. It includes SSH client libraries and an SSH server implementation. It allows for password and public key authentication.

References

1 2 OpenPGP Card specification - version 3.4.1, Achim Pietig, 2020. URL: https://gnupg.org/ftp/specs/OpenPGP-smart-card-application-3.4.1.pdf
↑ The OpenPGP Card - How to use the Fellowship Smartcard - The GnuPG Smartcard HOWTO, Rebecca Ehlers, Thorsten Ehlers, et al., Free Software Foundation Europe e. V., 2005. URL: http://www.gnupg.org/howtos/card-howto/en/ch01.html#id2472312
↑ OpenPGP Card specification - version 1.1, Achim Pietig, PPC Card Systems GmbH, 2004. URL: http://www.g10code.com/docs/openpgp-card-1.1.pdf
↑ Nathan Willis (August 3, 2016). "Free software and smartcards". LWN.net .
↑ Nitrokey, https://www.nitrokey.com/
↑ Required Hardware - How to use the Fellowship Smartcard - The GnuPG Smartcard HOWTO, Rebecca Ehlers, Thorsten Ehlers, et al., Free Software Foundation Europe e. V., 2005. URL: http://www.gnupg.org/howtos/card-howto/en/ch02s02.html#id2519120
↑ OpenPGP Card Vendors. Backup URL: https://web.archive.org/web/20181115153825/https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg-verein.git;a=blob;f=office/misc/OpenPGP-Card-Vendors
↑ OpenPGP Card Vendors. https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=blob;f=scd/app-openpgp.c;h=e1ceed4bc62e41ccef1bec45561ffa5509e70d3a;hb=HEAD#l294

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.

[spec-2-1] 1 2 OpenPGP Card specification - version 3.4.1, Achim Pietig, 2020. URL: https://gnupg.org/ftp/specs/OpenPGP-smart-card-application-3.4.1.pdf

[2] The OpenPGP Card - How to use the Fellowship Smartcard - The GnuPG Smartcard HOWTO, Rebecca Ehlers, Thorsten Ehlers, et al., Free Software Foundation Europe e. V., 2005. URL: http://www.gnupg.org/howtos/card-howto/en/ch01.html#id2472312

[spec-1-3] OpenPGP Card specification - version 1.1, Achim Pietig, PPC Card Systems GmbH, 2004. URL: http://www.g10code.com/docs/openpgp-card-1.1.pdf

[4] Nathan Willis (August 3, 2016). "Free software and smartcards". LWN.net .

[5] Nitrokey, https://www.nitrokey.com/

[6] Required Hardware - How to use the Fellowship Smartcard - The GnuPG Smartcard HOWTO, Rebecca Ehlers, Thorsten Ehlers, et al., Free Software Foundation Europe e. V., 2005. URL: http://www.gnupg.org/howtos/card-howto/en/ch02s02.html#id2519120

[7] OpenPGP Card Vendors. Backup URL: https://web.archive.org/web/20181115153825/https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg-verein.git;a=blob;f=office/misc/OpenPGP-Card-Vendors

[8] OpenPGP Card Vendors. https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=blob;f=scd/app-openpgp.c;h=e1ceed4bc62e41ccef1bec45561ffa5509e70d3a;hb=HEAD#l294

[1]

[2]

[3]

[4]

[5]

[6]

[7]

[8]