Management of signature keys for government

Brian Gladman gladman at seven77.demon.co.uk
Sun, 1 Mar 1998 13:35:48 -0000


-----Original Message-----
From: Markus Kuhn <Markus.Kuhn@cl.cam.ac.uk>
To: ukcrypto@maillist.ox.ac.uk <ukcrypto@maillist.ox.ac.uk>
Date: 01 March 1998 10:53
Subject: Re: Management of signature keys for government


>Thomas Womack wrote on 1998-02-27 23:36 UTC:
>> >Now since even the best RSA smartcards take 30 seconds plus to
>> >generate a keypair, while a standard card personalisation line handles
>> >several cards a second, bank customer keys are generated externally
>> >and injected into the cards.
>>
>> Why isn't pipelining possible here? Set up the cards, attach power pack,
>> send the 'generate your key' instruction, continue to the next processing
>> phase, wait 30 seconds, remove power pack.
>
>It is naive to assume that key generation inside the card adds you
>any security over external key generation in the card personalization
>machine.

Yes, but surely the aim is to make the totality of the environment that has
to be trusted as 'small' as possible.  By its nature an on-card 'key
generation environment' will typically be much simpler than an environment
involving both on and off card elements and this means that ***if*** we can
do all the things we need to do on the card we will then have a simpler task
in convincing ourselves that the total environment involved in key
generation is trustworthy.

I would accept that we cannot look at the key generation issue in isolation
but even so my assumption has been that we accept both on and off card
components for key generation simply because smart-cards are not capable
enough of doing what we need completely on the card.  If this is correct,
the issue is a practical one and does not undermine the possibility that a
key generation solution achieved completely on the card might offer a better
basis for trust. I certainly have considerable sympathy with this as a
desirable objective (provided of course that we have suitable mechanisms in
place for design and implementation scrutiny at card level - do we?).

>The card personalization lines are usually the places where not only the
>keys are generated but also where the smartcard operating system is
>uploaded
>using the smartcard's boot ROM. If you trust the key-generation software
>inside a smartcard, then you also have to trust the entire system involved
>in the EEPROM upload of this software, as there you can tamper with the key
>generation at any place as well. Even if the key is generated inside
>the smartcard, a weak key generator could have been used in the
>card or the card software could have been tampered with to leak the key after
>generation. Smartcard operating systems allow EEPROM overwrites of
>software, therefore evidence of such manipulation could even be removed
>by overwriting the relevant code with a more secure one after key
>generation. I hope this makes clear that in-card key generation does not
>make it unnecessary to include the personalization facilities into the
>trusted computing base.

It seems so and this makes smartcards an inadequate vehicle for really good
security at the moment.  For some defence applications in which I have been
involved we had to adopt the PCMCIA card format for just this reason.
However smartcards are improving steadily and it may be possible before too
long to do more on the basic card (i.e. before it is personalised) including
fast key generation and verification.  Of course this means that scrutiny of
the basic card will be even more vital but this is hardly a problem since if
this is subverted we are dead anyway.

While on the subject, I keep hearing about a UK government project to provide
some sort of smart-card based identity card for UK citizens.   Does such a
project exist and, if so, where can I find out about it?

   Brian