This document details how to use PGP on Windows with a USB smartcard token, specifically the ePass2000 network token.

The token used for this tutorial was kindly provided by OpenFortress, a technology provider specialized in applications of digital signatures.

Why?

The token makes it much easier for the user: no need to remember long passphrases. Just put the token into an USB slot and type in a small pincode of 4 to 8 characters. By making it easier for the user, security is improved: people will not need to write down their passphrases or use very short and insecure passwords.

The same token can be used for multiple applications. There is enough memory on the smartcard to store multiple keys and due to the standard pkcs#11 and microsoft cryptoapi interfaces almost any application supporting smartcards works just fine with the ePass2000. Examples for desktops are: logging on to a Windows Domain Server (supported by Windows 2000, XP and 2003), and from OpenFortress a solutionfor SSH logins (a Linux version is finished, a Windows prototype is available).

Why not?

If you lose or damage your token: you lose your private key and any data encrypted to it. Because the key is generated inside the token and cannot leave it, it is not possible to make a backup of the private key.

Also, the token only supports 1024 bit RSA, which according to some is inadequate. Tokens supporting 2048 bits are however already entering the market. And in any case, a 1024 bit Verisign RSA root key still secures online banking for millions of people, so why worry?

How does it work?

In short, the USB token internally is a combination of a smartcard reader and a smartcard in one package, which can be connected to a USB port. An application can then talk to the smartcard and ask it to do some cryptographic operation, like signing or decrypting some data. Of course the token will only execute this operation when supplied with the correct pin code.

When a keypair is generated on the token, the private key never leaves the token. Therefore, all private key operations need to be done by the token itself.

For efficiency reasons, PGP (as any other application using public key cryptography) does not encrypt or sign all data with a public key primitive. For encryption, all data is encrypted to a secret random symmetric key. This symmetric key is then encrypted to a public key. For decryption, PGP just sends the encrypted symmetric key to the token for decryption and after retrieving the secret symmetric key, all data is decrypted without using the token. That way, even if the encrypted file is for example one gigabyte in size, only a few hundred bytes are exchanged on the relatively slow usb link, while still maintaining the same security. For signatures a similar procedure is used: the signature is done over a hash or message digest of the full message

PGP on a token

In the final section of this document, we will detail how to configure PGP for token usage.

Requirements

In order to use ‘PGP on a token’, you need:

• An ePass2000 cryptographic token, obviously
• PGP 8, any paid-for version. The freeware version will not work.

It it also assumed that the token has been formatted and that the drivers for
the token are installed.

Configuration of PGP

First of all, open the PGPKeys application and go to the advanced tab of the options dialog.

Go to the Smart Card Support drop down box and select Other.

Enter the location of the ePass pkcs#11 dynamic link library, which is by default installed in c:\windows\system32\ep2pk11.dll. Click close twice and your PGP is ready to use the token.

Generating a key on the token

First, open the new key creation wizard.

Click on Expert

Enter the required name and e-mail address and select the ‘Generate key on Smart Card’ checkbox.

After waiting for about 30 seconds, the key has been generated on the smart card and you are ready to use it.

Using it

Use PGP normally as you would do when the private key is in the private key file on your hard disk. When asked to enter the passphrase, enter the pin code of the token instead.

PGP will automatically detect when the token is taken out of the USB port and put back in. Below are two screenshots showing the difference in PGPKeys: in the first the token is in the USB port, in the second it has been removed, showing that PGP at that point only knows about the public key.