Christian Buysschaert wrote:
> 
> 
> Erwann, do you actually say that using the GemSAFE card will 'upgrade'
> the crypto in your crypto-disabled browser? That is, you can create 1024bit
> keys and use them in your browser to do SSL/SMIME? I've got the same
> package (in fact we've got lots of them ;-) ) and to my knowledge
> they are also limited in crypto. (Even when we patched our Netscape with
> Fortify, it didn't work! :-( )
> 

My experience with Netscape is different. 

For the export crippled weak crypto version:

It won't generate keys larger than 512 bits but they can be imported and
used for S/MIME and SSL clients but it uses ephemeral RSA for server keys
larger than 512 bits.

In smartcard terms it won't send a PKCS#11 request to generate a key
larger than 512 bits but it will use one if it already exists.

Similarly it won't make any use of strong crypto in a PKCS#11 library.

In my experience the fortified version has none of these restrictions
though older versions of Fortify didn't remove the key generation and
S/MIME restrictions.

> IE4 in fact will NEVER allow strong crypto as they use CSP
> (Cryptographic Server Providers) which have to be signed by
> Microsoft. Thereby all strong crypto CSPs developed outside the
> US must go back in for the signing by Microsoft and can't get out
> anymore in their strong crypto form.
> 

IE4 is indeed another matter. It is of course possible to disable the
CSP check and run unsigned CSPs: no I don't have details.

The standard crippled base CSP will allow signature only key generation
and use for keys > 512 bits.

A bug in MSIE 4 means you can't use these for SSL authentication but
apparently MSIE 5 beta fixes this.

Steve.
-- 
Dr Stephen N. Henson. UK based freelance Cryptographic Consultant. 
For info see homepage at http://www.drh-consultancy.demon.co.uk/
Email: [EMAIL PROTECTED]
NOTE NEW (13/12/98) PGP key: via homepage.


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
