Using a 3072 bit key on a OpenPGP 2.0 card with GnuPG 2.0.12+patches from issue
1094 fails with a card error. Signing and SSH logins works great and I've
succesfully transferred 3072 bit keys to the card, but DECIPHER fails with this:
2009-08-17 12:16:06 scdaemon[5132] DBG: response: sw=640A datalen=0
Looking at the spec, 640A doesn't even look like a valid error?
What other information can I provide?
This is the relevant lsusb output:
Bus 001 Device 005: ID 0b97:7762 O2 Micro, Inc. Oz776 SmartCard Reader
I forgot to mention, by the way, that everything worked fine with my old
Fellowship card (which I lost).
According to http://pcsclite.alioth.debian.org/shouldwork.html#0x0B970x7762
this reader should work but it has not been tested.
From your description is seems that it works with short APDUs but nut properly
with extended length APDUs which are required for decryption of keys >= 2048
bit. The problem with 3072 bit keys may be due to internal buffer limitations
in the reader of in libccid.
I have no experience with these low-end readers (character level exchange) but
given all the problems with extended lengths APDUs, it is not unlikely that it
just does not work.
Given that you need to use libccid (i.e. pcscd), I'd recommend to ask the
libccid maintainer to look at a dump created with pcscd.
Does the fact that I can encrypt, sign, and authenticate correctly with 3072 bit
keys affect your hypothesis?
This is now a known problem. The likely reason is bug in the card's code. The
workaround is to forget about card based 3072 bit encryption keys.
FWIW, encryption is not done by the card.
We can't do anything about it.
Cards with manufacturer id 5 and serial numbers up to 346 (0x15a) are affected.
Newer cards work fine.