How secure is GnuPG

Janusz A. Urbanowicz alex@FUCKUP.fantastyka.net
Thu Jul 25 11:19:09 2002


> From: Janusz A. Urbanowicz [mailto:alex@FUCKUP.fantastyka.net]
> >But there is a way to avoid passphrase logging with
> >keylogger. The solution was used in Tinfoil Hat Linux
> >(and it was the only interesting thing in it). It works
> >like that - for every letter off passphrase, there is a
> >random table of characters displayed and user enters
> >coordinates of appropriate letter. Since new table is
> >generated every time, keyloggers are defeated. But, it
> >is very inconvenient.
> 
> But couldn't a skilled root-level attacker that new about this
> approach sniff the keyboard and the screen, allowing the eavesdropper
> to reconstruct the password?

It is perfectly possible. I was also thinking about larger caliber - both
radio and optical TEMPEST for interception.

There's always SOME way to defeat crypto-user. The only thing that I can't
directly tell ways of defeating (except of stealing it) is trusted hardware
crypto token that actually can display the data it works on so the user is
sure what he is signing/decrypting. In short - use GPG on a notebook.

Alex