Don't store your key on a flash drive! [was Re: GnuPG (GPG)
Problem]
David Shaw
dshaw at jabberwocky.com
Sun Aug 20 03:17:58 CEST 2006
On Sat, Aug 19, 2006 at 02:37:28PM -0500, Robert J. Hansen wrote:
> > The OpenPGP smartcard is a much safer option, since it will not give
> > up the private key (even if you have the password), and will lock
> > itself after 3 incorrect password attempts. (And after 3 incorrect
> > Admin PIN attempts, it will destroy itself, which is pretty
> > inconvenient for someone trying to steal your key.) Compare this to
> > a pen drive that will let anyone copy off the secret key and guess
> > the passphrase on their friendly local supercomputer cluster.
>
> The entire point of a passphrase on a key is so that even if the
> attacker _does_ have a supercomputer cluster it will be of no use. An
> OpenPGP card may allow you to get away with a weaker passphrase, but
> there's nothing inherently dumb about putting a private key on a USB
> dongle as long as the passphrase is sufficiently strong.
This is quite correct and frequently misunderstood. After all, the
secret key encryption is essentially the same symmetric encryption
that is used to encrypt messages. If you're trusting it to protect
your messages, you probably should trust it to protect your key as
well.
The big difference, as I see it, between a smartcard and a flash key,
is not so much in how it protects the key "at rest" (i.e. a stolen
smartcard or flash key), but how it protects the key when in use.
A flash key has a mountable filesystem with actual files on it. A
compromised host machine could copy the secret key file, while
simultaneously keylogging the passphrase for it.
A smartcard cannot give up the secret key in normal use - there is
simply no interface to do that. (I'm not counting electron
microscopes and the like as "normal use" here. Normal use is sticking
the card into a reader.) A compromised host machine could keylog the
passphrase, but can't get the key.
In either case, a compromised host can *use* the key, say to decrypt
something, or make a signature.
> Speaking for myself, I have doubts about the long-term security of
> RSA/1024. I much prefer RSA/2048 instead. Thus, the OpenPGP card fails
> to meet my own security policy... whereas storing a copy of my private
> key on my USB dongle, with a high-security passphrase, is a far better
> solution than an OpenPGP card.
Yes. Smartcards really lag behind what general purpose machines can
generate. 1024 is fairly rare these days, and even 4096 is becoming
more common.
David
More information about the Gnupg-users
mailing list