Old PC as Hardware Security Module?

Robert J. Hansen rjh at sixdemonbag.org
Mon May 14 13:45:32 CEST 2007


> What prevents the keylogger in your first example to snarf the PIN code
> for the OpenPGP card and send decryption requests to the OpenPGP card,
> using the PIN code, in the background, possibly remotely controlled over
> the network?

There exist cryptographic smart cards you can actually be safe  
against this kind of attack with.  They're pretty cool.  I don't know  
if the OpenPGP card is one of them or not, but it's at least possible  
with a smartcard.  It's not possible with a PC-controlled setup--at  
least, not without a ton of specialized hardware.

> I think smart cards in general are somewhat over-rated.  You have no
> idea what they are signing, and the authorization control (PIN code) is
> easy to get by with a trojan.

My objection to smartcards is more on the basis of RSA-1024 being too  
short for long-term security, but hey.

The question isn't whether smart cards are secure--nothing that's got  
that much RAM and processor power ever is--but whether smart cards  
are a security improvement.  On that one, I think they have the  
potential to bring substantial amounts of win to certain kinds of  
environments.  To other kinds of environments, they don't.  C'est la  
vie.







More information about the Gnupg-users mailing list