Old PC as Hardware Security Module?
Robert J. Hansen
rjh at sixdemonbag.org
Mon May 14 13:45:32 CEST 2007

> What prevents the keylogger in your first example to snarf the PIN
> for the OpenPGP card and send decryption requests to the OpenPGP card,
> using the PIN code, in the background, possibly remotely controlled
> the network?

There exist cryptographic smart cards you can actually be safe
against this kind of attack with. They're pretty cool. I don't know
if the OpenPGP card is one of them or not, but it's at least possible
with a smartcard. It's not possible with a PC-controlled setup--at
least, not without a ton of specialized hardware.

> I think smart cards in general are somewhat over-rated. You have no
> idea what they are signing, and the authorization control (PIN code) is
> easy to get by with a trojan.

My objection to smartcards is more on the basis of RSA-1024 being too
short for long-term security, but hey.

The question isn't whether smart cards are secure--nothing that's got
that much RAM and processor power ever is--but whether smart cards
are a security improvement. On that one, I think they have the
potential to bring substantial amounts of win to certain kinds of
environments. To other kinds of environments, they don't. C'est la