Old PC as Hardware Security Module?

Robert J. Hansen rjh at sixdemonbag.org
Mon May 14 13:45:32 CEST 2007

> What prevents the keylogger in your first example to snarf the PIN code
> for the OpenPGP card and send decryption requests to the OpenPGP card,
> using the PIN code, in the background, possibly remotely controlled over
> the network?

There exist cryptographic smart cards you can actually be safe  
against this kind of attack with.  They're pretty cool.  I don't know  
if the OpenPGP card is one of them or not, but it's at least possible  
with a smartcard.  It's not possible with a PC-controlled setup--at  
least, not without a ton of specialized hardware.

> I think smart cards in general are somewhat over-rated.  You have no
> idea what they are signing, and the authorization control (PIN code) is
> easy to get by with a trojan.

My objection to smartcards is more on the basis of RSA-1024 being too  
short for long-term security, but hey.

The question isn't whether smart cards are secure--nothing that's got  
that much RAM and processor power ever is--but whether smart cards  
are a security improvement.  On that one, I think they have the  
potential to bring substantial amounts of win to certain kinds of  
environments.  To other kinds of environments, they don't.  C'est la  

More information about the Gnupg-users mailing list