Old PC as Hardware Security Module?
groups at caseyljones.net
Mon May 14 16:15:10 CEST 2007
Werner Koch wrote:
> On Mon, 14 May 2007 10:44, groups at caseyljones.net said:
>> something's wrong. Can the OpenPGP Card be set to do one operation per
>> pin entry when used with a card reader that has a keypad? This seems
> Yes, use the command "forcesig" in the --card-edit menu to toggle this
> feature. However it does not help you if the host has been compromised
> and the admin PIN is known. You can always bypass the requirement to use
> the keypad. With some social engineering this makes it easy to get
> control over the card.
That sounds great. If I understand correctly, you rarely need to use the
admin PIN, so it would be unlikely to be compromised. For example you
could use the admin PIN only after booting from a CD.
>> not in use, so that if my device falls into the wrong hands, I won't
>> have to worry too much. Does the OpenPGP Card encrypt the keys while
>> stored on the card?
> No, that does not make sense - the standard security features of the
> chip are employed to make probing the chip difficult and expensive.
Why doesn't it make sense? The chip's security features make it fairly
secure. But having the keys encrypted on the card would make it highly
secure, as long as the passphrase hadn't been captured, for example after
the card is lost, stolen, or confiscated.
>> Also, the OpenPGP Card appears to be from a German organization, like
> That is not correct. I have developed the specs along with Achim Peitig
> of a Paderborn card vendor. Achim wrote the implementation. It was
> done all on our own money and for our fun. Only later the BSI (The
> German federal IT security agency) mentioned this card as a good example
> of a usable smart card without vendor lock in.
Can the person who loads the software onto the cards be given orders by
the German court?
>> the one that developed the Java Anonymous Proxy, and was forced by the
>> German government to back door the software. Does the German government
> JAP has not been backdoored but the organisations running a JAP server
> have the ability to log the IP addresses.
OK, not backdoored, just compromised.
> The case you have in mind is
> that the lists of IP addresses have been handed over to the prosecution
> authorities. IIRC, they have not been forced to do this but did this
According to this article
it was mandated by the courts.
...the JAP team replied to the thread, admitting
that there is now a "crime detection function" in
the system mandated by the courts. But they
defended their decision:
"What was the alternative? Shutting down the
service? The security apparatchiks would have
appreciated that - anonymity in the Internet
and especially AN.ON are a thorn in their
> That is basically the same as with a TOR server: It is
> possible to log things to help the prosecution but no sane person would
> do this.
Are the authors of the Java Anonymous Proxy not sane? If they would do
it, why not ZeitControl?
> My company is running a heavy loaded exit node
> (allium.gnupg.org) and we get about one request a fortnight to tell the
> IP address. Obviously we don't do that and usually a few minutes talk
> is today sufficient to explain to them that this is an anonymizer server and
> that there is no chance to get to the IP address of the previous node.
What will you do if the court orders you to turn on logging, hand over
the logs, and keep it secret?
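The "forcesig" toggle discussed at the top of this message, as an added shell example that is not part of the original thread. It assumes GnuPG 2.x with an OpenPGP card attached: the --card-edit commands (admin, forcesig, quit), the --command-fd option and the "Signature PIN ....: forced" / "not forced" line in --card-status output are GnuPG's own; the function names and the sample status text are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the gnupg-users thread). Toggles the "one signature
# per PIN entry" flag on an OpenPGP card and checks the resulting state.

# Toggle the flag. GnuPG asks for the Admin PIN through pinentry, so this
# only needs a card and the Admin PIN; it is NOT run below because it needs
# a real card. Run it twice to switch the flag back.
toggle_forcesig() {
    printf 'admin\nforcesig\nquit\n' | gpg --command-fd 0 --status-fd 1 --card-edit
}

# Parse `gpg --card-status` text read from stdin.
# Returns 0 if the signature PIN is required for every signature,
# 1 if one PIN entry unlocks the signature key until the card is reset,
# 2 if no "Signature PIN" line was found (no card, or unexpected output).
sig_pin_forced() {
    status=$(sed -n 's/^Signature PIN *\.*: *//p')
    case "$status" in
        forced)        return 0 ;;
        "not forced")  return 1 ;;
        *)             return 2 ;;
    esac
}

# Constructed sample of the relevant --card-status lines (not real card output).
SAMPLE_FORCED='Max. PIN lengths .: 32 32 32
Signature PIN ....: forced'
SAMPLE_NOT_FORCED='Max. PIN lengths .: 32 32 32
Signature PIN ....: not forced'

# Stand-alone demonstration on the constructed samples.
if printf '%s\n' "$SAMPLE_FORCED" | sig_pin_forced; then
    echo "sample 1: every signature needs the PIN"
fi
if ! printf '%s\n' "$SAMPLE_NOT_FORCED" | sig_pin_forced; then
    echo "sample 2: one PIN entry unlocks the key for the session"
fi
# On a host with a card: gpg --card-status | sig_pin_forced
```

The check is the part a practitioner wants after toggling: read back `gpg --card-status` rather than trusting the menu, since the flag is a card-side setting that the host (and, as Werner notes, anyone holding the Admin PIN on a compromised host) can flip again.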
More information about the Gnupg-users