Old PC as Hardware Security Module?

Andrew Berg bahamut at digital-signal.net
Mon May 14 16:32:10 CEST 2007


-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160
 
Robert J. Hansen wrote:
>> I've been considering getting an OpenPGP Card, but there are
>> three reasons I'm reluctant to. The main one is that I want
>> something that will only do one signature or decryption at a
>> time. That way if my machine is compromised, I'll only suffer one
>> hit before I'll notice something's wrong.
>
> The OpenPGP card actually gives you a substantial advantage in this
>  situation.
>
> Let's say that you're running GnuPG on a PC and I'm able to subvert
>  the box.  I put in a keylogger and snarf your passphrase.  I also
>  copy your private keyring and mailspool off the box.  I can now
> read your mail without ever touching it, except to copy a couple of
> files and install a small app.  You're none the wiser.
>
> Compare this to an OpenPGP card, where I have to find you in a dark
>  alley and have a conversation with your kneecaps to get your card
> and PIN.  You will most probably know that something has happened
> to you.

If you have enough physical access and time to compromise a Linux box,
install a stealthy keylogger and then harvest the logs at a later
time, all without being caught, I think you can snoop around and find
the card and compromise it. Then again, I don't see how you would have
access to the mail if you get the card and its PIN, even if you don't
get caught, without access to either the box or the mailserver of the
email provider assigned to your victim (and in the case of the latter,
you'd only likely have access to new mails anyway).
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
 
iQEVAwUBRkhy6viOA0Bgp4/LAQMD1QgA0b/+0Snz4UH/7McPZ6L0jMbzOmfyTq01
FfYkrVDRSJ4bAW2J63FAedJ/gEdNisyNgu76I6rsTB1WTg3bKQ3t8NkqauRBRUEn
bXnAkMH952kNCPaoNNDfLsVBkRb5buXYQTJGXqR6Cji/VY2b+IMwAMQC45bGgHBK
T/N3TZ6imuwG80pmha48StRdyXdXS3YYH7m6ZswAWnzl4P8EleMSUe6nyCarPTeN
3R3g2rvPjQLLA2gIR6lxL4A//g+Un7lwvegdsSNgzoA3mIePKmpAdPwiIAESPqYL
aRRozgseOjXnt5ip8Z0oBAJnt4+xaQ16NvI38LaCt0rc+eP21BNixw==
=W5n1
-----END PGP SIGNATURE-----
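The exchange above turns on one question: after an attacker copies the keyring and keylogs the passphrase, does the copied keyring actually contain the private key, or only a stub pointing at a card? The script below is an added example (not from either poster) that answers that from GnuPG's machine-readable output. It assumes a modern GnuPG (2.x) and the field layout documented in doc/DETAILS for --with-colons listings: field 15 of a sec/ssb record carries the serial number of the token holding the key, '#' for a stub with no secret material behind it, and is empty when the key sits in the on-disk keyring; the card-status records serial, forcepin, pinretry and sigcount are likewise taken from that document. Both samples are constructed, and the function names are mine.

```python
"""Audit whether a keyring copy would buy an attacker anything.

Added example, not part of the original thread.  Field semantics follow
GnuPG's doc/DETAILS for --with-colons output; both samples are constructed.
"""

# Constructed: `gpg --with-colons --list-secret-keys` for one card-backed
# key pair (primary + encryption subkey) and one on-disk key whose
# encryption subkey is a bare stub.
SECRET_LISTING = """\
sec:u:2048:1:0123456789ABCDEF:1178812800:::u:::scESC:::D2760001240102000005000012340000:::23::0:
fpr:::::::::0000000000000000000000000123456789ABCDEF:
ssb:u:2048:1:FEDCBA9876543210:1178812800::::::e:::D2760001240102000005000012340000:::23:
fpr:::::::::0000000000000000000000000FEDCBA9876543210:
sec:u:2048:1:1111111111111111:1178812800:::u:::scESC::::::23::0:
fpr:::::::::0000000000000000000000001111111111111111:
ssb:u:2048:1:2222222222222222:1178812800::::::e:::#:::23:
"""

# Constructed: `gpg --card-status --with-colons` for the inserted card.
# forcepin=1 means the card demands the PIN for every signature, which is
# the "one operation at a time" property the first poster asked for.
CARD_STATUS = """\
reader:Generic Smart Card Reader 00 00:
version:0200:
vendor:0005:ZeitControl:
serial:D2760001240102000005000012340000:
forcepin:1:::
keyattr:1:1:2048:
maxpinlen:32:32:32:
pinretry:3:0:3:
sigcount:17:::
"""


def parse_colon_records(text):
    """Split --with-colons output into one list of fields per record."""
    return [line.split(":") for line in text.splitlines() if line.strip()]


def classify_secret_keys(listing):
    """Map each sec/ssb key ID to 'disk', 'stub' or 'card:<serial>'."""
    where = {}
    for rec in parse_colon_records(listing):
        if rec[0] not in ("sec", "ssb"):
            continue
        keyid = rec[4]
        token = rec[14] if len(rec) > 14 else ""   # field 15: S/N of token
        if token == "#":
            where[keyid] = "stub"                   # no secret material, no card
        elif token in ("", "+"):
            where[keyid] = "disk"                   # private key in the keyring
        else:
            where[keyid] = "card:" + token          # private key on a token
    return where


def card_policy(status):
    """Pull the card-status records that matter for this threat model."""
    policy = {"serial": None, "forcepin": False, "sigcount": 0, "pinretry": None}
    for rec in parse_colon_records(status):
        if rec[0] == "serial":
            policy["serial"] = rec[1]
        elif rec[0] == "forcepin":
            policy["forcepin"] = rec[1] == "1"
        elif rec[0] == "sigcount":
            policy["sigcount"] = int(rec[1])
        elif rec[0] == "pinretry":
            policy["pinretry"] = tuple(int(x) for x in rec[1:4])
    return policy


def audit(listing, status, last_sigcount=0):
    """Report which keys a keyring copy + keylogged passphrase would expose,
    whether the card limits the attacker to one signature per PIN entry,
    and how many signatures the card has made since the owner last looked."""
    keys = classify_secret_keys(listing)
    card = card_policy(status)
    findings = []
    for keyid, where in keys.items():
        if where == "disk":
            findings.append(f"{keyid}: secret key on disk; keyring copy + passphrase suffices")
        elif where == "stub":
            findings.append(f"{keyid}: stub with no card serial; unusable from this box")
        else:
            serial = where.split(":", 1)[1]
            if serial != card["serial"]:
                findings.append(f"{keyid}: stub for card {serial}, inserted card is {card['serial']}")
    if card["serial"] and not card["forcepin"]:
        findings.append("card caches the signature PIN: many signatures per PIN entry")
    return {
        "keys": keys,
        "card": card,
        "new_signatures": card["sigcount"] - last_sigcount,
        "findings": findings,
    }


if __name__ == "__main__":
    result = audit(SECRET_LISTING, CARD_STATUS, last_sigcount=15)
    for line in result["findings"]:
        print(line)
    print("signatures since last check:", result["new_signatures"])
```

The signature counter is the piece that actually gives the detection the first poster wanted: with forcepin set, every signature costs a PIN entry, and sigcount tells the owner how many the card has made, so a number larger than what they remember signing is the "one hit" they would notice. A stub with no serial or a serial that does not match the inserted card is the opposite failure, the key cannot be used on this box at all.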

More information about the Gnupg-users mailing list