Old PC as Hardware Security Module?

Sven Radde email at sven-radde.de
Mon May 14 19:24:04 CEST 2007


Robert J. Hansen wrote:
>> How do they work?
> 
> A (very) small display to show the hash that's being signed and an  
> integrated PINpad.

Pointless given the attack scenario (PC subverted with a trojan to
specifically attack GnuPG and its smartcard), unless you can calculate
SHA-1 values in your head...

What do you make of the information that you are going to sign data that
has a hash value of 0xDEADBEEF?
It could be the hash of "Robert J. Hansen owes Sven Radde 10.000$"...

To avoid this, the card reader would have to display the actual data
that is to be signed and the card would have to calculate the hash by
itself. However, if you want to sign more than, say, a few hundred
characters this becomes rather useless.

cu, Sven
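
Added example, not part of the original post: a small Python model of the two reader designs discussed above, showing why a hash shown on the reader gives the user nothing to check while a reader that displays the data and hashes it itself does. The function names, the 300-byte display limit and the "intended" sample text are assumptions made for illustration.

```python
import hashlib

DISPLAY_LIMIT = 300  # assumed display capacity in bytes ("a few hundred characters")

def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()

def hash_display_session(intended: bytes, sent_by_host: bytes):
    """Reader with hash display: the host hashes, the reader shows the digest.

    Returns (user_approves, digest_the_card_would_sign).
    """
    digest_sent = sha1_hex(sent_by_host)   # computed on the untrusted PC
    reader_shows = digest_sent             # trusted display, untrusted input
    pc_screen_shows = digest_sent          # PC screen is driven by the same host
    # The user cannot derive sha1(intended) mentally, so the only comparison
    # available is reader vs. PC screen, and both values come from the host.
    user_approves = reader_shows == pc_screen_shows
    return user_approves, digest_sent

def data_display_session(intended: bytes, sent_by_host: bytes):
    """Reader with data display: the reader shows the data and hashes it itself."""
    if len(sent_by_host) > DISPLAY_LIMIT:
        raise ValueError("data does not fit on the reader display")
    reader_shows = sent_by_host            # the user reads the actual text
    user_approves = reader_shows == intended
    digest = sha1_hex(sent_by_host) if user_approves else None
    return user_approves, digest

if __name__ == "__main__":
    intended = b"Lunch order: two sandwiches"               # constructed sample
    swapped = b"Robert J. Hansen owes Sven Radde 10.000$"   # text from the post
    print(hash_display_session(intended, swapped))   # approved, wrong digest
    print(data_display_session(intended, swapped))   # rejected
    print(data_display_session(intended, intended))  # approved, right digest
```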



