Old PC as Hardware Security Module?

Werner Koch wk at gnupg.org
Mon May 14 20:57:25 CEST 2007

On Mon, 14 May 2007 16:15, groups at caseyljones.net said:

> Why doesn't it make sense? The chip's security features make it fairly 
> secure. But having the keys encrypted on the card would make it highly 
> secure. As long as the passphrase hadn't been captured, like after being 

No, you are required to remember a long passphrase and use it all the
time.  The advantage of a PIN is that it is easy to remember (well, even
the 6 digits are too many for many people).  Security is tradeoff here
between usability and semi-paranoia.

If on the other side you really have these strong security demands, you
need to define your whole working process very tightly.  The smart card
will be just a very small piece of the whole story.

> Can the person who loads the software onto the cards be given orders by 
> the German court?

No, that is ridiculous.  The vendor does not know who will buy the card
and no court is able to a demand that all cards are to be bugged.  Well,
there are some politicans who try to change our political system in this
regard to be simialr to the one they bought out 17 year ago.  But that
is another story and our supreme court won't let such laws pass.

>> JAP has not been backdoored but the organisations running a JAP server
>> have the ability to log the IP addresses.
> OK, not backdoored, just compromised.

They say, it is by design.  JAP is definitely not managened by people
with a strong view on civil rights.  But well, there is TOR.

> According to this article
> http://www.theregister.co.uk/2003/08/21/net_anonymity_service_backdoored/
> it was mandated by the courts.

IIRC, the prosecution office asked for the data and not a court.  For
whatever reasons the JAP folks at the Dresden university decided that
they want to help them.  There was no actual need.  I recall a private
conversation with the resonsible professor where he told me: yes, I am
in favor of anonymity but there needs to be a limit; child porn is
enough of a reason to help the prosecution office.

>> That is basically the same as with a TOR server: It is
>> possible to log things to help the prosecution but no sane person wouild
>> do this.
> Are the authors of the Java Anonymous Proxy not sane? If they would do 
> it, why not ZeitControl?

Indeed, adding a logging feature and using it for more than debugging is
IMHO insane.  Regarding the Zeitcontrol OS used by the card: I have no
idea whether they log things.  But I have enough reasons to believe they
don't: Where should it be saved, what subliminal channels are they using
and how would they make money with such a feature. 

Have you also asked the card reader vendors whether they have a
backdoor?  Or the firmware of your old PC, or....?

> What will you do if the court orders you to turn on logging, hand over 
> the logs, and keep it secret?

I would shutdown the service of course. 

But they can't demand that.  This is a service designed for routing
packets in the Internet and as such explicitly excluded by the
wiretapping laws.



More information about the Gnupg-users mailing list