Several questions about SmartCards
alon.barlev at gmail.com
Mon May 28 19:42:38 CEST 2007
You can review the optional PKCS#11 support.
On 5/28/07, Jim Berland <berland at gmail.com> wrote:
> Hi everybody,
> I tried to research most of my questions concerning the use of
> smartcards, but I have a few things that I want to make sure.
> _About smart cards:_
> I understand that OpenPGP is a smart card specification that is not
> very common among smart cards, so I should stick with the ones from
> kernel concepts. It is similar with the card readers.
> Is it correct that this limitation changed with GnuPG 2? I read that I
> could use other cards now, but it wasn't clear enough (for me) which
> ones those are. It's about PGP/MIME that is making it possible to use
> other cards or something.
> What would be the benefits of non-OpenPGP cards? Longer Keys? Different keys?
> _About card readers:_
> Did I understand it correctly that card readers with a pin-pad don't
> add extra security when used with GPG? I read that the benefit of the
> pin-pad readers used with some applications is that the PIN never
> reaches the computer and thus cannot be sniffed. Used with GPG this
> doesn't apply though. Or is a pin-pad card reader used with GPG(2)
> still a possible counter-measure to a keylogger attack?
> Now assuming that pin-pad card readers don't add extra security, isn't
> the number-only passphrase that you would use with them even riskier
> than a simple card reader and a good passphrase?
> Could I buy pin-pad readers, but ignore the pin-pad and use them like
> simple card readers?
> To make life not too hard for our people I would like to either have
> long passphrase caching times with the gpg-agent (thinking of 4 hours)
> or have them enter a shorter PIN on the key-pad each time it's needed.
> Which solution would you prefer?
> I guess you are now going to ask me what the threat model is and I'm
> afraid that I can't give a perfectly precise answer. Anyhow, the
> computers are running MS Windows and are networked. I can definitely
> see people opening email attachments to let a virus or whatever
> strike. For that reason I liked the pin-pad readers, if they did what
> they promise. The smart cards might be stored in a company safe or
> actually taken home by everybody. I don't know yet. Storing the cards
> that are only to be used as an employee of the company at the company
> sounds reasonable to me, and considering who has access to the safe a
> short PIN would (in my opinion) still be good enough. Please don't get
> caught up trying to get this threat model perfectly right, but rather
> concentrate on the other questions. I can figure this out by myself, I
> _About other uses of the cards:_
> Doing something else with the smart cards other than using them for GPG
> is not important, but might be very interesting. For example, would it
> be possible to use it to authenticate for a Windows Remote Desktop
> _At last, a possible technical problem:_
> I read on the Microsoft website that it is possible to use smart cards
> (readers) in a Remote Desktop session. Does this apply for the OpenPGP
> card and an appropriate card reader? This is a requirement, because
> all the work is done on a terminal server. The employees' computers
> are complete computers and not thin clients, although they don't do
> more than a thin client would, I think.
> Thank you very much for your help