GPF Crypto Stick vs OpenPGP Card

[Grant Olson]

On 12/6/10 2:21 PM, Marcio B. Jr. wrote:
> Hello,
> sorry for this insistence. I just want to get it clearly.
> 
> So, you mean those devices certainly protect information better than a
> regular computer (even if making proper use of disk encryption
> software)?
> 

Yes.  Ultimately a malicious user with 'root' access can compromise any
software solution.  Maybe that means downloading your keys and mounting
an offline attack.  Maybe that means downloading your keys and
installing a keylogger to get your passphrase.  Or finding your
unencrypted key that's been cached by gpg-agent in system memory.  Full
Disk Encryption doesn't provide protection there when your system is up
and running, it only helps when someone steals your laptop, or tries to
access the system while it's powered down.

By moving the keys to a dedicated hardware device, it creates a
partition between your (possibly compromised) computer's OS and and the
device.  The key information never gets loaded into the OS and is opaque
to the system.  So now a malicious user would need to 'root' your card,
or card reader, which would probably involve something like trying to
access or change the physical chips on the device, and is much much
harder than installing a root-kit, or creating a virus, or developing
some other malicious software.

That's also why people are talking about readers with pin-pads.  That
prevents someone from installing a general-purpose keyboard sniffer to
get your pin, stealing your physical token, and having the two pieces of
info they need to use your keys.


-- 
Grant

"I am gravely disappointed. Again you have made me unleash my dogs of war."

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 559 bytes
Desc: OpenPGP digital signature
URL: </pipermail/attachments/20101206/c43652ce/attachment-0001.pgp>