How secure are smartcards?

Hubert Kario hka at qbs.com.pl
Sun Jul 24 23:37:07 CEST 2011


On Sunday 24 of July 2011 22:14:31 Mike Cardwell wrote:
> Hi,
> 
> I just ordered an OpenPGP smartcard from Kernel Concepts as per
> http://www.g10code.com/p-card.html
> 
> Does anyone else have one of these?
> 
> At the moment, my secret key is stored on my hard drive and is encrypted
> by a long passphrase. When I transfer my subkeys to the smartcard, will
> they actually be encrypted whilst they're on there?
> 
> I understand that you have to enter a PIN between 6 and 32 characters in
> length in order to perform crypto operations on the card via the
> smartcard interface, but I'm just wondering if somebody with sufficient
> skills could read the data off the smartcard chipset by looking directly
> at the circuitry?
> 
> Are the keys on the smartcard perhaps encrypted with the access PIN?
> That still wouldn't be perfect, definitely easier to bruteforce than a
> long passphrase, but it would be better than nothing...

It probably depends on the card's chipset. 

On the other hand, to connect to the chipset memory bus to read it you'd need 
diamond saws, very good microscopes, lots of cards for trying out the 
methodology and lots of time to do it. The hardware alone is in the realm of 
tens of thousands of dollars. Not to mention that you have only one try at 
it...

It's at the point that any real attacker would perform rubber hose 
cryptanalysis. Even before trying to break the card.

Regards,
-- 
Hubert Kario
QBS - Quality Business Software
02-656 Warszawa, ul. Ksawerów 30/85
tel. +48 (22) 646-61-51, 646-74-24
www.qbs.com.pl