How secure are smartcards?

Olav Seyfarth olav at enigmail.net
Mon Jul 25 12:05:01 CEST 2011


-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

Hi Mike,

> I just ordered an OpenPGP smartcard from Kernel Concepts as per 
> http://www.g10code.com/p-card.html Does anyone else have one of these?

yes, I use these cards for several years now. This Email is signed by one.

> At the moment, my secret key is stored on my hard drive and is encrypted by a
> long passphrase. When I transfer my subkeys to the smartcard, will they
> actually be encrypted whilst they're on there?

The overall security of a crypto system often isn't defined by the strength of
the crypto algo or the possibilities for a forensic analysis of the hardware.
In that sense, it is less important how secure the card itself is (taken that
as Hubert already stated the efforts that need to be taken to scratch info off
the circuit is high opposed to other attack vectors) but how it is used. So I
focus on another security aspect here:

One key advantage of a card is that the private keys does not need to be
accessible to the computer itself at any time if it is generated on-card. That
way, you know for sure, that *only* you hold the private key as long as you
physically own the card. The knowledge of "that no copy of it has been made"
is important.

I did so but unfortunately my (old) card broke. So I was busted. To avoid that
in the future, I now generated my new key for usage in the card on an offline
system (e.g. Live-CD in RAM disk) and copied it on an old small memony card (to
allow to easily decrypt by importing the whole key to my keyring after revoking
it) which I encrypted differently and physically locked securely. I imported
the key to 2 SmartCards while also locking one away as easy backup and another
one for daily use. After shutting down the offline system, only the one card is
used with computers connected to the net. If this one is lost or stolen, I'd
revoke the key (with a rev cert that I also generated separately).

Olav
- -- 
The Enigmail Project - OpenPGP Email Security For Mozilla Applications
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (MingW32)
Comment: Dies ist eine elektronische Signatur - http://enigmail.mozdev.org/

iQGcBAEBAwAGBQJOLT/KAAoJEKGX32tq4e9WV48L+gN6bLDexmqjL178/GVmHPH7
GYQ7Uh9/oDhEaVQLR5XNBG/KrunvvfksMYWu4uYhk7l6xJkknp/kk9kzrjLFrutS
36cexAUtvS/+wWrRAdEOqtliH2++G4msewfZHqeRK/yvH/Sy5oSP4HGxeeAtS/dZ
cUjO7ah6ZVzQDw89qbju6dpz1yHmDGzxKjxD6QZ/EX+hz1plhVdxElTIIugQ3j9b
89rYeoNHB5nADZI+gfnGumELdHyFwHmXLW20dE/4RN2AjCTI0qOCq8hKCYM23sPD
DiGI0s4bTCH6WcPI1sHGFf/Se4QFK2esiAYfCVEI+WeiTkYit0cgqkWRiSD0eDE6
6ptkgxxsxtOlUmizag/VdnzfC+Tw/P8FYAxJ5RzIK5CFJnpxerLURaHSfGee6CN4
DfUeTWl6KDl7/RVxm+MJhid2Z893WsZhXLHDsD++dJur7x/nSzOq8hslwdQ1/DNc
QN+5y4oEMJ9yRipfEvaMioZsC0ebxF91BUIUIIe/ww==
=H/Np
-----END PGP SIGNATURE-----



More information about the Gnupg-users mailing list