Smartcard With Pin Pad Better Security?

Hauke Laging mailinglisten at hauke-laging.de
Sun Oct 14 14:02:07 CEST 2012


On Sat 13.10.2012, 20:14:41, Jonathan wrote:
> as long as my pinpad is not
> compromised I should be golden right?

Depends on your definition of "golden right". :-)

Even a smartcard PIN pad combination can be abused, not as easily though. 
After you have entered the PIN an attacker controlling your system can decrypt 
as much data as he likes and perhaps (depending on the card configuration) 
even sign as much as he likes. Until you pull out the card (reader).

Even the single signature can be abused (you don't control what data gets 
signed).

Thus a smartcard does not offer more security by itself than a secure system 
(offline hardware booting from a safe medium). Reaching the paranoia level: It 
is possible to extract a key from a smartcard. It is quite expensive and 
requires certain skills though. Recovering a key which is protected by a 
sufficient passphrase can be considered impossible.


> All the pin pads I've seen don't have many possible buttons it looks like
> all numbers. Even with a strong password it seems it would be easy if
> I could only use pin of 0-9 right? Couldn't that be brute forced quick
> assuming they could get my smartcard?

From a software perspective that is correct (though you could use a longer 
number). But this scenario is not governed by software rules but by hardware 
rules: The smartcard does not allow you enough tries. It "destroys" itself 
after a few.


Hauke
-- 
☺
PGP: D44C 6A5B 71B0 427C CED3 025C BD7D 6D27 ECCB 5814
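
Added example, not part of the original message and not GnuPG code: a small check of the two card settings the reply depends on, the forced signature PIN and the PIN retry counters, as printed by `gpg --card-status`. The status text is a constructed sample, and the baseline of 3 tries and the helper names are assumptions.

```python
# Constructed sample of `gpg --card-status` output (not from a real card).
SAMPLE_STATUS = """\
Application ID ...: D2760001240102000000000000010000
Signature PIN ....: not forced
Max. PIN lengths .: 32 32 32
PIN retry counter : 3 0 3
Signature counter : 17
"""

def parse_card_status(text):
    """Map each 'Label ....: value' line to {label: value}."""
    fields = {}
    for line in text.splitlines():
        label, sep, value = line.partition(":")
        if sep:
            fields[label.rstrip(" .")] = value.strip()
    return fields

def audit(fields, expected_tries=3):
    """Return findings for the two settings the message relies on.

    expected_tries is an assumption (the usual default); adjust per card.
    """
    findings = []
    if fields.get("Signature PIN") != "forced":
        findings.append("signature PIN not forced: one PIN entry "
                        "authorises any number of signatures")
    counters = fields.get("PIN retry counter", "").split()
    if len(counters) != 3 or not all(c.isdigit() for c in counters):
        findings.append("PIN retry counter missing or unparseable")
        return findings
    user, _reset, admin = map(int, counters)  # user PIN, reset code, admin PIN
    for name, left in (("user", user), ("admin", admin)):
        if left == 0:
            findings.append(f"{name} PIN blocked")
        elif left < expected_tries:
            findings.append(f"{name} PIN: {left} tries left, "
                            "wrong PINs were entered since the last success")
    return findings

def guess_probability(tries, digits):
    """Chance that `tries` distinct guesses hit a uniformly random numeric PIN."""
    return min(1.0, tries / 10 ** digits)

if __name__ == "__main__":
    for finding in audit(parse_card_status(SAMPLE_STATUS)):
        print("FINDING:", finding)
    print("3 tries vs 6-digit PIN:", guess_probability(3, 6))
```

With the sample above the only finding is the unforced signature PIN; the retry counters show why a numeric PIN is not brute-forced on the card itself.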