More secure than smartcard or cryptostick against remote attacks?
Robert J. Hansen
rjh at sixdemonbag.org
Thu Feb 7 16:02:41 CET 2013
On 02/07/2013 09:26 AM, Hubert Kario wrote:
> Honestly, I'd probably fall victim to such an attack, and IMNSHO I'm
> a bit more knowledgeable about crypto and security than regular users
> of GPG.
Yes -- I'm a fair bit more knowledgeable about these things than most,
and as my story of the smartcard reader shows, I may have *already
fallen victim* to this sort of thing. (Or the reader could just be
buggy. Or maybe I'm trying to exploit someone using an SCM card reader
on a Fedora 18 box and I'm planting seeds to make them think their
system is buggy and their reader won't work, so go ahead and fall back
to cardless usage. Who knows? It could be any of those. I suspect
it's just buggy.)
Admittedly, in the case of a buggy-or-compromised smartcard reader the
attacker isn't looking to compromise the private key on the smartcard:
the attacker is trying to get me to fall back to my alternate keys which
are on my desktop. The principle still stands, though. Cards and
pinpads are great at protecting private keys from being exported off the
smartcard, but that's not the same as preventing exploits.