More secure than smartcard or cryptostick against remote attacks?

Niels Laukens niels at dest-unreach.be
Fri Feb 8 10:55:20 CET 2013


On 2013-02-08 10:48, Peter Lebbing wrote:
> On 08/02/13 03:12, Josef Schneider wrote:
>> With GnuPG on the other hand someone who has access to my PC can sign
>> whatever he likes and sign as much as he likes, as long as my card
>> reader is attached
> 
> Just so you know, the OpenPGP card has a "forcesig", force signature PIN, flag
> which you can set so you have to enter the PIN for every individual signature.
> Unfortunately (IMHO), there's no such flag for decryption and authentication,
> which can be done multiple times with one PIN entry.

I'm no expert, but isn't that only useful if you have a card-reader with
pin-entry? If you use your compromised PC to enter your PIN, the malware
can just replay that PIN to the card.

Niels

More information about the Gnupg-users mailing list