Subject: openpgp card and basiccard RNG

NdK ndk.clanbo at gmail.com
Fri Feb 14 06:42:03 CET 2014


Il 13/02/2014 23:20, Werner Koch ha scritto:

[JavaCards]
> I am not interested in those small applications on the smartcard as long
> as I can't scrutinize the real code, i.e. the OS.  Whether those
> applications are written for a p-code system (JavaCard, BasicCard) or
> for the native CPU doesn't change anything in the equation.
Then where would you stop analyzing?
If you look at the OS code, there could be a backdoor in the CPU
microcode. Or in the chip firmware uploader (is there an HV programming
mode available? was it disabled or physically removed from the die?).

And these are just the most obvious. The best we can do is trust the
manufacturer and read the fine print on the datasheets. It will be more
secure than a sw only implementation that runs on a connected PC.

ByTE,
 Diego



More information about the Gnupg-users mailing list