USB key form-factor smart-card readers with pinpads?

Werner Koch wk at gnupg.org
Mon Jan 6 10:34:06 CET 2014


On Sun,  5 Jan 2014 16:18, sam.kuper at uclmail.net said:

>> The question is whether this is really helpful.  Yes, it protects your
>> PIN but it does not protect the use of your decryption key.
>
> Please could you elaborate?

To make use of the decryption key the smartcard first requires that a
VERIFY command is sent to the card.  This is what asks for the PIN.
After a successful verification of the PIN the card allows the use of
the PSO Decrypt command until a power down or a reset operation.  Thus
an attacking malware only needs to trick you into decrypting an arbitrary
message and is then free to use the smartcard without having the reader
ask you again for a PIN.

For the signature key we have this "forcesig" command which switches the
card into a mode which requires a VERIFY command before each PSO Sign
command.  There is also the signature counter to tell you how often the
signature key has been used.

But for the other two keys we don't have such features.


Shalom-Salam,

   Werner

-- 
Thoughts are free.  Exceptions are regulated by a federal law.
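
A simplified model of the card behaviour described in the message above, as an added example that is not part of the original post and is not GnuPG or card firmware code. The class, the PIN value and the session sequence are constructed for illustration, and wrong-PIN retry counting is left out.

```python
SW_OK, SW_DENIED = 0x9000, 0x6982      # success / security status not satisfied
MODE_SIGN, MODE_DECRYPT = 0x81, 0x82   # VERIFY P2 values for the user PIN (PW1)

class CardModel:
    """Hypothetical model of the PIN verification state, not a real card API."""
    def __init__(self, pin, forcesig):
        self._pin, self.forcesig = pin, forcesig
        self.sig_counter = 0
        self.reset()

    def reset(self):
        # Power down or reset clears every verification flag.
        self._verified = {MODE_SIGN: False, MODE_DECRYPT: False}

    def verify(self, mode, pin):
        # Simplified: a real card also keeps a PIN retry counter.
        self._verified[mode] = (pin == self._pin)
        return SW_OK if self._verified[mode] else SW_DENIED

    def pso_decrypt(self):
        # No per-operation check: the flag stays set until reset().
        return SW_OK if self._verified[MODE_DECRYPT] else SW_DENIED

    def pso_sign(self):
        if not self._verified[MODE_SIGN]:
            return SW_DENIED
        self.sig_counter += 1
        if self.forcesig:
            self._verified[MODE_SIGN] = False  # next signature needs a new VERIFY
        return SW_OK

def session(forcesig):
    card = CardModel(pin="123456", forcesig=forcesig)  # constructed PIN
    log = [("decrypt before VERIFY", card.pso_decrypt())]
    card.verify(MODE_DECRYPT, "123456")   # the single PIN entry on the pinpad
    log.append(("decrypt requested by user", card.pso_decrypt()))
    log.append(("second decrypt, no PIN prompt", card.pso_decrypt()))
    card.verify(MODE_SIGN, "123456")
    log.append(("first signature", card.pso_sign()))
    log.append(("second signature, no new VERIFY", card.pso_sign()))
    card.reset()
    log.append(("decrypt after reset", card.pso_decrypt()))
    return log, card.sig_counter

if __name__ == "__main__":
    for forced in (False, True):
        events, count = session(forced)
        print(f"forcesig={forced} signature counter={count}")
        for label, sw in events:
            print(f"  {label}: {sw:#06x}")
```

With forcesig enabled the second signature is refused and the counter reads 1, while the second decryption succeeds in both runs, which is the gap the message points out for the other two keys.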



