USB key form-factor smart-card readers with pinpads?

NdK ndk.clanbo at
Mon Jan 6 13:16:09 CET 2014

Il 06/01/2014 10:34, Werner Koch ha scritto:

> To make use of the decryption key the smartcard first requires that a
> VERIFY command is send to the card.  This is what asks for the PIN.
> After a successful verification of the PIN the card allows the use of
> the PSO Decrypt command until a power down or a reset operation.  Thus
> an attacking malware only needs to trick you info decrypt an arbitrary
> message and is then free to use the smartcard without having the reader
> ask you again for a PIN.
Is it just convenience or enforcing it (e.g. adding a "forcedecauth"
flag) would lead to usability issues (maybe because sometimes decryption
is called many times in sequence)? That would be the case for auth key,
I think: using it to auth against a web page would ask auth for every
sub-request of objects on the page.


More information about the Gnupg-users mailing list