USB key form-factor smart-card readers with pinpads?
ndk.clanbo at gmail.com
Mon Jan 6 13:16:09 CET 2014
On 06/01/2014 10:34, Werner Koch wrote:
> To make use of the decryption key the smartcard first requires that a
> VERIFY command is sent to the card. This is what asks for the PIN.
> After a successful verification of the PIN the card allows the use of
> the PSO Decrypt command until a power down or a reset operation. Thus
> an attacking malware only needs to trick you into decrypting an arbitrary
> message and is then free to use the smartcard without having the reader
> ask you again for a PIN.
Is it just convenience, or would enforcing it (e.g. adding a "forcedecauth"
flag) lead to usability issues (maybe because sometimes decryption
is called many times in sequence)? That would be the case for the auth key,
I think: using it to auth against a web page would ask for auth for every
sub-request of objects on the page.
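
Added example, not part of the original message or of GnuPG: a Python model of the card-side access state described in the quoted text, comparing PIN prompts and unprompted key use with and without a per-operation PIN requirement. `ModelCard`, the sample PIN and the `forcedecauth` behaviour (the hypothetical flag from the question) are assumptions; the two APDU headers are those of the OpenPGP card VERIFY (PW1, mode 82) and PSO: DECIPHER commands.

```python
import hmac

SW_OK, SW_DENIED = 0x9000, 0x6982   # ISO 7816-4: success / security status not satisfied
VERIFY_PW1_82 = bytes.fromhex("00200082")   # VERIFY, PW1 mode 82 (decrypt/auth)
PSO_DECIPHER = bytes.fromhex("002A8086")    # PSO: DECIPHER
PIN = b"123456"                             # constructed sample PIN

def apdu(header, data):
    return header + bytes([len(data)]) + data   # short APDU: CLA INS P1 P2 Lc data

class ModelCard:
    """Card-side access state only; no cryptography, no retry counter."""
    def __init__(self, pin, forcedecauth=False):
        self._pin = pin
        self.forcedecauth = forcedecauth   # hypothetical flag from the question
        self._verified = False             # volatile, cleared by reset/power down

    def reset(self):
        self._verified = False

    def send(self, cmd):
        header, data = cmd[:4], cmd[5:5 + cmd[4]]
        if header == VERIFY_PW1_82:
            self._verified = hmac.compare_digest(data, self._pin)
            return SW_OK if self._verified else SW_DENIED
        if header == PSO_DECIPHER:
            if not self._verified:
                return SW_DENIED
            if self.forcedecauth:
                self._verified = False     # one operation per PIN entry
            return SW_OK
        return 0x6D00                      # instruction not supported

def pin_prompts(card, n_ops):
    """Legitimate host: prompt for the PIN only when the card refuses."""
    prompts = 0
    for _ in range(n_ops):
        if card.send(apdu(PSO_DECIPHER, b"ct")) == SW_DENIED:
            prompts += 1
            card.send(apdu(VERIFY_PW1_82, PIN))
            card.send(apdu(PSO_DECIPHER, b"ct"))
    return prompts

def unprompted_uses(card, n_ops, reset_first=False):
    """After one user-approved decryption, count later decipher commands
    the card accepts with no further VERIFY."""
    pin_prompts(card, 1)
    if reset_first:
        card.reset()
    return sum(card.send(apdu(PSO_DECIPHER, b"ct")) == SW_OK for _ in range(n_ops))
```

With 20 operations in sequence the model gives one prompt today and 20 with the per-operation flag, which is the usability cost the question raises.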