USB key form-factor smart-card readers with pinpads?

Werner Koch wk at gnupg.org
Tue Jan 7 17:27:51 CET 2014


On Tue,  7 Jan 2014 16:28, sam.kuper at uclmail.net said:

> "PSO:DEC" but does not define it. That document also mentions
> "PSO:DECRYPT" but does not define it. And finally, that document
> defines "PSO: DECIPHER". Are these three terms synonyms, or do they

I guess so.

> 2. I assume that your "PSO Decrypt" means the same as "PSO:Decrypt" in
> the specification document mentioned above. Is this assumption
> correct?

Yep.

> 3. When you say, "a power down or a reset operation", do you mean (a)
> "the card is powered down or reset", or (b) "the host computer is
> powered down or reset", or (c) something else?

With "power down" I mean that you remove power from the card.  Thus the
next time you access the card it will do a cold start.

By reset I mean a couple of commands.  For example selecting a different
application or selecting again the OpenPGP app should reset the card
state.  But you better check the specs.

>> an attacking malware only needs to trick you [into decrypting] an arbitrary
>> message and is then free to use the smartcard without having the reader
>> ask you again for a PIN.
>
> That is somewhat disappointing to me, although perhaps that is because
> my knowledge is limited and I am simply unaware of a good reason for
> this behaviour.

Without that you won't like to read a bunch of encrypted mails.

> the card from the reader, or both), would cause subsequent malicious
> attempts to call PSO Decrypt, to result in failure (at least until the

Right.  Most likely the PIN retry counter goes down until the card
is locked.  Thus attacking malware may easily DoS your card - however
malware is commonly not interested in getting noticed by the user.  I
heard that some pinpad equipped readers have filters for the VERIFY
command so that the HOST may not issue a plain VERIFY command to bypass
the pinpad.

> I can't find the string "PSO Sign" in [1]. Are you using it
> synonymously with "PSO: COMPUTE DIGITAL SIGNATURE" (and/or "PSO:CDS")?

Yep.  Apologies for my non-standard compliant terms.

> I can't find the string "forcesig" in [1]. Please can you tell me
> where it is documented?

See the card HOWTO or try gpg --card-edit, admin, help.


Salam-Shalom,

   Werner

-- 
Thoughts are free.  Exceptions are regulated by a federal law.
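
The card behaviour discussed in the message above, as an added toy model in Python. It is not code from the original post, from GnuPG, or from the card specification. The class and method names are hypothetical, and the VERIFY modes 0x81/0x82 and the retry limit of 3 are assumptions based on the OpenPGP card specification.

```python
# Toy model of the PW1 access state discussed above. Constructed for
# illustration: class/method names are hypothetical, and a real card is
# driven through APDUs. Modes and retry limit are assumed from the spec.
VERIFY_SIGN, VERIFY_OTHER = 0x81, 0x82   # PW1 for PSO:CDS / for PSO:DECIPHER
MAX_RETRIES = 3

class CardModel:
    def __init__(self, pin, forcesig=False):
        self._pin = pin
        self.forcesig = forcesig         # flag toggled via gpg --card-edit
        self.retries = MAX_RETRIES       # PIN retry counter
        self.verified = set()            # modes currently unlocked

    def reset(self):
        """Power down or application (re)select: access state is lost."""
        self.verified.clear()

    def verify(self, mode, pin):
        if mode not in (VERIFY_SIGN, VERIFY_OTHER) or self.retries == 0:
            return False                 # unknown mode, or card locked
        if pin != self._pin:
            self.retries -= 1            # wrong PIN burns one retry
            return False
        self.retries = MAX_RETRIES
        self.verified.add(mode)
        return True

    def pso_decipher(self):
        return VERIFY_OTHER in self.verified   # stays unlocked until reset

    def pso_cds(self):
        ok = VERIFY_SIGN in self.verified
        if self.forcesig:
            self.verified.discard(VERIFY_SIGN)  # one signature per PIN entry
        return ok

def demo():
    card = CardModel("123456", forcesig=True)   # constructed sample PIN
    card.verify(VERIFY_OTHER, "123456")          # user reads one mail
    card.verify(VERIFY_SIGN, "123456")           # user signs one mail
    out = {"decipher": [card.pso_decipher() for _ in range(3)],
           "sign": [card.pso_cds(), card.pso_cds()]}
    card.reset()
    out["decipher_after_reset"] = card.pso_decipher()
    for _ in range(MAX_RETRIES):                 # repeated wrong PINs
        card.verify(VERIFY_OTHER, "000000")
    out["locked"] = not card.verify(VERIFY_OTHER, "123456")
    return out

if __name__ == "__main__":
    print(demo())
```

With forcesig set, the second signature is refused until the PIN is entered again, while decryption stays unlocked until the card is reset.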



