USB key form-factor smart-card readers with pinpads?

[Sam Kuper]

On Jan 9, 2014 7:16 PM, "David Tomaschik" <david at systemoverlord.com> wrote:
>
> if the machine you are using for crypto operations is compromised, you have lost (at least for the operations conducted while it is compromised)

Perhaps I'm wrong, but I don't entirely accept this. Surely if you are
signing with a key stored in an OpenPGP card being used via a
pinpad-protected reader, then - because the malware will not learn the
PIN - although the malware could potentially corrupt the message being
signed (or prevent it from being sent, etc), it could not do so in
such a way that a conscientious recipient already in possession of the
corresponding public key would mistake a tampered message for a
genuine signed message.

I would *guess* that there are additional operations that could be
performed, without disclosing secrets (e.g. PIN; raw private key), on
a compromised machine using a pinpad-protected reader. For instance,
generating new keys. (Although the existence and correctness of any
such generated keys would then have to be checked on a trusted machine
before being used in earnest, so there would not be much point in
using an untrusted machine for this task.)

> a smartcard without a PIN pad may compromise your pin (and allow arbitrary operations while the smartcard is protected) but still protects the key material itself.

Small comfort if the malware, knowing the PIN, can *use* that key
material every time the card is connected!

> Unless the malware has a history of all your previous email, an attacker still doesn't have the key to compromise your past email.

I believe an attacker who knows the PIN and is able to execute
commands on the machine to which the card is connected (via
pinpad-less reader) has similar capability to an attacker who has the
private key file and its passphrase. His/her ability to decrypt any
messages in his/her possession is limited only by the bandwidth of
his/her connection to the relevant machine, the resources available on
that machine, and the alertness of that machine's legitimate
operator(s). Similarly re: signing and authentication.

> The smartcard (without a PIN pad) also allows for use of a lower-entropy passphrase/PIN than Scenario 1 in the case of theft [...] (as the smartcard locks itself after some number of wrong pins).

True. (Equally true, incidentally, of a smart card being used *with* a
pinpad-enabled reader.)

Even so, this is a pretty small advantage, given that it would take me
only a second or two longer to type a passphrase a couple of dozen
characters long than it would for me to type a PW1 half a dozen
characters long.

And given that a USB flash drive is much more versatile than an
OpenPGP card, and can be as compact as a SIM card-sized OpenPGP card
(i.e. *without the reader*) and less expensive in total, it's arguable
that the overall advantages of such a flash drive outweigh the
convenience of a low-entropy PW1.

> Theft of a key stored on disk is vulnerable to offline attack, theft of a key on a smartcard is much harder to use (as the smartcard locks itself after some number of wrong pins).  (This ignores three-letter-agency attacks against the smartcard hardware to extract the key material from the EEPROM of the smart card itself, bypassing the card applet.)

Allow me to "unignore" them :-) I assume that any agency likely to
have a chance of extracting a raw key from a sensibly passphrase
protected GPG key file, is likely to have a chance of successfully
extracting a raw key from a smart card's EEPROM; and vice versa. I'd
hazard a guess that the EEPROM attack is more feasible, but since I
can only speculate blindly on the matter, I prefer not to assume that
either technology has an advantage over the other in this particular
respect.

Best regards,

Sam