USB key form-factor smart-card readers with pinpads?

David Tomaschik david at systemoverlord.com
Sat Jan 11 23:33:45 CET 2014 

On Sat, Jan 11, 2014 at 1:05 PM, Sam Kuper <sam.kuper at uclmail.net> wrote:

> On Jan 9, 2014 7:16 PM, "David Tomaschik" <david at systemoverlord.com>
> wrote:
> >
> > if the machine you are using for crypto operations is compromised, you
> have lost (at least for the operations conducted while it is compromised)
>
> Perhaps I'm wrong, but I don't entirely accept this. Surely if you are
> signing with a key stored in an OpenPGP card being used via a
> pinpad-protected reader, then - because the malware will not learn the
> PIN - although the malware could potentially corrupt the message being
> signed (or prevent it from being sent, etc), it could not do so in
> such a way that a conscientious recipient already in possession of the
> corresponding public key would mistake a tampered message for a
> genuine signed message.
>

Or replace the message with a message of its choosing?  It just needs to
wait for you to want to do a legitimate signature, swap out the plaintext,
and then it has signed data.


>
> I would *guess* that there are additional operations that could be
> performed, without disclosing secrets (e.g. PIN; raw private key), on
> a compromised machine using a pinpad-protected reader. For instance,
> generating new keys. (Although the existence and correctness of any
> such generated keys would then have to be checked on a trusted machine
> before being used in earnest, so there would not be much point in
> using an untrusted machine for this task.)
>
> > a smartcard without a PIN pad may compromise your pin (and allow
> arbitrary operations while the smartcard is protected) but still protects
> the key material itself.
>
> Small comfort if the malware, knowing the PIN, can *use* that key
> material every time the card is connected!
>

Don't use sensitive keys on machines with malware?  (Yes, I realize proving
a machine is malware free is essentially impossible.)


>
> > Unless the malware has a history of all your previous email, an attacker
> still doesn't have the key to compromise your past email.
>
> I believe an attacker who knows the PIN and is able to execute
> commands on the machine to which the card is connected (via
> pinpad-less reader) has similar capability to an attacker who has the
> private key file and its passphrase. His/her ability to decrypt any
> messages in his/her possession is limited only by the bandwidth of
> his/her connection to the relevant machine, the resources available on
> that machine, and the alertness of that machine's legitimate
> operator(s). Similarly re: signing and authentication.
>
> > The smartcard (without a PIN pad) also allows for use of a lower-entropy
> passphrase/PIN than Scenario 1 in the case of theft [...] (as the smartcard
> locks itself after some number of wrong pins).
>
> True. (Equally true, incidentally, of a smart card being used *with* a
> pinpad-enabled reader.)
>
>
Agreed, I was just arguing why a smartcard without a PIN pad still offers
some level of additional security.


> Even so, this is a pretty small advantage, given that it would take me
> only a second or two longer to type a passphrase a couple of dozen
> characters long than it would for me to type a PW1 half a dozen
> characters long.
>
> And given that a USB flash drive is much more versatile than an
> OpenPGP card, and can be as compact as a SIM card-sized OpenPGP card
> (i.e. *without the reader*) and less expensive in total, it's arguable
> that the overall advantages of such a flash drive outweigh the
> convenience of a low-entropy PW1.
>
> > Theft of a key stored on disk is vulnerable to offline attack, theft of
> a key on a smartcard is much harder to use (as the smartcard locks itself
> after some number of wrong pins).  (This ignores three-letter-agency
> attacks against the smartcard hardware to extract the key material from the
> EEPROM of the smart card itself, bypassing the card applet.)
>
> Allow me to "unignore" them :-) I assume that any agency likely to
> have a chance of extracting a raw key from a sensibly passphrase
> protected GPG key file, is likely to have a chance of successfully
> extracting a raw key from a smart card's EEPROM; and vice versa. I'd
> hazard a guess that the EEPROM attack is more feasible, but since I
> can only speculate blindly on the matter, I prefer not to assume that
> either technology has an advantage over the other in this particular
> respect.
>

You assume people choose good passphrases.  While that may be true for
readers of this list, that is not true of the general population.


>
> Best regards,
>
> Sam
>



-- 
David Tomaschik
OpenPGP: 0x5DEA789B
http://systemoverlord.com
david at systemoverlord.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: </pipermail/attachments/20140111/d25a352d/attachment-0001.html>

More information about the Gnupg-users mailing list