USB key form-factor smart-card readers with pinpads?
david at systemoverlord.com
Sat Jan 11 23:33:45 CET 2014
On Sat, Jan 11, 2014 at 1:05 PM, Sam Kuper <sam.kuper at uclmail.net> wrote:
> On Jan 9, 2014 7:16 PM, "David Tomaschik" <david at systemoverlord.com>
> > if the machine you are using for crypto operations is compromised, you
> > have lost (at least for the operations conducted while it is compromised)
> Perhaps I'm wrong, but I don't entirely accept this. Surely if you are
> signing with a key stored in an OpenPGP card being used via a
> pinpad-protected reader, then - because the malware will not learn the
> PIN - although the malware could potentially corrupt the message being
> signed (or prevent it from being sent, etc), it could not do so in
> such a way that a conscientious recipient already in possession of the
> corresponding public key would mistake a tampered message for a
> genuine signed message.
Or replace the message with a message of its choosing? It just needs to
wait for you to want to do a legitimate signature, swap out the plaintext,
and then it has signed data.
> I would *guess* that there are additional operations that could be
> performed, without disclosing secrets (e.g. PIN; raw private key), on
> a compromised machine using a pinpad-protected reader. For instance,
> generating new keys. (Although the existence and correctness of any
> such generated keys would then have to be checked on a trusted machine
> before being used in earnest, so there would not be much point in
> using an untrusted machine for this task.)
> > a smartcard without a PIN pad may compromise your pin (and allow
> > arbitrary operations while the smartcard is protected) but still protects
> > the key material itself.
> Small comfort if the malware, knowing the PIN, can *use* that key
> material every time the card is connected!
Don't use sensitive keys on machines with malware? (Yes, I realize proving
a machine is malware free is essentially impossible.)
> > Unless the malware has a history of all your previous email, an attacker
> > still doesn't have the key to compromise your past email.
> I believe an attacker who knows the PIN and is able to execute
> commands on the machine to which the card is connected (via
> pinpad-less reader) has similar capability to an attacker who has the
> private key file and its passphrase. His/her ability to decrypt any
> messages in his/her possession is limited only by the bandwidth of
> his/her connection to the relevant machine, the resources available on
> that machine, and the alertness of that machine's legitimate
> operator(s). Similarly re: signing and authentication.
> > The smartcard (without a PIN pad) also allows for use of a lower-entropy
> > passphrase/PIN than Scenario 1 in the case of theft [...] (as the smartcard
> > locks itself after some number of wrong pins).
> True. (Equally true, incidentally, of a smart card being used *with* a
> pinpad-enabled reader.)
Agreed, I was just arguing why a smartcard without a PIN pad still offers
some level of additional security.
> Even so, this is a pretty small advantage, given that it would take me
> only a second or two longer to type a passphrase a couple of dozen
> characters long than it would for me to type a PW1 half a dozen
> characters long.
> And given that a USB flash drive is much more versatile than an
> OpenPGP card, and can be as compact as a SIM card-sized OpenPGP card
> (i.e. *without the reader*) and less expensive in total, it's arguable
> that the overall advantages of such a flash drive outweigh the
> convenience of a low-entropy PW1.
> > Theft of a key stored on disk is vulnerable to offline attack, theft of
> > a key on a smartcard is much harder to use (as the smartcard locks itself
> > after some number of wrong pins). (This ignores three-letter-agency
> > attacks against the smartcard hardware to extract the key material from the
> > EEPROM of the smart card itself, bypassing the card applet.)
> Allow me to "unignore" them :-) I assume that any agency likely to
> have a chance of extracting a raw key from a sensibly passphrase
> protected GPG key file, is likely to have a chance of successfully
> extracting a raw key from a smart card's EEPROM; and vice versa. I'd
> hazard a guess that the EEPROM attack is more feasible, but since I
> can only speculate blindly on the matter, I prefer not to assume that
> either technology has an advantage over the other in this particular
You assume people choose good passphrases. While that may be true for
readers of this list, that is not true of the general population.
> Best regards,
david at systemoverlord.com