USB key form-factor smart-card readers with pinpads?

Mon Jan 13 10:38:04 CET 2014

On 12/01/14 00:18, Sam Kuper wrote:
> Again, perhaps I am wrong. But if I am not, then the use of OpenPGP
> cards with non-pinpad readers still makes no sense (at least, not to
> me).

Since most readers don't filter VERIFY commands and additionally you can't force
the OpenPGP smartcard to require a VERIFY before each decryption anyway, the
pinpad really doesn't add much at all for decryption.

With regard to the PIN not being known to the attacker when using a pinpad:
Werner disagrees that a pinpad can reliably accomplish that. I did a feature
request about a year ago, you should read this thread: [1]. And especially
Werners answer in [2]. So according to him, it doesn't add much for signatures
either.

A bugged reader firmware (certainly a possibility) would even still work in the
face of a reader filtering VERIFY commands. I think most readers have
upgradeable firmware. If an attacker has your PC and knows a vulnerability in
the firmware upgrade method, they can just flash their own firmware in your
smartcard reader. This is a really difficult to solve scenario. I do think it
requires a rather capable attacker.

So at least in its current state, a pinpad doesn't add that much. Over to the
actual advantages of a smartcard. I disagree that an 8-digit PIN isn't a
usability advantage over a good passphrase; it's much easier to enter. But the
one big advantage of smartcards: you know that (ignoring very capable attackers)
there is only one copy of the key in existence, and that's inside your
smartcard[3]. It in principle can't be copied. While the card is connected, an
attacker may do as they wish, but once you regain control of your systems, your
key is safe again. Doing crypto on a compromised machine is in so many ways a
lost cause that this is the best it is going to get in reality: containment of
the problem to the compromised machine(s).

> I would *guess* that there are additional operations that could be
> performed, without disclosing secrets (e.g. PIN; raw private key), on
> a compromised machine using a pinpad-protected reader. For instance,
> generating new keys.

This requires the admin PIN. It's also more of a denial of service than anything
else. A denial of service is trivial by doing 3 false Admin PIN attempts,
locking the card.

By the way, all in all, I'm not convinced a pinpad reader with the ability to
force a VERIFY for each decryption wouldn't add a substantial amount of security
to the overall system, albeit not perfect. But this feature has been requested
and denied. So that's where I agree with you. I disagree that a smartcard
without a pinpad isn't useful.

HTH,

Peter.

[1] http://lists.gnupg.org/pipermail/gnupg-users/2013-February/046051.html
[2] http://lists.gnupg.org/pipermail/gnupg-users/2013-February/046060.html

[3] Okay, for primary and decryption keys maybe some more backups inside a safe,
but hey, that's safe ;).

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>