Yubikey NEO OpenPGP advisory

Andreas Schwier andreas.schwier.ml at cardcontact.de
Wed Apr 22 20:27:26 CEST 2015


On 04/22/2015 08:05 PM, Werner Koch wrote:
> On Wed, 22 Apr 2015 18:06, andreas.schwier.ml at cardcontact.de said:
> 
>> And contrary to the Yubico position that this is a minor issue, I would
>> call the circumvention of the PIN mechanism a major issue. If you lose
>> the device, then you lose the key.
> 
> You mean anyone can use the key, right.  However, any simple malware can
> be used to sniff on a user entering the PIN.  I doubt that most pinpad
> readers can protect against this: It is easy to trick most users into
> entering the PIN using the regular keyboard instead of the pinpad.  In
> fact old version of GnuPG required this in certain cases.
Not sure about that. If I lose my card on the street or someone picks
it from my pocket or my PC, then that is different from a malware attack,
which I can protect myself against.

I would consider this a major bug, in particular if I purchase a device
to get this specific kind of protection.

Imagine a bank, SIM or electronic signature card with a malfunctioning
PIN. Would you consider that a minor bug? I don't see that this is
different for an OpenPGP card.

> 
> 
> Salam-Shalom,
> 
>    Werner
> 


-- 

    ---------    CardContact Software & System Consulting
   |.##> <##.|   Andreas Schwier
   |#       #|   Schülerweg 38
   |#       #|   32429 Minden, Germany
   |'##> <##'|   Phone +49 571 56149
    ---------    http://www.cardcontact.de
                 http://www.tscons.de
                 http://www.openscdp.org
                 http://www.smartcard-hsm.com




More information about the Gnupg-users mailing list