Anonymous payment for hardware tokens

Brian Minton brian at minton.name
Wed Feb 4 12:59:05 CET 2015


Showing a hash wouldn't prevent a malicious entity from making a fake token
that prints whatever hash the user expects. There's no way to verify that
the hash is if code actually on the device, or that the hashed code is the
only code on the device. The only way I could see to prevent it is to have
the tokens encrypted be the manufacturer with a well known public key pair,
but that does present key distribution problems (see for example, every DRM
system).

On Wed, Feb 4, 2015, 3:58 AM NIIBE Yutaka <gniibe at fsij.org> wrote:

> On 02/04/2015 03:50 PM, georgeorwellhardwired at riseup.net wrote:
> > Is there anyone that knows where you can buy yubikeys or smartcards
> > anonymously?
>
> I'm afraid it's not practical for you...
>
> You can buy Gnuk Token in Maebashi, Gunma, Japan by cash from me.
>
>         Buy FST-01 with Gnuk 1.1.4 (in Japanese):
>         http://www.gniibe.org/shop/gnuk_1_1_x-on-fst-01.html
>
> I can speak Japanese (native) and English, and I can read/write
> Chinese a little.
>
> Some people bought it in Tokyo by cash when I visited there.
>
> When I join some conference and it is allowed, I can sell it by cash.
> I am considering to join LibrePlanet 2015 and Debconf15, this year.
>
> In case it is difficult for you to trust the product, you can compile
> Gnuk 1.1.4 by yourself and install it to other supported hardware:
> Olimex STM32-H103, STBee, or STBee Mini.  (Porting Gnuk to some board
> of STM32F103 is not that difficult, too.)
>
> In either cases, it is recommended to compile and install Gnuk to your
> board by yourself, as there is some risk where some malicious
> (possibly middle) person has installed fake firmware already.  (I
> don't know some technology to prevent such an attack to MCU.  It would
> be good if MCU has a built-in feature to show it's SHA256 hash somehow
> for its program so that user can check it.)
>
> When/if enough people can gather together, it would be great to have
> some hands-on workshop for building Gnuk Token (hardware-wise and
> compiling/installing the firmware) and/or one for using Gnuk Token.
> Once, we had an event in Tokyo for using Gnuk Token (a session of two
> hours) by FSIJ, and a handful people joined.
> --
>
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users at gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: </pipermail/attachments/20150204/a8644672/attachment-0001.html>


More information about the Gnupg-users mailing list