Talking about Cryptodevices... which one?

Andreas Schwier andreas.schwier.ml at cardcontact.de
Fri Feb 6 09:12:22 CET 2015


On 02/06/2015 01:21 AM, Matthias-Christian Ott wrote:
> If I'm not mistaken the OpenPGP card is proprietary software and runs on
> a proprietary operating system (BasicCard). If this is true, why should
> you trust it and why does the FSFE distribute these cards even though
> they conflict with their core values?
And it hasn't even undergone any independent security evaluation.
> 
> What is the threat model in which a smartcard is an effective defense
> and what are attacks that smartcards protect against? How are smartcards
> supposed to protect against malware on the host computer?
Smart cards (if done well) protect from unwanted key duplication or
disclosure. It's much harder to break into someone's home to steal the
card than it is to steal a file and a number of key strokes.

Of course a smart card cannot protect against malware on the host
computer, but it can prevent the key from being gone after malware has
infected the host. If my card is suddenly missing from my desk, then
that is much easier to spot than an illegal copy of my key file - which
I can't really detect.

And we are talking about the average user that cannot easily control
what processes are running on their computer and if it's good or bad.
For them it's much easier to lock important keys away in their desk than
it is to keep a computer free from malware.
> 
> If somebody wants to discuss or answer these questions that I've been
> asking myself for years, I will be happy to continue the discussion;
> otherwise I'm out of it.
> 
> Regards,
> Matthias-Christian
> 
> [1]
> https://www.bsi.bund.de/DE/Publikationen/TechnischeRichtlinien/tr03119/index_htm.html
> [2]
> https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Zertifizierung/Konformitaetsreporte/BSI-K-TR-0068-2011.pdf?__blob=publicationFile
> 


-- 

    ---------    CardContact Software & System Consulting
   |.##> <##.|   Andreas Schwier
   |#       #|   Schülerweg 38
   |#       #|   32429 Minden, Germany
   |'##> <##'|   Phone +49 571 56149
    ---------    http://www.cardcontact.de
                 http://www.tscons.de
                 http://www.openscdp.org
                 http://www.smartcard-hsm.com



