Crypto device where I need to confirm every operation?

Sandeep Murthy s.murthy at
Thu Jan 22 22:36:09 CET 2015

There are degrees of “control over your hardware” and
complete control of hardware is rarely going to happen.

If the concerns voiced by some developers about the
randomness quality of Intel’s hardware random
number generator (RNG) around the time of the
Snowden leaks are true,
then we are all compromised, so why are we even
bothering to use tools like GnuPG, which according
to the documentation uses Intel’s RDRAND CPU
instruction (which calls its hardware RNG) among its
entropy sources?  Because it is using other ones, like
/dev/random, so there is no one point of weakness and
from a practical point of view there is little risk.

Sandeep Murthy
s.murthy at

> On 22 Jan 2015, at 18:44, Robert J. Hansen <rjh at> wrote:
>> To prevent such an attack, I imagine a device where I have to
>> confirm every transaction with a simple push on a hardware button.
> This attack can't be prevented.
> Once the attacker has control over your hardware, you're done.  Game
> over.  People keep on trying to invent ways to do crypto even on
> compromised hardware, but it's a completely lost cause.  The attacker
> has too many options at that point for you to make any sort of effective
> defense.
> If I were Eve and I wanted to defeat your pushbutton setup, here's what
> I'd do:
> 1.  Figure out exactly your operating system
> 2.  Figure out which forums you look for help on
> 3.  Start posting messages on forums for your operating system, saying I
> was having problems with your specific card reader and how it wasn't
> responding to a pushbutton
> 4.  Post answers, under a different name, saying this was a known
> problem with your model of card reader under the most recent USB driver
> update, and that unplugging and replugging the device was usually enough
> to reboot the card reader and make it work
> 5.  Under yet more fake account names, upvote the answer and talk about
> how it works for me
> 6.  Repeat #s 3-5 over several different web forums
> 7.  A couple of weeks later, subvert your machine
> 8.  Replace your copy of GnuPG with one that caches the PIN.  When you
> enter your PIN and push the button, it silently substitutes my message
> for yours.  You sign it, and this compromised GnuPG deposits the signed
> message in some hidden file/directory somewhere awaiting my later collection
> 9.  You'd be understandably concerned.  You'd check web forums and see,
> "ah, this bug has been reported by five different people, and a lot of
> people are confirming that unplugging and replugging the USB device
> solves the problem."
> 10. You unplug and replug the card reader.  My malware detects the
> unplug/replug and uses that as its "clean up and get out of there"
> trigger.  It erases itself and leaves behind a clean GnuPG in its wake.
> 11. You re-try signing your message.  It works correctly.  However,
> you've already signed a message of my choosing, and I can pick it up off
> your machine at my leisure.
> ... I understand the wish to make a system that's secure even if the
> underlying hardware is compromised.  I really do.  But it's a fantasy.
> Can't be done.  Once you lose control over the hardware the attacker has
> a near-limitless number of possible attacks, and there's absolutely no
> way for you to defend against all of them, or even to effectively
> anticipate what it will be.
> Please don't tell me how, "well, to defend against your attack I'd
> just..."; that misses the point.  The point is there are literally
> *hundreds*, if not *thousands*, of attacks like this that could be
> levied against you, and there is absolutely no way for you to anticipate
> or defend against even a significant fraction of them.
> Once you lose control of the hardware, you're done.
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users at
