Crypto device where I need to confirm every operation?

Robert J. Hansen rjh at sixdemonbag.org
Fri Jan 23 00:43:08 CET 2015


> The attack you describe is significantly more complex and more
> visible than the attack the original poster outlined.

Right: that's because the original poster outlined an attack which was,
in my opinion, naive.

If Eve can read arbitrary memory locations on your desktop PC without
your knowledge, then Eve's got root access.  At that point you need to
start thinking like a clever person with root access.

The alternative is to say, "well, assume Eve's got some exotic side
channel that only allows her a limited ability to monitor..."  Okay,
great: what's the side channel?  Defending against a side channel that
you don't know exists is pretty suboptimal, too, since you can always
imagine another hypothetical side channel.

> Yes, in the long run, if you can't trust your endpoint, you can be 
> compromised.

This isn't about not trusting the endpoint: this is about a security
system built on the assumption the endpoint is already compromised.
There is no "in the long run" here.  If your endpoint is compromised and
you're using it to do crypto operations, you're living in sin.

Smartcards exist to keep private keys safe(r) from being stolen.  They
do a pretty good job of that.  But when we expect smartcards to be able
to somehow make a compromised environment safe to operate in, then we've
crossed the line and turned them into magic crypto fairy dust.

More information about the Gnupg-users mailing list