Sat Jan 24 17:57:15 CET 2015

On 01/24/2015 12:05 AM, Matthias-Christian Ott wrote:
> The same is true for the OpenPGP smart card or for almost any other
> smart card available on the market. They could all contain a secret key
> escrow mechanism and some probably do. Proprietary smart cards are hard
> to audit and verify and are easy targets for backdoors and bugdoors.
Can you provide any evidence for that claim or is this just paranoia?

Working in the smart card industry for close to 30 years now, I've never
come across an incident where a smart card was deliberately backdoored.

Most smart cards used today in security sensitive mass applications like
banking cards, signature cards, national id cards or passports must be
independently evaluated and certified under the Common Criteria scheme.
I cannot imagine a way to introduce a backdoor without being detected
during evaluation or in the secure delivery procedure. I can hardly
imagine a smart card manufacturer or evaluator that has to take
liability for a security product with a deliberately introduced backdoor.

I agree that we've seen bad implementations in smart cards. We've even
seen certified products that generated not-so-random numbers (even
though this was the classical case of a developer trying to be smarter
than the user guidance allowed him to be).

Still, smart cards have a case: They link the private key to a protective
and controllable piece of hardware. I can disconnect the card from the
PC and I can rest assured that no copies of the key exist and the key
cannot be misused (unless someone steals card and PIN). That is an
important security attribute that no software keys can provide for - at
some point in time the software key must be somewhere in memory.



