Talking about Cryptodevices... which one?

Peter Lebbing peter at digitalbrains.com
Sat Jan 24 20:19:33 CET 2015


On 24/01/15 17:57, Andreas Schwier wrote:
> Can you provide any evidence for that claim or is this just paranoia ?

One man's paranoia is another man's common sense, I suppose. Since those
smartcards are pretty much exclusively used for security purposes, i.e., private
key storage, they're a likely target for an intelligence agency to try to subvert.

> Most smart cards used today in security sensitive mass applications like
> banking cards, signature cards, national id cards or passports must be
> independently evaluated and certified under the Common Criteria scheme.
> I can not imagine a way to introduce a backdoor without being detected
> during evaluation or in the secure delivery procedure.

I've replied to this statement earlier, I won't repeat myself other than to say
I disagree.

> I can disconnect the card from the
> PC and I can rest assured that no copies of the key exist and the key
> can not be misused (Unless someone steals card and PIN).

Assuming it's not backdoored, yes. In the presence of backdoors this is
obviously not the case.

> That is an
> important security attribute that no software keys can provide for - at
> some point in time the software key must be somewhere in memory.

Yes, I agree.

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>


