Trezor - Could this be the model for a PGP crypto device?

Antoine Michard michard.antoine at gmail.com
Fri Mar 6 14:05:42 CET 2015 

Hi Felix,

I've got one of this device ! Work like a charm !
Love the idea that everything was encrypt inside of the device, nothing on
the computer.
Try to restore my wallet, again no problem !!!

I will love to see one of this device for PGP.
I'm thinking to use a smartcard inside Gemalto K50 but on a computer
without GPG is useless...
Same thing about NitroKeys

Last thing: For Trezor, you have to install a bridge compatible on Windows,
MacOSX and Linux.
Of course, source code is available: https://github.com/trezor/trezord

2015-03-06 13:50 GMT+01:00 Felix E. Klee <felix.klee at inka.de>:

> Yesterday in Las Palmas de Gran Canaria, I attended a [talk][1] by Marek
> Palatinus, one of the relatively early Bitcoin miners and cofounder of
> [SatoshiLabs][2]. He gave an introduction to his path into Bitcoin, and
> things that went wrong, and then he presented the [Trezor][3] crypto
> device.
>
> The Trezor has a little display and two buttons. It generates and stores
> your private key which is used for identifying your address in the
> Bitcoin network. The Bitcoins that you own are associated with your
> address. Connected via USB to a computer, the Trezor signs Bitcoin
> transactions.
>
> Marek later explained to me that the Bitcoin crypto standard is
> different from those used with PGP.
>
> After the talk, I hammered him with questions:
>
>   * What if I lose the device or if it breaks? For backup, the device
>     presents a list of 24 English words, that the user should write down
>     and keep on paper in a safe place. Using this list, the private key
>     can be recreated.
>
>   * What if Eve wants to access the device without my authorization?
>     There is a PIN.
>
>   * How is the key generated? With an RNG on the device, using entropy
>     gathered from the connected computer.
>
>   * There’s no PIN pad on the device; Couldn’t malware sniff the PIN?
>     The device has a little screen that displays a matrix of nine
>     numbers. On the computer’s screen appears the same matrix without
>     numbers, and one clicks on these with the mouse.
>
>   * Do I have to enter the PIN for every transaction? Only once, then
>     the device remains activated.
>
>   * Once the device is activated, couldn’t malware do arbitrary
>     transactions? For every transaction there is information displayed
>     on the device’s display, and it has to be confirmed with the press
>     of a button on the device.
>
>   * Can I trust the firmware? [Source code][4] is available. Users can
>     check the code, compile it, and flash their own version.
>
>   * What if Eve modifies the firmware in a malignant way and flashs it
>     to the device? Flashing unsigned firmware causes the private key to
>     be erased by the bootloader.
>
>   * Can I trust the bootloader? Source code is available as well.
>
> Of course there could still be backdoors. However, at the moment I
> cannot see what can be done better, other than building your own
> hardware, ideally down to chip manufacturing level.
>
> [1]: http://www.meetup.com/lpa-tech/events/220413356/
> [2]: http://satoshilabs.com/
> [3]: http://satoshilabs.com/trezor/
> [4]: https://github.com/trezor/
>
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users at gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users
>



-- 
Antoine Michard
-------------- next part --------------
An HTML attachment was scrubbed...
URL: </pipermail/attachments/20150306/00da536f/attachment.html>

More information about the Gnupg-users mailing list