OpenPGP Smartcard recommendations

[Peter Lebbing]

On 23/08/16 02:54, Karol Babioch wrote:
> P.S.: I should also mention that there is some debate about the open
>  source nature of the YubiKey 4, since its firmware is not open to 
> review any longer. Should this be a criterion for you, you have to
> go with another solution. You'll find details on the story at [3].

I was quite surprised by this blog post, by one small but, in my eyes,
significant part of it. A lot of the blog post seems not directly
related to being able to review the source and verifying that the loaded
firmware binary is indeed the reviewed source, which is what would
interest me most in a security device. There's a lot of talk about
field-updating firmware securely and related topics, which
is only tangential to the source being /available/.

But the really strange statement is this:

> In this specific context (fault injection and side-channel
> analysis), an open source strategy would provide little or no remedy
> to a serious and growing industry problem. One could say it actually
> works the other way. In fact, the attacker’s job becomes much easier
> as the code to attack is fully known and the attacker owns the
> hardware freely.

I'm with him on the first sentence. The context is broadly that when
your hardware is not secure, no amount of open sourcery would protect
the data the hardware holds. At least if I understood the context.

But then it gets iffy.

The attacker's job becomes easier because he knows the inner workings?
Alert! Alert! Security through obscurity! Prepare for battle stations!

A secure system is secure by having the knowledge of a secret key. It is
not secure because most people do not know how it works; because the
method is secret. This is Cryptography 101. If you want to know
more, I'd say just use your favourite search engine with the phrase
"security through obscurity".

I fully understand that stuff gets complicated when your hardware vendor
forbids you to disclose your source code. That's a nasty problem. I'm
less concerned about not meeting criteria for some certification because
the source is open. Would you rather have a certification stating some
party thinks you're secure, or would you rather actually be secure? I'd
know. Stuff those Common Criteria ;). They're not the holy grail. But
when you say "obscurity helps security", I'm seriously starting to doubt
your reasoning.

My 2 cents,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>