What am I missing?

listo factor listofactor at mail.ru
Wed Mar 30 14:16:11 CEST 2016

I do not use this device, so I am wondering if those that are
familiar with it may be kind enough to confirm my understanding
of its security architecture:

The device uses a protected hardware module, which does several

1) It uses its own secret, etched in silicon, in combination
with a user-supplied secret to generate a symmetric encryption key.

2) It never exports either its own secret or the generated key,
instead it performs all encryption/decryption operations on the
blocks that the general-purpose processor provides to it and
receives from it.

3) It only executes the code signed by a private key for which
it holds a corresponding public key.

4) In order to make brute-forcing of the user secret impractical,
it delays successive key-generation requests and erases its
own secret after a small number of unsuccessful attempts.

All of this is done in order to make it possible for the
majority of device users to opt for the convenience of an
extremely low-entropy user secret (only 4 digits?). However,
there is nothing to prevent the user from opting for a pass-phrase
of such length that brute-forcing it would be impossible, even
on hardware that has no restrictions built into it.

If this is all essentially correct, someone who knows that
the content of his device-at-rest is extremely valuable to an
attacker would surely use a pass-phrase of adequate length, and
thus make a potential cooperation from the device builder to
his adversary inconsequential.

What am I missing in this whole case?
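
A small model of the module described in points 1, 2 and 4 of the message above, added here as an illustration; it is not part of the original post and not any vendor's code. The class name, the use of PBKDF2 as the key-derivation step, the failure limit, the delay schedule and the guess rates are all assumptions.

```python
import hashlib, hmac, os

class ProtectedModule:
    """Hypothetical stand-in for the protected hardware module in the post."""
    MAX_FAILURES = 10        # assumed; the post says only "a small number"
    PBKDF2_ROUNDS = 10_000   # assumed work factor

    def __init__(self, user_secret):
        self._device_secret = os.urandom(32)  # stand-in for the secret fixed in silicon
        self._failures = 0
        self.delays = []                      # seconds a real module would wait
        self._check = self._tag(self._derive(user_secret))

    def _derive(self, user_secret):
        # Point 1: the key depends on the device secret and the user secret together.
        return hashlib.pbkdf2_hmac("sha256", user_secret.encode(),
                                   self._device_secret, self.PBKDF2_ROUNDS)

    @staticmethod
    def _tag(key):
        return hmac.new(key, b"unlock-check", hashlib.sha256).digest()

    def unlock(self, guess):
        # Point 2: only a yes/no answer leaves the module, never the key itself.
        if self._device_secret is None:
            raise RuntimeError("device secret erased")
        # Point 4: escalating delay, recorded instead of slept so the demo runs fast.
        self.delays.append(0 if self._failures == 0 else 2 ** self._failures)
        if hmac.compare_digest(self._tag(self._derive(guess)), self._check):
            self._failures = 0
            return True
        self._failures += 1
        if self._failures >= self.MAX_FAILURES:
            self._device_secret = None        # erase after too many failures
        return False

def years_to_search(symbols, length, guesses_per_second):
    """Average time to cover half the keyspace when nothing limits the guess rate."""
    return (symbols ** length / 2) / guesses_per_second / (365.25 * 24 * 3600)

if __name__ == "__main__":
    module = ProtectedModule("4821")          # constructed sample PIN
    print(module.unlock("0000"), module.unlock("4821"))
    # 4-digit PIN vs. 8 words from a 7776-word list, at assumed guess rates.
    print(years_to_search(10, 4, 1e9), years_to_search(7776, 8, 1e12))
```

With a 4-digit secret the module's counter and erasure are the only protection; with the long pass-phrase the search time is already out of reach without them.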
