reviewing wiki / shortlist PIN-pad readers

Daniel Pocock daniel at
Tue Oct 18 12:31:52 CEST 2016

On 18/10/16 10:58, NIIBE Yutaka wrote:

> Please note that OpenPGP card requires specific card readers.  Its
> users usually use RSA-2048, RSA-3072, or RSA-4096.  For those key
> sizes, the communication is somewhat difficult for old standard of ISO
> 7816.  (For RSA-1024, most smart card readers work well.)
> I recommend TPDU readers, because readers which support extended APDU
> level communication tend to have issues for larger size communication.

Of those readers with PIN-pads on the wiki shortlist[1], which of them
are TPDU readers, or all of them?

> On 10/18/2016 04:51 PM, Daniel Pocock wrote:
>> I was looking at this page:
>> Are any of these more outstanding than the others, or it doesn't matter
>> which one somebody chooses?
>> Could anybody comment on which of those are easily available in small
>> quantities for developers, or suppliers who are cost effective for small
>> quantities?
> I implemented the pinpad input support in scdaemon.  While I know some
> claims that it is good feature, I, for myself, don't think it's worth
> to have.
> I don't think the attack to USB communication could be mitigated by
> pinpad card reader.  If such an attack is possible, a user already
> would be defeated.

I thought that if the PIN is entered in the PIN-pad, it is never sent
over the USB connection?

> It is common for such card readers to have only numeric pads.  That
> limits the entropy of passphrase, considerably.  And, as far as I
> know, I don't know any implementation of card readers in the market,
> which firmware is Free Software.  With user interface like pinpad
> input, it is more difficult for me to trust an implementation of such
> a card reader.

Isn't it more a case of choosing the lesser evil:

- a PIN-pad reader with some proprietary firmware

- the possibility that the user's OS has been compromised or that
somebody fit a keystroke logger to their keyboard

There is no such thing as perfect security and I wasn't claiming that a
PIN-pad implies perfection.




More information about the Gnupg-users mailing list