reviewing wiki / shortlist PIN-pad readers

Daniel Pocock daniel at pocock.pro
Tue Oct 18 12:31:52 CEST 2016



On 18/10/16 10:58, NIIBE Yutaka wrote:

> Please note that the OpenPGP card requires specific card readers.  Its
> users usually use RSA-2048, RSA-3072, or RSA-4096.  For those key
> sizes, the communication is somewhat difficult under the old ISO
> 7816 standard.  (For RSA-1024, most smart card readers work well.)
> 
> I recommend TPDU readers, because readers which support extended APDU
> level communication tend to have issues with larger-size communication.
> 

Of those readers with PIN-pads on the wiki shortlist[1], which of them
are TPDU readers, or all of them?


> On 10/18/2016 04:51 PM, Daniel Pocock wrote:
>> I was looking at this page:
>>
>> https://wiki.gnupg.org/CardReader/PinpadInput
>>
>> Are any of these more outstanding than the others, or it doesn't matter
>> which one somebody chooses?
>>
>> Could anybody comment on which of those are easily available in small
>> quantities for developers, or suppliers who are cost effective for small
>> quantities?
> 
> I implemented the pinpad input support in scdaemon.  While I know some
> claim that it is a good feature, I, for myself, don't think it's worth
> having.
> 
> I don't think an attack on USB communication could be mitigated by a
> pinpad card reader.  If such an attack is possible, a user would
> already be defeated.
> 

I thought that if the PIN is entered in the PIN-pad, it is never sent
over the USB connection?


> It is common for such card readers to have only numeric pads.  That
> limits the entropy of the passphrase considerably.  And, as far as I
> know, there is no implementation of a card reader on the market
> whose firmware is Free Software.  With a user interface like pinpad
> input, it is more difficult for me to trust an implementation of such
> a card reader.

Isn't it more a case of choosing the lesser evil:

- a PIN-pad reader with some proprietary firmware

- the possibility that the user's OS has been compromised or that
somebody has fitted a keystroke logger to their keyboard

There is no such thing as perfect security and I wasn't claiming that a
PIN-pad implies perfection.

Regards,

Daniel


1. https://wiki.gnupg.org/CardReader/PinpadInput
