reviewing wiki / shortlist PIN-pad readers

Stephan Beck stebe at mailbox.org
Tue Oct 18 13:11:00 CEST 2016


Hi,

NIIBE Yutaka:
> Sorry, I didn't have time to reply to your call the other day.
>
> I think that the Gemalto Shelltoken Card Reader, which is available
> at http://shop.kernelconcepts.de/ is a good one.
>
> Please note that the OpenPGP card requires specific card readers.  Its
> users usually use RSA-2048, RSA-3072, or RSA-4096.  For those key
> sizes, the communication is somewhat difficult under the old ISO 7816
> standard.  (For RSA-1024, most smart card readers work well.)
>
> I recommend TPDU readers, because readers which support extended APDU
> level communication tend to have issues with larger-size communication.
>
> On 10/18/2016 04:51 PM, Daniel Pocock wrote:
>> I was looking at this page:
>>
>> https://wiki.gnupg.org/CardReader/PinpadInput
>>
>> Are any of these more outstanding than the others, or doesn't it matter
>> which one somebody chooses?
>>
>> Could anybody comment on which of those are easily available in small
>> quantities for developers, or suppliers who are cost effective for small
>> quantities?
>
> I implemented the pinpad input support in scdaemon.  While I know some
> claim that it is a good feature, I, for myself, don't think it's worth
> having.
>
> I don't think an attack on the USB communication could be mitigated by
> a pinpad card reader.  If such an attack is possible, the user would
> already be defeated.
>
> It is common for such card readers to have only numeric pads.  That
> limits the entropy of the passphrase considerably.  And, as far as I
> know, there is no implementation of a card reader on the market
> whose firmware is Free Software.  With a user interface like pinpad
> input, it is more difficult for me to trust an implementation of such
> a card reader.
>

Just one note for now:
For example, the Nitrokey Storage (1,2), a USB crypto stick with an
integrated card reader, is 100% open source, free software, with
verifiable firmware. On the other hand, it has no pinpad.
There may be others (with free software), but I don't know of them. I
just use the Nitrokey, without having any ties with its makers.
If the lack of a PIN-pad device is not a knock-out criterion, you might
ask them about quantities and conditions.


(1) https://www.nitrokey.com/ (comparison table at bottom of page)
(2) https://www.nitrokey.com/news/2016/nitrokey-storage-available
(3) https://www.nitrokey.com/introduction (quick overview)
(4) https://www.nitrokey.com/news/2015/nitrokey-storage-got-great-results-3rd-party-security-audit
    (with links to the actual security audit PDFs)

Cheers

Stephan
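The point NIIBE makes above about RSA-2048 and larger keys being "somewhat difficult" under plain ISO 7816 comes down to APDU length limits: a short APDU carries at most 255 bytes of command data (one-byte Lc) and at most 256 bytes of response (one-byte Le), while an RSA-2048 block is exactly 256 bytes and an RSA-4096 block is 512. The host therefore has to either use extended-length APDUs or split the data by command chaining, and the reader has to pass either form through correctly. The following is an added illustration, not code from this thread or from scdaemon: it encodes both APDU forms and shows the chaining split. The length encodings follow ISO 7816-4, the chaining flag (CLA bit 4, 0x10) and the PSO:COMPUTE DIGITAL SIGNATURE header (INS 2A, P1 9E, P2 9A) follow the OpenPGP card specification; the function names and the sample payload are constructed for the example.

```python
"""Added example (not from the thread): short vs. extended APDU encoding and
command chaining for RSA-sized payloads sent to an OpenPGP card."""

SHORT_APDU_MAX_DATA = 255    # Lc is a single byte, 0x01..0xFF  (ISO 7816-4)
SHORT_APDU_MAX_RESP = 256    # one-byte Le, where 0x00 means 256 (ISO 7816-4)
EXT_APDU_MAX_DATA = 65535    # three-byte Lc: 00 hh ll
CLA_CHAINING = 0x10          # "more command data follows" bit (OpenPGP card spec)

# PSO: COMPUTE DIGITAL SIGNATURE header from the OpenPGP card specification.
PSO_CDS = (0x00, 0x2A, 0x9E, 0x9A)


def rsa_block_len(bits):
    """Size in bytes of the data block that goes to / comes from the card."""
    return bits // 8


def fits_short_apdu(bits):
    """True if a single short APDU can carry both the input and the result."""
    n = rsa_block_len(bits)
    return n <= SHORT_APDU_MAX_DATA and n <= SHORT_APDU_MAX_RESP


def encode_apdu(cla, ins, p1, p2, data, le=None, extended=False):
    """Build a case-3 (no Le) or case-4 (with Le) APDU.

    Short form:    CLA INS P1 P2 Lc(1) DATA [Le(1)]
    Extended form: CLA INS P1 P2 00 Lc(2) DATA [Le(2)]
    """
    if not data:
        raise ValueError("case 3/4 APDU needs command data")
    apdu = bytes([cla, ins, p1, p2])
    if extended:
        if len(data) > EXT_APDU_MAX_DATA:
            raise ValueError("data too long even for an extended APDU")
        apdu += b"\x00" + len(data).to_bytes(2, "big") + data
        if le is not None:
            # two-byte Le after an extended Lc; 0x0000 means 65536
            apdu += (le % 65536).to_bytes(2, "big")
    else:
        if len(data) > SHORT_APDU_MAX_DATA:
            raise ValueError("data too long for a short APDU; chain or use extended")
        apdu += bytes([len(data)]) + data
        if le is not None:
            if le > SHORT_APDU_MAX_RESP:
                # the card would then answer with SW1=61 and the host must
                # fetch the rest with GET RESPONSE; not modelled here
                raise ValueError("response too long for a one-byte Le")
            apdu += bytes([le % 256])   # 0x00 encodes 256
    return apdu


def chain_command(header, data, le=None):
    """Split DATA over several short APDUs using CLA chaining.

    Every chunk except the last has the chaining bit set in CLA; only the
    last chunk carries Le, because only it produces the card's answer.
    """
    cla, ins, p1, p2 = header
    chunks = [data[i:i + SHORT_APDU_MAX_DATA]
              for i in range(0, len(data), SHORT_APDU_MAX_DATA)]
    apdus = []
    for i, chunk in enumerate(chunks):
        last = (i == len(chunks) - 1)
        c = cla if last else (cla | CLA_CHAINING)
        apdus.append(encode_apdu(c, ins, p1, p2, chunk, le if last else None))
    return apdus


if __name__ == "__main__":
    # Constructed stand-in for a DigestInfo padded to the RSA-2048 block size.
    payload = bytes(range(256))
    for bits in (1024, 2048, 4096):
        print(f"RSA-{bits}: block {rsa_block_len(bits)} bytes, "
              f"short APDU ok: {fits_short_apdu(bits)}")
    for a in chain_command(PSO_CDS, payload, le=rsa_block_len(2048)):
        print(f"CLA={a[0]:02X} Lc={a[4]} total={len(a)} bytes")
```

Running it shows that RSA-1024 (128-byte block) fits a single short APDU, while RSA-2048 already needs two chained APDUs on the way in (255 + 1 bytes) and a full 256-byte Le on the way out; RSA-4096 additionally overflows the one-byte Le, so the host must use extended length or a GET RESPONSE loop. A reader that rewrites or truncates either form is exactly the "issue with larger-size communication" the quoted message refers to.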