reviewing wiki / shortlist PIN-pad readers

Stephan Beck stebe at
Tue Oct 18 13:11:00 CEST 2016


NIIBE Yutaka:
> Sorry, I didn't have time to reply your call the other day.
> I think that Gemalto Shelltoken Card Reader, which is available
> at is good one.
> Please note that OpenPGP card requires specific card readers.  Its
> users usually use RSA-2048, RSA-3072, or RSA-4096.  For those key
> sizes, the communication is somewhat difficult for old standard of ISO
> 7816.  (For RSA-1024, most smart card readers work well.)
> I recommend TPDU readers, because readers which support extended APDU
> level communication tend to have issues for larger size communication.
> On 10/18/2016 04:51 PM, Daniel Pocock wrote:
>> I was looking at this page:
>> Are any of these more outstanding than the others, or it doesn't matter
>> which one somebody chooses?
>> Could anybody comment on which of those are easily available in small
>> quantities for developers, or suppliers who are cost effective for small
>> quantities?
> I implemented the pinpad input support in scdaemon.  While I know some
> claims that it is good feature, I, for myself, don't think it's worth
> to have.
> I don't think the attack to USB communication could be mitigated by
> pinpad card reader.  If such an attack is possible, a user already
> would be defeated.
> It is common for such card readers to have only numeric pads.  That
> limits the entropy of passphrase, considerably.  And, as far as I
> know, I don't know any implementation of card readers in the market,
> which firmware is Free Software.  With user interface like pinpad
> input, it is more difficult for me to trust an implementation of such
> a card reader.

Just one note for now:
For example, The Nitrokey Storage (1,2), a usb crypto stick with
integrated card reader) is 100% open source, free software, verifiable
firmware. On the other hand, it has no pinpad.
There may be others (with free software), but I don't know of them. I
just use the Nitrokey, without having any ties with its makers.
If lack of PIN-pad device is not a knock-out criteria, you might ask
them about quantities and conditions.

(1) (comparison table at bottom of page)
(3) (quick overview)
(with links to the actual security audit pdf's)


-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0x4218732B.asc
Type: application/pgp-keys
Size: 4089 bytes
Desc: not available
URL: </pipermail/attachments/20161018/ae4e1d22/attachment-0001.key>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 455 bytes
Desc: OpenPGP digital signature
URL: </pipermail/attachments/20161018/ae4e1d22/attachment-0001.sig>

More information about the Gnupg-users mailing list