reviewing wiki / shortlist PIN-pad readers

Peter Lebbing peter at
Tue Oct 18 13:25:32 CEST 2016

On 18/10/16 10:58, NIIBE Yutaka wrote:
> I don't think the attack to USB communication could be mitigated by
> pinpad card reader.  If such an attack is possible, a user already
> would be defeated.

It would IMO not prevent key usage, so in that sense the user is defeated. It
would still limit the time of exposure, since key extraction should still be
prohibitively difficult.

This is a contentious topic I think :-). People put different amounts of stock
in the protection afforded by smartcards, and the likelihood of attack scenarios.

> It is common for such card readers to have only numeric pads.  That
> limits the entropy of passphrase, considerably.

But luckily, entropy demands on a smartcard PIN are really low. The card locks
after three tries.

Conversely, if you protect your on-disk key with a 10-digit decimal number, an
attacker having the encrypted file could do the required average of 500 million
tries in less time than it takes you to make a cup of coffee.

A PIN just needs to be unguessable, i.e., properly random. It doesn't have to
withstand keyspace enumeration.

My 2 cents,


Note to self: make cup of coffee.

I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <>

More information about the Gnupg-users mailing list