New smart card / token alternative
timothy.steiner at yahoo.com
Tue Nov 7 18:15:36 CET 2017
If you are using something like Tails you would probably just install the GPG agent. Tails allows installing additional software - https://tails.boum.org/doc/advanced_topics/additional_software/index.en.html. U2F is available in the new version of Firefox being released later this year, so if that is included in a future Tails release then there would be in-browser support in Tails.
The risk mentioned with a key-logger/screen capture is the same for all smart cards/tokens, and really all methods of composing a message on a computer. The risk would even apply to Tails if, say, the user installed malicious software or browsed to a site that exploited a browser vulnerability.
On Monday, November 6, 2017, 5:26:51 PM EST, <vedaal at nym.hush.com> wrote:
On 11/6/2017 at 4:55 PM, "Tim Steiner" <t at crp.to> wrote:
We have been working on a project to build a direct interface for PGP/GPG usage using U2F for web apps and browser extensions. This is similar to existing smart cards and tokens but no software install is required.
We set out to solve this problem - "Man, I really wish I could read this PGP message, or send this message, or open this file, or sign this file, but I don't have my laptop with me"
With this solution you can keep the key offline, carry it with you and it works even on a computer where you can't install software - https://www.kickstarter.com/projects/1048259057/onlykey-quantum-future-ready-encryption-for-everyo
We are interested to hear feedback on this approach from the community.
=====
Using this on anything except your own computer, or laptop, is problematic,
as the 'host' computer can have a key-logger or screen capturer, and copy the decrypted plaintext, or the plaintext to be encrypted.
Can it be made to work with Tails/Tor, which uses GnuPG?
(The 'insecure' browser on Tails, not involving Tor, is a Firefox variant.)
If it can work on that, then booting from the Tails USB avoids a screen capturer, and using an on-screen keyboard avoids a hardware keyboard logger.
But even so, there are problems with using it on an 'unknown' computer:
https://tails.boum.org/doc/about/warning/index.en.html#index2h1
vedaal