Communication with card reader encrypted?

Peter Lebbing peter at digitalbrains.com
Sun Aug 26 10:41:33 CEST 2018


On 25/08/18 21:25, Felix E. Klee wrote:
> When I decrypt a file using an OpenPGP card, is the communication 
> between a USB card reader and the GnuPG daemon encrypted?

The OpenPGP smartcard and generic smartcard protocols do define "Secure
Messaging", but I don't think this is commonly used for cabled OpenPGP
smartcards. So: no, I think in most cases data is unencrypted in USB wires.

On 26/08/18 09:48, Felix E. Klee wrote:
> This thought coincided with me reading about [doctored USB
> cables][3]. I don’t want to be required to trust three devices:
> phone, reader, and now cable

I think you'll need to trust the cable anyway, since a malicious USB
device by someone with the means and motivation to attack your OpenPGP
smartcard will most likely be able to compromise your phone instead.
Securely using cryptography on a compromised operating system is simply
impossible.

So in the end, it doesn't seem to make a difference: if the cable is
malicious, you're done anyway.

Even if it were encrypted, I think we still need to think about
man-in-the-middle resistance of Secure Messaging. I think there's a
distinct possibility it is only meant to thwart passive attacks, but I
haven't looked into it.

HTH,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>
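
Added example, not part of the message above and not GnuPG code: ISO/IEC 7816-4 signals Secure Messaging in the CLA byte of every command APDU, so a trace of the reader traffic shows whether a session uses it. The Python below decodes that indication; the function names and the sample APDUs (dummy PIN and cryptogram) are constructed for illustration, and only short-length APDUs are assumed.

```python
# Added example: decode the secure-messaging (SM) indication in the CLA byte
# of ISO/IEC 7816-4 command APDUs, e.g. from a reader-side trace.

INS_NAMES = {0xA4: "SELECT", 0x20: "VERIFY", 0x2A: "PERFORM SECURITY OPERATION"}

def sm_indication(cla: int) -> str:
    """Return what the CLA byte says about secure messaging."""
    if cla == 0xFF:
        return "invalid"
    if cla & 0x80:
        return "proprietary class"          # coding not set by ISO/IEC 7816-4
    if cla & 0xE0 == 0x00:                  # first interindustry: 000x xxxx
        return {0x00: "no SM indicated",
                0x04: "proprietary SM",
                0x08: "SM, header not authenticated",
                0x0C: "SM, header authenticated"}[cla & 0x0C]
    if cla & 0xC0 == 0x40:                  # further interindustry: 01xx xxxx
        return "SM, header not authenticated" if cla & 0x20 else "no SM indicated"
    return "reserved"                       # 001x xxxx

def audit(trace):
    """Return [(command name, SM indication, data field in hex)] per APDU."""
    rows = []
    for line in trace:
        apdu = bytes.fromhex(line)
        if len(apdu) < 4:
            raise ValueError("a command APDU has at least CLA INS P1 P2")
        cla, ins = apdu[0], apdu[1]
        # Short-length APDUs only: byte 4 is Lc, followed by Lc data bytes.
        data = apdu[5:5 + apdu[4]] if len(apdu) > 5 else b""
        rows.append((INS_NAMES.get(ins, f"INS {ins:02X}"), sm_indication(cla), data.hex()))
    return rows

# Constructed sample APDUs (not captured traffic; PIN and cryptogram are dummies).
SAMPLE = [
    "00A4040006D27600012401",   # SELECT the OpenPGP application by AID
    "0020008206313233343536",   # VERIFY with PIN "123456" as plain ASCII
    "002A80860500AABBCCDD",     # PSO: DECIPHER, dummy 4-byte cryptogram
    "0C2A8086",                 # header only, with the SM bits set in CLA
]

if __name__ == "__main__":
    for name, sm, data in audit(SAMPLE):
        print(f"{name:28} {sm:30} {data}")
```

With CLA `00`, the VERIFY data field is the PIN itself, which is the unencrypted case the message describes.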
