Communication with card reader encrypted?

Peter Lebbing peter at
Sun Aug 26 10:41:33 CEST 2018

On 25/08/18 21:25, Felix E. Klee wrote:
> When I decrypt a file using an OpenPGP card, is the communication 
> between a USB card reader and the GnuPG daemon encrypted?

The OpenPGP smartcard and generic smartcard protocols do define "Secure
Messaging", but I don't think this is commonly used for cabled OpenPGP
smartcards. So: no, I think in most cases data is unencrypted in USB wires.

On 26/08/18 09:48, Felix E. Klee wrote:
> This thought coincided with me reading about [doctored USB
> cables][3]. I don’t want to be required to trust three devices:
> phone, reader, and now cable

I think you'll need to trust the cable anyway, since a malicious USB
device by someone with the means and motivation to attack your OpenPGP
smartcard will most likely be able to compromise your phone instead.
Securely using cryptography on a compromised operating system is simply

So in the end, it doesn't seem to make a difference: if the cable is
malicious, you're done anyway.

Even if it were encrypted, I think we still need to think about
man-in-the-middle resistance of Secure Messaging. I think there's a
distinct possibility it is only meant to thwart passive attacks, but I
haven't looked into it.



I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <>
