justina at colmena.biz
Thu Dec 13 09:36:21 CET 2018
On December 12, 2018 10:13:58 PM AKST, Werner Koch <wk at gnupg.org> wrote:
>On Tue, 11 Dec 2018 19:27, arthur at ulfeldt.com said:
>> using openkeychain with a yubikey nfc is totally solid, and
>> I've been using them for years. they also plug into the bottom of the
>> phones which some people prefer.
>You should keep in mind that you can eavesdrop on NFC communication
>within several meters. Right, it is required that the card is niot
>than about 10cm away from the reader but that is only to convey the
>power to the card, the HF is readable from several meters as soon as
>card is powered up.
>If you care about side channel attacks, NFC communication is a bad idea
>because the decrypted session key can easily be picked up. To avoid
>this, /secure communication/ needs to be used but that is cumbersome
>because this requires a shared secret between host and card. But well,
>smartphones are not a safe device anyway.
I agree that smartphones are not safe, but I am not particularly in favor of smartcards, dongles, and security tokens like yubikeys, either.
Any kind of special-purpose cryptographic *hardware* is essentially proprietary, and too attractive and soft a target for various nations' spy agencies to covertly backdoor. "Don't look at me! I've got something to hide, and nowhere to protect it!"
There's a secure phone on the President's desk, and not even the Secret Service can say it's all that "secure."
Open-source cryptographic software that runs on general purpose computer hardware is generally much more difficult to backdoor.
If you plug some little doohickey or thingamagig into your computer to do *crypto*, of all things, your computer is liable to become infected with spyware over the USB bus via BadUSB and various firmware- and device-related security vulnerabilities.
A well regulated Militia, being necessary to the security of a free State, the right of the people to keep and bear Arms, shall not be infringed.
More information about the Gnupg-users