Smart cards

justina colmena justina at
Thu Dec 13 09:36:21 CET 2018

On December 12, 2018 10:13:58 PM AKST, Werner Koch <wk at> wrote:
>On Tue, 11 Dec 2018 19:27, arthur at said:
>> using openkeychain with a yubikey nfc is totally solid, and
>> I've been using them for years. they also plug into the bottom of the
>> phones which some people prefer.
>You should keep in mind that you can eavesdrop on NFC communication
>within several meters.  Right, it is required that the card is niot
>than about 10cm away from the reader but that is only to convey the
>power to the card, the HF is readable from several meters as soon as
>card is powered up.
>If you care about side channel attacks, NFC communication is a bad idea
>because the decrypted session key can easily be picked up.  To avoid
>this, /secure communication/ needs to be used but that is cumbersome
>because this requires a shared secret between host and card.  But well,
>smartphones are not a safe device anyway.
>   Werner

I agree that smartphones are not safe, but I am not particularly in favor of smartcards, dongles, and security tokens like yubikeys, either.

Any kind of special-purpose cryptographic *hardware* is essentially proprietary, and too attractive and soft a target for various nations' spy agencies to covertly backdoor. "Don't look at me! I've got something to hide, and nowhere to protect it!"

There's a secure phone on the President's desk, and not even the Secret Service can say it's all that "secure."

Open-source cryptographic software that runs on general purpose computer hardware is generally much more difficult to backdoor.

If you plug some little doohickey or thingamagig into your computer to do *crypto*, of all things, your computer is liable to become infected with spyware over the USB bus via BadUSB and various firmware- and device-related security vulnerabilities.

A well regulated Militia, being necessary to the security of a free State, the right of the people to keep and bear Arms, shall not be infringed.

More information about the Gnupg-users mailing list