Slightly OT - mobile OpenPGP usage

Peter Lebbing peter at
Wed Aug 28 12:07:05 CEST 2019

On 28/08/2019 00:41, Chris Narkiewicz via Gnupg-users wrote:
> This is not true. Many crypto systems are designed to perform damage
> control and recovery in such cases.

Damage control in the case of GnuPG would be using a smartcard: while
you are using the smartcard, so can the attacker, but once you pull the
smartcard and no longer use the compromised system, the attacker no
longer has access to the key.

In this scenario it makes sense to have an offline primary key: while
the attacker can issue data signatures and decrypt your files, they
cannot change your key, e.g., add another signing subkey to be used
later when the smartcard is no longer available to the attacker.

Recovery... well, damage control already implied there was damage, and
recovery even more so. Stefan asked for a "best strategy for using
OpenPGP [...]". I did not interpret that as asking for how to limit
damage, but rather to avoid it.

Whether a compromise is game over depends on your scenario. However,
what is quite often asked for here is some way to use a compromised
system without compromising confidentiality of encryption or without
enabling an attacker to issue data signatures. These things cannot be
done on a system where the attacker has control over the whole computer
(root access, in *nix parlance, or hypervisor access). If you can show
me an example where the attacker has full access to a computer and a
user can still do decryption and issue signatures *on that computer*
while maintaining confidentiality and signature integrity, I'd love to
hear about it. However, I've heard many wrong solutions, so in actuality
I don't think I would love to hear about it, because it sounds like a
waste of time.

Here are two obviously wrong ones.

"Provide explicit confirmation of each signature issued by a smartcard
with an external button".

Attacker's solution: pretend something went wrong, and make the user do
the actions again. Nothing actually went wrong, the user issued two
signatures. Social engineering to the rescue. Or, demise.

When they're sending an e-mail, simply make it look like the mail client
crashed just after they confirmed the signature, for instance.

The confirmation button doesn't ensure signature integrity, it is
damage control.

"Provide explicit confirmation of decryption with smartcard".

Whenever the user decrypts something, store the decryption key in a
database. When the user decrypts the same file twice, use the stored
decryption key and decrypt that interesting file the attacker wants to
read instead.

I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <>
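A way to verify the layout the post recommends (primary key kept offline as a stub, subkeys on the smartcard) by parsing `gpg --list-secret-keys --with-colons`. This is an added example, not code from the original post; the sample output, key IDs and card serial number are constructed.

```python
"""Check a keyring for the layout discussed above: primary secret key kept
offline (a stub), every subkey living on a smartcard.  Parses the output of
`gpg --list-secret-keys --with-colons`; in a sec/ssb record, field 15 is the
token field: '#' = stub (offline), a serial number = on that smartcard,
'+' or empty = secret key material present on this machine."""
import subprocess

# Constructed sample output (hypothetical key IDs and card serial number).
SAMPLE_OK = """\
sec:u:255:22:0123456789ABCDEF:1567000000:::u:::scESC:::#:::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
ssb:u:255:22:FEDCBA9876543210:1567000000::::::s:::D2760001240103040000000000000000:::23:
ssb:u:255:18:1122334455667788:1567000000::::::e:::D2760001240103040000000000000000:::23:
"""
# Same key, but the primary secret key is present on disk ('+' instead of '#').
SAMPLE_PRIMARY_LOCAL = SAMPLE_OK.replace(":::#:::", ":::+:::")

def classify_record(line):
    """Return (type, keyid, capabilities, location) for sec/ssb records, else None."""
    f = line.split(":")
    if f[0] not in ("sec", "ssb") or len(f) < 15:
        return None
    token = f[14]
    if token == "#":
        location = "stub"            # offline: only a placeholder is on this machine
    elif token and token != "+":
        location = "card:" + token   # secret key lives on the smartcard with this serial
    else:
        location = "local"           # secret key material is on this machine
    return f[0], f[4], f[11], location

def check_layout(colon_output):
    """Return the list of deviations from 'offline primary, subkeys on card'."""
    problems = []
    for line in colon_output.splitlines():
        rec = classify_record(line)
        if rec is None:
            continue
        rtype, keyid, caps, location = rec
        if rtype == "sec" and location != "stub":
            problems.append(f"primary {keyid} is {location}; expected an offline stub")
        if rtype == "ssb" and not location.startswith("card:"):
            problems.append(f"subkey {keyid} ({caps}) is {location}; expected on a card")
    return problems

def check_live_keyring():
    """Run the check against the local keyring; requires gpg on PATH."""
    out = subprocess.run(["gpg", "--list-secret-keys", "--with-colons"],
                         capture_output=True, text=True, check=True).stdout
    return check_layout(out)
```

Against a real keyring, `check_live_keyring()` runs gpg itself; any line it returns names a key that would stay usable by an attacker after the card is pulled.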
