On 03.12.2010 03:52, Markus Krainz wrote:
> On 2010-12-02 11:00, Łukasz Stelmach wrote:
>>> then the PIN pad becomes even more interesting.
>> I am not that paranoid to carry a full sized card reader with a PIN pad
>> with me.
>>
>
> Even with PIN-pad on a compromised computer you still have no guarantee
> WHAT you are signing.
> My opinion is that if the computer is compromised you are lost anyway.

Well, yes and no. With a pinpad at least you have to confirm any transaction so that transactions cannot take place "under the hood" without you noticing. Assuming the attacker got hold of the PIN, malicious software could do an almost unlimited number of transactions without the user being able to notice (well, at least most of the card readers I know do not have something like an activity LED).

The non-obvious content of the transaction, what you say as "you do not see what you sign even on the PIN-pad", is an issue that has been discussed a lot of times already - yes, it is definitely an issue but very hard to solve. IMHO this would require a card terminal that understands the data to be signed and presents the user with a meaningful summary. But it strictly assumes again that this terminal cannot be compromised too. And being more intelligent (in order to display complex data) means to be a more complex device containing more complex device software which again opens new possible security holes. Very difficult...

I once worked in a consortium on such a specialised solution where a PDA would be used as a crypto token and was sent a parsable XML which was to be signed. The (parsed) XML could be presented to the user, a hash calculated and be signed, all on the PDA token terminal. But of course this only worked for the project's special XML data...

> Regards,
> Markus

Cheers
  nils

--
kernel concepts GbR      Tel: +49-271-771091-12
Sieghuetter Hauptweg 48
D-57072 Siegen           Mob: +49-176-21024535
http://www.kernelconcepts.de
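
The parse, display and hash flow described in the message above, sketched as an added example; it is not code from this thread or from the consortium project. The `transfer` document and its field names are a hypothetical schema, and the signing step on the token is not shown. The terminal refuses anything it cannot display and hashes only a rebuilt document containing exactly the displayed fields.

```python
import hashlib
import xml.etree.ElementTree as ET

# Hypothetical schema: the only fields this terminal knows how to display.
FIELDS = ("payee", "account", "amount", "currency")

# Constructed sample input.
SAMPLE = (b"<transfer><payee>Example GmbH</payee><account>ACCT-0001</account>"
          b"<amount>120.00</amount><currency>EUR</currency></transfer>")


def summarize_and_hash(xml_bytes):
    """Return (summary_lines, sha256_hex); raise ValueError if any part
    of the input could not be shown to the user faithfully."""
    if b"<!" in xml_bytes:
        raise ValueError("DOCTYPE, CDATA and comments are not accepted")
    try:
        root = ET.fromstring(xml_bytes)
    except ET.ParseError as exc:
        raise ValueError(f"not well-formed: {exc}") from None
    if root.tag != "transfer" or root.attrib or (root.text or "").strip():
        raise ValueError("unexpected root content")

    values = {}
    for child in root:
        # Attributes, nested elements and trailing text would be signed
        # but never displayed, so they are rejected outright.
        hidden = child.attrib or len(child) or (child.tail or "").strip()
        if child.tag not in FIELDS or child.tag in values or hidden:
            raise ValueError(f"cannot display <{child.tag}> faithfully")
        text = (child.text or "").strip()
        if not text.isprintable():  # control or bidi characters spoof the display
            raise ValueError(f"non-printable data in <{child.tag}>")
        values[child.tag] = text
    if set(values) != set(FIELDS):
        raise ValueError("missing field")

    # Rebuild the document from the displayed values only, then hash its
    # canonical (C14N 2.0) form; this digest is what the token would sign.
    shown = ET.Element("transfer")
    for name in FIELDS:
        ET.SubElement(shown, name).text = values[name]
    canonical = ET.canonicalize(ET.tostring(shown, encoding="unicode"))
    digest = hashlib.sha256(canonical.encode("utf-8")).hexdigest()
    return [f"{name}: {values[name]}" for name in FIELDS], digest


if __name__ == "__main__":
    lines, digest = summarize_and_hash(SAMPLE)
    print("\n".join(lines))
    print("sha256:", digest)
```

The strictness is also the limitation named in the message: the approach works only for data whose every element the terminal understands.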