On 29/07/2011 02:45, Jerome Baum wrote: >> The very purpose of smartcards is to keep secret keys confidential and >> secure. This is achieved by physical protection, different layers, >> puzzling structure etc. This makes it very, very difficult to extract >> the keys. For a state-of-the-art smart card like the OpenPGP Card 2, I >> guess the price tag would be around 100.000 Euros. > > Any data on that? > > (and before you say it, I know you said "guess" and my question was > more rhetorical)
This is where my confidence fades a little. If the key is on my laptop, as long as my laptop hasn't been compromised, the key is secured by math. If it's on a smartcard, I have to trust that when people tell me it's prohibitively expensive, that they are right and up to date, and then I also have to trust that my adversary doesn't have the money/inclination to do it. I'd *expect* lots of organisations to have worked on processes to quickly and "cheaply" pull PGP keys off various brands of smart card, just in case they need to. And I'd expect many of them to not publish their results. >> The beauty is that this protection can be provided without the burden >> for the user to remember a long passphrase, since this is not required >> to encrypt the keys. > > Agree that it's nice, but I don't think that was the intention behind > smart cards. The problem with not encrypting the keys is that a > read-out is possible -- if the keys are encrypted, the read-out > becomes a tad more difficult, depending on the length of the PIN. There is another attack vector here. If someone observes me entering my pin, they can obtain my smart card at a later date and use it to decrypt my files. I am thinking of hard coding *part* of my pin into gpg on my primary system, so I can only be observed typing in part of the pin. Every little helps. -- Mike Cardwell https://grepular.com/ https://twitter.com/mickeyc Professional http://cardwellit.com/ http://linkedin.com/in/mikecardwell PGP.mit.edu 0018461F/35BC AF1D 3AA2 1F84 3DC3 B0CF 70A5 F512 0018 461F
signature.asc
Description: OpenPGP digital signature
_______________________________________________ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
