On 18/10/11 14:53, takethe...@gmx.de wrote:
> I read a smartcard is simply a chip card. Why is it safe, what's a
> PIN? Say I'm using it on a PC with a trojan in the background
> that logs my keystrokes (my password) and can send data (my key)
> via internet to an attacker. How is access restricted to the key by
> the smartcard?

It's simply a chip card. Which means the same as: It's simply a computer. Only small and not very powerful.

The key never leaves the smartcard. It does the decryption and signing instead of your computer. Not of the whole file you decrypt or sign: in a hybrid cryptosystem like GnuPG, the private key (on the smartcard) is only used to decrypt or sign a very small piece of data. If you decrypt a file, the only thing decrypted by your private key is the "session key", which is a randomly generated key used to decrypt the actual file with symmetric encryption. If you sign a file, you sign a hash that is computed from the contents of the file. So the actual data transfer between PC and smartcard is small.

If someone sniffs your PIN, and has trojaned or rooted your computer, he could use your smartcard while it is still plugged in to your computer, just like you are using your smartcard. But he wouldn't have your raw secret key material and use it without also having access to the smartcard.

> Since the PC is "isolated" from the net, I don't need to be afraid of
> software keyloggers, trojans etc. I'm only vulnerable to
> physical/hardware attacks which are easier to notice for a person
> who's no computer expert.

A capable enough hacker might infect the USB pendrive while it is in your internet-connected PC and that way still gain access to the non-connected system.

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at http://wwwhome.cs.utwente.nl/~lebbing/pubkey.txt
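
The host/card split described in the reply above, as an added Python sketch that is not part of the original message or of GnuPG. It shows that the host sends the card only a wrapped session key and a digest, while the bulk data is handled on the PC and the private exponent is never returned. `ToyCard`, the PIN value, the demo primes and the SHA-256 keystream cipher are constructed stand-ins (textbook RSA without padding, not for real use).

```python
import hashlib
import secrets

class ToyCard:
    """Stand-in for the smartcard: holds d, exposes only PIN-gated key operations."""
    def __init__(self, pin):
        p, q = 2**521 - 1, 2**607 - 1        # constructed demo primes, not a secure choice
        self.n, self.e = p * q, 65537        # public key, known to the host
        self._d = pow(self.e, -1, (p - 1) * (q - 1))  # private exponent, never returned
        self._pin = pin
        self.bytes_in = 0                    # bytes the host has sent to the card

    def _private_op(self, pin, value):
        if pin != self._pin:
            raise PermissionError("wrong PIN")
        self.bytes_in += (value.bit_length() + 7) // 8
        return pow(value, self._d, self.n)   # textbook RSA, no padding (demo only)

    def sign_digest(self, pin, digest):
        return self._private_op(pin, int.from_bytes(digest, "big"))

    def unwrap_session_key(self, pin, wrapped):
        return self._private_op(pin, wrapped).to_bytes(16, "big")

def keystream_xor(key, data):
    """Stand-in symmetric cipher (SHA-256 in counter mode); runs on the host."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def demo():
    card = ToyCard(pin="123456")                        # constructed PIN
    document = b"constructed sample data " * 4000       # 96,000 bytes of sample input
    # Sender side: a random session key encrypts the file; only that key is RSA-wrapped.
    session_key = secrets.token_bytes(16)
    ciphertext = keystream_xor(session_key, document)
    wrapped = pow(int.from_bytes(session_key, "big"), card.e, card.n)
    # Recipient host: the card unwraps the session key, the PC decrypts the file.
    recovered = keystream_xor(card.unwrap_session_key("123456", wrapped), ciphertext)
    # Signing: the PC hashes the file, the card signs only the 32-byte digest.
    digest = hashlib.sha256(document).digest()
    signature = card.sign_digest("123456", digest)
    sig_ok = pow(signature, card.e, card.n) == int.from_bytes(digest, "big")
    return recovered == document, sig_ok, card.bytes_in, len(document)

if __name__ == "__main__":
    print(demo())
```

Anyone on the host who knows the PIN can call the same two methods while the card is present, which matches the reply: use of the key, but no copy of it.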