Ignoring the fact that if the machine you are using for crypto operations is compromised, you have lost (at least for the operations conducted while it is compromised), a smartcard without a PIN pad may compromise your pin (and allow arbitrary operations while the smartcard is protected) but still protects the key material itself. Unless the malware has a history of all your previous email, an attacker still doesn't have the key to compromise your past email.
The smartcard (without a PIN pad) also allows for use of a lower-entropy passphrase/PIN than Scenario 1 in the case of theft. Theft of a key stored on disk is vulnerable to offline attack, theft of a key on a smartcard is much harder to use (as the smartcard locks itself after some number of wrong pins). (This ignores three-letter-agency attacks against the smartcard hardware to extract the key material from the EEPROM of the smart card itself, bypassing the card applet.) On Thu, Jan 9, 2014 at 9:42 AM, Sam Kuper <sam.ku...@uclmail.net> wrote: > On 07/01/2014, Sam Kuper <sam.ku...@uclmail.net> wrote: > > On 06/01/2014, Werner Koch <w...@gnupg.org> wrote: > >>>> The question is whether this is really helpful. Yes, it protects your > >>>> PIN > > > > That is helpful. No question about this part! > > Perhaps I should be clearer about why I believe it is unquestionably > helpful for OpenPGP-compatible smart card readers to be trustworthy > and to have pinpads. > > **Scenario 1: There is no doubt that the local machine is secure and > completely free of malware.** In this case, there is no need for a > pinpad; but there is also no need for an OpenPGP smart card. To > address other threats (e.g. physical theft), the user's auth/sign/enc > keys should of course be passphrase-protected; and they can > additionally be stored in and/or backed up to an encrypted folder, for > instance on a USB stick if portability is desired. > > **Scenario 2: There is some doubt about the local machine, such that > the procedure outlined in scenario 1 is not considered sufficiently > secure.** In this case, storing the private keys on an OpenPGP card > will prevent them from being stolen; but any machine about which this > level of doubt exists cannot be assumed to safeguard the PIN(s) of an > OpenPGP card. Therefore, the solution here is to use an OpenPGP card > and a card reader with a pinpad. > > I believe that in respect of any local PC, these two scenarios are > exhaustive. It follows that I don't see much (any) value in a card > reader without a pinpad. > > Nevertheless, perhaps that belief is wrong. If so, then I'm happy to > stand corrected. > > In the meantime, I hope I can find a small form-factor > OpenPGP-compatible smart card reader with a pin pad. I would be > grateful for pointers :) > > Regards, > > Sam > > _______________________________________________ > Gnupg-users mailing list > Gnupg-users@gnupg.org > http://lists.gnupg.org/mailman/listinfo/gnupg-users > -- David Tomaschik OpenPGP: 0x5DEA789B http://systemoverlord.com da...@systemoverlord.com
_______________________________________________ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
