On Jan 9, 2014 7:16 PM, "David Tomaschik" <da...@systemoverlord.com> wrote:
>
> if the machine you are using for crypto operations is compromised, you have
> lost (at least for the operations conducted while it is compromised)

Perhaps I'm wrong, but I don't entirely accept this. Surely if you are signing with a key stored in an OpenPGP card being used via a pinpad-protected reader, then - because the malware will not learn the PIN - although the malware could potentially corrupt the message being signed (or prevent it from being sent, etc.), it could not do so in such a way that a conscientious recipient already in possession of the corresponding public key would mistake a tampered message for a genuine signed message.

I would *guess* that there are additional operations that could be performed, without disclosing secrets (e.g. PIN; raw private key), on a compromised machine using a pinpad-protected reader. For instance, generating new keys. (Although the existence and correctness of any such generated keys would then have to be checked on a trusted machine before being used in earnest, so there would not be much point in using an untrusted machine for this task.)

> a smartcard without a PIN pad may compromise your pin (and allow arbitrary
> operations while the smartcard is protected) but still protects the key
> material itself.

Small comfort if the malware, knowing the PIN, can *use* that key material every time the card is connected!

> Unless the malware has a history of all your previous email, an attacker
> still doesn't have the key to compromise your past email.

I believe an attacker who knows the PIN and is able to execute commands on the machine to which the card is connected (via pinpad-less reader) has similar capability to an attacker who has the private key file and its passphrase. His/her ability to decrypt any messages in his/her possession is limited only by the bandwidth of his/her connection to the relevant machine, the resources available on that machine, and the alertness of that machine's legitimate operator(s). Similarly re: signing and authentication.

> The smartcard (without a PIN pad) also allows for use of a lower-entropy
> passphrase/PIN than Scenario 1 in the case of theft [...] (as the smartcard
> locks itself after some number of wrong pins).

True. (Equally true, incidentally, of a smart card being used *with* a pinpad-enabled reader.) Even so, this is a pretty small advantage, given that it would take me only a second or two longer to type a passphrase a couple of dozen characters long than it would for me to type a PW1 half a dozen characters long. And given that a USB flash drive is much more versatile than an OpenPGP card, and can be as compact as a SIM card-sized OpenPGP card (i.e. *without the reader*) and less expensive in total, it's arguable that the overall advantages of such a flash drive outweigh the convenience of a low-entropy PW1.

> Theft of a key stored on disk is vulnerable to offline attack, theft of a key
> on a smartcard is much harder to use (as the smartcard locks itself after
> some number of wrong pins). (This ignores three-letter-agency attacks
> against the smartcard hardware to extract the key material from the EEPROM of
> the smart card itself, bypassing the card applet.)

Allow me to "unignore" them :-) I assume that any agency likely to have a chance of extracting a raw key from a sensibly passphrase-protected GPG key file is likely to have a chance of successfully extracting a raw key from a smart card's EEPROM; and vice versa. I'd hazard a guess that the EEPROM attack is more feasible, but since I can only speculate blindly on the matter, I prefer not to assume that either technology has an advantage over the other in this particular respect.

Best regards,
Sam

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users