On Sat, Jan 11, 2014 at 1:05 PM, Sam Kuper <sam.ku...@uclmail.net> wrote:
> On Jan 9, 2014 7:16 PM, "David Tomaschik" <da...@systemoverlord.com>
> wrote:
> >
> > if the machine you are using for crypto operations is compromised, you
> > have lost (at least for the operations conducted while it is compromised)
>
> Perhaps I'm wrong, but I don't entirely accept this. Surely if you are
> signing with a key stored in an OpenPGP card being used via a
> pinpad-protected reader, then - because the malware will not learn the
> PIN - although the malware could potentially corrupt the message being
> signed (or prevent it from being sent, etc), it could not do so in
> such a way that a conscientious recipient already in possession of the
> corresponding public key would mistake a tampered message for a
> genuine signed message.
>

Or replace the message with a message of its choosing? It just needs to
wait for you to want to do a legitimate signature, swap out the plaintext,
and then it has signed data.

>
> I would *guess* that there are additional operations that could be
> performed, without disclosing secrets (e.g. PIN; raw private key), on
> a compromised machine using a pinpad-protected reader. For instance,
> generating new keys. (Although the existence and correctness of any
> such generated keys would then have to be checked on a trusted machine
> before being used in earnest, so there would not be much point in
> using an untrusted machine for this task.)
>
> > a smartcard without a PIN pad may compromise your pin (and allow
> > arbitrary operations while the smartcard is protected) but still protects
> > the key material itself.
>
> Small comfort if the malware, knowing the PIN, can *use* that key
> material every time the card is connected!
>

Don't use sensitive keys on machines with malware? (Yes, I realize proving
a machine is malware free is essentially impossible.)

>
> > Unless the malware has a history of all your previous email, an attacker
> > still doesn't have the key to compromise your past email.
>
> I believe an attacker who knows the PIN and is able to execute
> commands on the machine to which the card is connected (via
> pinpad-less reader) has similar capability to an attacker who has the
> private key file and its passphrase. His/her ability to decrypt any
> messages in his/her possession is limited only by the bandwidth of
> his/her connection to the relevant machine, the resources available on
> that machine, and the alertness of that machine's legitimate
> operator(s). Similarly re: signing and authentication.
>
> > The smartcard (without a PIN pad) also allows for use of a lower-entropy
> > passphrase/PIN than Scenario 1 in the case of theft [...] (as the smartcard
> > locks itself after some number of wrong pins).
>
> True. (Equally true, incidentally, of a smart card being used *with* a
> pinpad-enabled reader.)
>

Agreed, I was just arguing why a smartcard without a PIN pad still offers
some level of additional security.

> Even so, this is a pretty small advantage, given that it would take me
> only a second or two longer to type a passphrase a couple of dozen
> characters long than it would for me to type a PW1 half a dozen
> characters long.
>
> And given that a USB flash drive is much more versatile than an
> OpenPGP card, and can be as compact as a SIM card-sized OpenPGP card
> (i.e. *without the reader*) and less expensive in total, it's arguable
> that the overall advantages of such a flash drive outweigh the
> convenience of a low-entropy PW1.
>
> > Theft of a key stored on disk is vulnerable to offline attack, theft of
> > a key on a smartcard is much harder to use (as the smartcard locks itself
> > after some number of wrong pins). (This ignores three-letter-agency
> > attacks against the smartcard hardware to extract the key material from the
> > EEPROM of the smart card itself, bypassing the card applet.)
>
> Allow me to "unignore" them :-) I assume that any agency likely to
> have a chance of extracting a raw key from a sensibly passphrase
> protected GPG key file, is likely to have a chance of successfully
> extracting a raw key from a smart card's EEPROM; and vice versa. I'd
> hazard a guess that the EEPROM attack is more feasible, but since I
> can only speculate blindly on the matter, I prefer not to assume that
> either technology has an advantage over the other in this particular
> respect.
>

You assume people choose good passphrases. While that may be true for
readers of this list, that is not true of the general population.

> Best regards,
>
> Sam
>

--
David Tomaschik
OpenPGP: 0x5DEA789B
http://systemoverlord.com
da...@systemoverlord.com
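The two points argued in this exchange (the card's retry counter bounding online PIN guessing, and the card signing whatever digest the host submits even when a pinpad keeps the PIN off the host), as a toy Python model added here for illustration; it is not code from the thread or from GnuPG, the HMAC "signature" is a symmetric stand-in for the card's real RSA/ECC key, and every class and function name is made up:

```python
import hashlib
import hmac
import secrets


class OpenPGPCardModel:
    """Toy card: the key never leaves it, it signs only while the PIN is
    verified, and it locks after MAX_RETRIES consecutive wrong PINs."""
    MAX_RETRIES = 3

    def __init__(self, pin: str):
        self._pin, self._key = pin, secrets.token_bytes(32)  # key stand-in
        self.retries_left, self._verified = self.MAX_RETRIES, False

    def verify_pin(self, pin: str) -> bool:
        """Online PIN check: the retry counter, not PIN entropy, bounds guessing."""
        if self.retries_left == 0:  # locked
            return False
        if hmac.compare_digest(pin.encode(), self._pin.encode()):
            self.retries_left, self._verified = self.MAX_RETRIES, True
            return True
        self.retries_left, self._verified = self.retries_left - 1, False
        return False

    def end_session(self) -> None:
        self._verified = False  # the next signature needs the PIN again

    def sign(self, digest: bytes) -> bytes:
        # The card sees only a digest and cannot tell which plaintext the
        # host hashed; a pinpad protects the PIN, not the message.
        if self.retries_left == 0 or not self._verified:
            raise PermissionError("PIN not verified")
        return hmac.new(self._key, digest, hashlib.sha256).digest()

    def check_signature(self, digest: bytes, sig: bytes) -> bool:
        # Recipient-side check; with a real card this uses the public key.
        expected = hmac.new(self._key, digest, hashlib.sha256).digest()
        return hmac.compare_digest(expected, sig)


def host_signing_session(card, pinpad_pin, intended, substituted=None):
    """Host flow: the PIN reaches the card through the pinpad, so a compromised
    host never learns it, but the host still chooses which digest is signed."""
    if not card.verify_pin(pinpad_pin):
        raise PermissionError("wrong PIN or card locked")
    msg = intended if substituted is None else substituted
    sig = card.sign(hashlib.sha256(msg).digest())
    card.end_session()
    return msg, sig
```

The gap the model exposes is closed only by a signing device with its own trusted display, so the signer confirms the content and not just the PIN.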
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users