GPF Crypto Stick vs OpenPGP Card
Andre Amorim
andre at amorim.me
Mon Dec 6 22:50:29 CET 2010
Hi,
Sorry, I didn't want get too far from the subject of the topic. But
the previous post raised a doubt on top of my head. Can anybody
explain (if it's not too much technical) why people say that once a
key is generated inside the smartcard it is impossible to that key get
out of it (except of course the Command> generate
Make off-card backup of encryption key? (Y/n)?)
Thanks
AA
On 6 December 2010 19:38, Grant Olson <kgo at grant-olson.net> wrote:
> On 12/6/10 2:21 PM, Marcio B. Jr. wrote:
>> Hello,
>> sorry for this insistence. I just want to get it clearly.
>>
>> So, you mean those devices certainly protect information better than a
>> regular computer (even if making proper use of disk encryption
>> software)?
>>
>
> Yes. Ultimately a malicious user with 'root' access can compromise any
> software solution. Maybe that means downloading your keys and mounting
> an offline attack. Maybe that means downloading your keys and
> installing a keylogger to get your passphrase. Or finding your
> unencrypted key that's been cached by gpg-agent in system memory. Full
> Disk Encryption doesn't provide protection there when your system is up
> and running, it only helps when someone steals your laptop, or tries to
> access the system while it's powered down.
>
> By moving the keys to a dedicated hardware device, it creates a
> partition between your (possibly compromised) computer's OS and and the
> device. The key information never gets loaded into the OS and is opaque
> to the system. So now a malicious user would need to 'root' your card,
> or card reader, which would probably involve something like trying to
> access or change the physical chips on the device, and is much much
> harder than installing a root-kit, or creating a virus, or developing
> some other malicious software.
>
> That's also why people are talking about readers with pin-pads. That
> prevents someone from installing a general-purpose keyboard sniffer to
> get your pin, stealing your physical token, and having the two pieces of
> info they need to use your keys.
>
>
> --
> Grant
>
> "I am gravely disappointed. Again you have made me unleash my dogs of war."
>
>
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users at gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users
>
>
More information about the Gnupg-users
mailing list