Possible to combine smartcard PIN with key password?
Peter Lebbing
peter at digitalbrains.com
Fri Dec 27 11:16:21 CET 2013
On 2013-12-27 01:41, adrelanos wrote:
> The latter often requires breaking into a flat or an office. While
> smartcards are carried around.
The solution in this scenario is so simple: don't take your smartcard
with you; at all times leave it next to your PC.
I'm not saying this solves all problems, but it solves this
scenario[1]. The thing is: you assume your house is a fortress, since
you assume your PC won't get bugged with a keylogger or anything when
you leave it at home. Your assumption is unrealistic, but even if you
make that assumption, the smartcard is still safe inside your fortress.
The on-disk key still adds nothing.
> Breaking into a flat/office and
> installing a hardware keylogger and/or miniature camera requires much
> more criminal energy than theft/robbery of a smartcard.
Possibly, when you only consider the theft. But after that, extracting
the key from the smartcard is much, much more energy than installing the
keylogger or camera.
> That is also my point. If you give enough capabilities to the adversary,
> anything can be broken.
You're building an adversary that has a very strange mix of qualities.
They're unable to break into a house and start a computer from their
USB-stick that infects the operating system, but they can pickpocket
something on a lanyard around your neck and spend a lot of money very,
very carefully grinding down a chip in a laboratory and then using
equipment to measure the charge trapped in the transistors of the
non-volatile memory.
I liked the suggestion by MFPA to have a laser projected keyboard! It
should be possible to make it small enough to hang the whole computer
and the keyboard on a lanyard around your neck. Only thing left seems
the monitor. Good luck hacking my PC over a VGA connection (I'll cut the
wires for the DDC data just to be sure). Not that I will do this, but
it's a nice thought experiment.
HTH,
Peter.
[1] In fact, I find it not unreasonable. If nasty people get physical
access to my PC, they've pretty much won. They can make my computer
theirs, and bundle their RSA crypto with the requests I send to my
smartcard. Werner once suggested recording audio while I type the PIN on
my smartcard reader to deduce the PIN, I suppose by listening for
changes in the time between keypresses. Anyway, the point is that you've
lost when they get physical access to your PC.
--
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at
<http://digitalbrains.com/2012/openpgp-key-peter>
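The scenario in Peter's footnote [1], as an added example that is not part of the message and not GnuPG code: a toy Python simulation of a host PC with an implant (keylogger plus hooked card driver) talking to a card that keeps its private key on-card, next to the same host with a passphrase-protected key file. The RSA key is the textbook p=61, q=53 key, the PIN, passphrase and key-file format are made up, and it assumes a verified PIN stays valid until the card is pulled (as an OpenPGP card's PW1 does for decryption). It needs Python 3.8+ for pow(e, -1, m).

```python
"""Toy model of the host-compromise scenario in footnote [1].

Added example, not code from the message or from GnuPG. A simulated card keeps
the private exponent on-card; the host PC carries an implant (keylogger plus
hooked card driver). The RSA key is the textbook p=61, q=53 key, the PIN and
passphrase are made up, and padding, APDUs and real key sizes are left out.
"""
import hashlib


def make_toy_key():
    """Textbook RSA: returns (n, e, d) = (3233, 17, 2753)."""
    p, q, e = 61, 53, 17
    return p * q, e, pow(e, -1, (p - 1) * (q - 1))  # pow(e, -1, m): Python 3.8+


def encrypt(m, n, e):
    return pow(m, e, n)


class Card:
    """Private exponent lives only here and is never readable over the interface.

    Assumption: a verified PIN stays valid until the card is pulled, as an
    OpenPGP card's PW1 does for decryption. Requiring the PIN per operation
    would change nothing, because the implant sees every PIN the user types.
    """

    def __init__(self, n, d, pin):
        self._n, self._d, self._pin = n, d, pin
        self._present, self._unlocked = True, False

    def verify_pin(self, pin):
        if not self._present:
            raise PermissionError("no card in reader")
        self._unlocked = pin == self._pin
        return self._unlocked

    def private_op(self, c):
        if not (self._present and self._unlocked):
            raise PermissionError("card absent or PIN not verified")
        return pow(c, self._d, self._n)

    def remove(self):
        """Card taken out of the reader; the PIN state goes with it."""
        self._present = self._unlocked = False


class CompromisedHostWithCard:
    """Implant logs the PIN and bundles its own ciphertexts behind the user's."""

    def __init__(self, card):
        self._card, self.logged_pins, self.queued, self.got = card, [], [], []

    def user_decrypt(self, pin, c):
        self.logged_pins.append(pin)               # keylogger
        self._card.verify_pin(pin)
        m = self._card.private_op(c)               # the user's real request
        while self.queued:                         # piggy-backed attacker requests
            self.got.append(self._card.private_op(self.queued.pop(0)))
        return m

    def attacker_use_card(self, c):
        """Later attempt with the logged PIN; only works while the card is in."""
        try:
            self._card.verify_pin(self.logged_pins[-1])
            return self._card.private_op(c)
        except PermissionError:
            return None


def _kdf(passphrase):
    """Toy KDF, 16 bits of SHA-256; illustration only."""
    return int.from_bytes(hashlib.sha256(passphrase.encode()).digest()[:2], "big")


class CompromisedHostWithDiskKey:
    """Same implant; key file modelled as d XOR kdf(passphrase), a toy format."""

    def __init__(self, n, d, passphrase):
        self._n, self._keyfile, self.logged = n, d ^ _kdf(passphrase), []

    def user_decrypt(self, passphrase, c):
        self.logged.append(passphrase)             # keylogger
        return pow(c, self._keyfile ^ _kdf(passphrase), self._n)

    def attacker_steal_key(self):
        return self._keyfile ^ _kdf(self.logged[-1])  # copied file + logged passphrase


def run_scenarios():
    n, e, d = make_toy_key()
    card = Card(n, d, pin="123456")
    host = CompromisedHostWithCard(card)
    host.queued += [encrypt(42, n, e), encrypt(99, n, e)]   # attacker's ciphertexts
    user_plain = host.user_decrypt("123456", encrypt(7, n, e))
    card.remove()                                          # user pulls the card
    smartcard = {
        "user_plaintext": user_plain,
        "attacker_plaintexts": list(host.got),
        "attacker_has_key": hasattr(card, "export_private_key"),  # no such command
        "attacker_can_use_absent_card": host.attacker_use_card(encrypt(5, n, e)) is not None,
    }
    disk = CompromisedHostWithDiskKey(n, d, "correct horse")
    disk.user_decrypt("correct horse", encrypt(7, n, e))
    return smartcard, {"attacker_has_key": disk.attacker_steal_key() == d}


if __name__ == "__main__":
    print(run_scenarios())
```

Running it shows the split the footnote describes: with the card, the implant gets its own ciphertexts decrypted while the card is in and the PIN is cached, but never the key, and the logged PIN is useless once the card is pulled; with a key file, the same implant walks away with the key itself, so the passphrase buys nothing against this adversary.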