Trezor - Could this be the model for a PGP crypto device?
Antoine Michard
michard.antoine at gmail.com
Fri Mar 6 14:05:42 CET 2015
Hi Felix,
I've got one of this device ! Work like a charm !
Love the idea that everything was encrypt inside of the device, nothing on
the computer.
Try to restore my wallet, again no problem !!!
I will love to see one of this device for PGP.
I'm thinking to use a smartcard inside Gemalto K50 but on a computer
without GPG is useless...
Same thing about NitroKeys
Last thing: For Trezor, you have to install a bridge compatible on Windows,
MacOSX and Linux.
Of course, source code is available: https://github.com/trezor/trezord
2015-03-06 13:50 GMT+01:00 Felix E. Klee <felix.klee at inka.de>:
> Yesterday in Las Palmas de Gran Canaria, I attended a [talk][1] by Marek
> Palatinus, one of the relatively early Bitcoin miners and cofounder of
> [SatoshiLabs][2]. He gave an introduction to his path into Bitcoin, and
> things that went wrong, and then he presented the [Trezor][3] crypto
> device.
>
> The Trezor has a little display and two buttons. It generates and stores
> your private key which is used for identifying your address in the
> Bitcoin network. The Bitcoins that you own are associated with your
> address. Connected via USB to a computer, the Trezor signs Bitcoin
> transactions.
>
> Marek later explained to me that the Bitcoin crypto standard is
> different from those used with PGP.
>
> After the talk, I hammered him with questions:
>
> * What if I lose the device or if it breaks? For backup, the device
> presents a list of 24 English words, that the user should write down
> and keep on paper in a safe place. Using this list, the private key
> can be recreated.
>
> * What if Eve wants to access the device without my authorization?
> There is a PIN.
>
> * How is the key generated? With an RNG on the device, using entropy
> gathered from the connected computer.
>
> * There’s no PIN pad on the device; Couldn’t malware sniff the PIN?
> The device has a little screen that displays a matrix of nine
> numbers. On the computer’s screen appears the same matrix without
> numbers, and one clicks on these with the mouse.
>
> * Do I have to enter the PIN for every transaction? Only once, then
> the device remains activated.
>
> * Once the device is activated, couldn’t malware do arbitrary
> transactions? For every transaction there is information displayed
> on the device’s display, and it has to be confirmed with the press
> of a button on the device.
>
> * Can I trust the firmware? [Source code][4] is available. Users can
> check the code, compile it, and flash their own version.
>
> * What if Eve modifies the firmware in a malignant way and flashs it
> to the device? Flashing unsigned firmware causes the private key to
> be erased by the bootloader.
>
> * Can I trust the bootloader? Source code is available as well.
>
> Of course there could still be backdoors. However, at the moment I
> cannot see what can be done better, other than building your own
> hardware, ideally down to chip manufacturing level.
>
> [1]: http://www.meetup.com/lpa-tech/events/220413356/
> [2]: http://satoshilabs.com/
> [3]: http://satoshilabs.com/trezor/
> [4]: https://github.com/trezor/
>
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users at gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users
>
--
Antoine Michard
-------------- next part --------------
An HTML attachment was scrubbed...
URL: </pipermail/attachments/20150306/00da536f/attachment.html>
More information about the Gnupg-users
mailing list