Smartcards and tokens

Damien Goutte-Gattat dgouttegattat at incenp.org
Thu Dec 15 22:17:48 CET 2016 

On 12/15/2016 08:35 PM, sivmu wrote:
> From what I understand, a malicious token can e.g. perform encryption
> operations with weak randomness to create some kind of backdoor that is
> hard to detect.

The token is normally not used to perform any *encryption*. You encrypt 
with the public key of your correspondant, which is stored on your 
computer, not on your token (there's no need to protect it since it is a 
*public* key). You use your token to *decrypt* messages that were sent 
to you--and at that time, even if the token is malicious there's nothing 
it can do to mess with the encryption.

What a malicious (or faulty) token *could* do is generate a weak key, 
that your opponent could break once and for all and then use to decrypt 
all messages sent to you. Smartcards generating weak keys have already 
been observed in the wild [1]. If you worry about that, simply generate 
your keys on a computer you trust, then load them onto the token, 
without ever using the token's own random number generator.


> Maybe there is also a way to secretly send the secret
> keys loaded onto the smartcard/token to the adversary using the PC and
> network it is used on.

I'll admit readily that I am not an expert on this, but I don't see how 
that could be feasible without the help of the host PC--meaning your 
opponent would have to both (1) compromise your PC and (2) send you a 
malicious token. But if he could compromise your PC, he would have no 
need for a malicious token.

I guess your attacker could use a USB token as the mean to compromise 
your PC (names like "Bad USB" come to mind), but if you worry about such 
attacks, you should be wary of *any* USB device you buy (keyboards, 
mice, mass storage sticks... or even desktop missile launchers), not 
only cryptographic devices.


Damien

[1] https://eprint.iacr.org/2013/599

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: OpenPGP digital signature
URL: </pipermail/attachments/20161215/3365d5c3/attachment.sig>

More information about the Gnupg-users mailing list