On 06/08/14 16:24, Robert J. Hansen wrote:
>
>> I do not get your point here. My proposal is to operate the keyring
>> from a USB stick. What is the difference with operating it from a
>> smart card?
>
> Exactly what I said. USB is completely broken as far as security goes.
> A USB device cannot be made secure. Thumb drives are malware vectors
> par excellence, and with some of the recent attacks which work by
> exploiting the firmware things get even nastier and harder to defend
> against. If you're concerned about a remote attacker exploiting your
> system from afar, you should also be concerned about a remote attacker
> rooting your box and exploiting the hell out of your USB stack.
>
> Smart cards work by storing the key in a method where it cannot be read
> by the host computer. Once a key is moved to the smart card, it ceases
> to exist as anything other than a black box. Data can be sent to the
> smart card to be decrypted or signed, but the host computer has
> literally no access to the cryptographic key stored on the smart card.
>
> In a USB model, an attacker who can compromise your box can easily
> acquire your private key: wait for you to plug in the USB dongle and
> make a covert copy of your keyring. In a smartcard model, an attacker
> can't easily acquire your private key.
Does the recent news about the vulnerability of USB devices to attacks such as those described in 'BadUSB' [*] mean that the USB reader into which the GnuPG smart card is inserted is also vulnerable to exploits? If not, what is the essential difference that would make a USB memory stick compromisable but not the USB smart card reader?

[*] /srlabs.de/badusb/
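The firmware attacks Hansen refers to typically show up on the host as a device that enumerates more interfaces than its label suggests (a "thumb drive" that also registers a keyboard), whereas a card reader exposes neither storage nor HID. As an added illustration that is not part of this thread, the following Python parses constructed Linux kernel (dmesg) USB enumeration lines and flags any port on which one device presents both a mass-storage and a HID input interface; the vendor/product ids and device names are made up.

```python
import re

# Constructed sample of Linux kernel (dmesg) USB enumeration lines; not real captures.
# Port 1-1: a thumb drive whose firmware also enumerates a keyboard (HID) interface.
# Port 1-2: a smart card reader that exposes neither storage nor HID.
SAMPLE_DMESG = """\
[  120.001] usb 1-1: New USB device found, idVendor=abcd, idProduct=1234, bcdDevice= 1.10
[  120.002] usb 1-1: Product: Example Flash Drive
[  120.050] usb-storage 1-1:1.0: USB Mass Storage device detected
[  120.300] input: Example Flash Drive as /devices/pci0000:00/0000:00:14.0/usb1/1-1/1-1:1.1/0003:ABCD:1234.0003/input/input9
[  130.001] usb 1-2: New USB device found, idVendor=dcba, idProduct=4321, bcdDevice= 1.00
[  130.002] usb 1-2: Product: Example CCID Reader
"""

NEW_DEVICE = re.compile(r"\] usb (\d+-[\d.]+): New USB device found, idVendor=(\w+), idProduct=(\w+)")
STORAGE = re.compile(r"\] usb-storage (\d+-[\d.]+):\d+\.\d+: USB Mass Storage device detected")
# An input device path contains ".../<port>/<port>:<config>.<iface>/..."; the backreference
# keeps devices behind hubs (e.g. 1-1.3) attributed to the right port.
HID_INPUT = re.compile(r"\] input: .* as \S*/(\d+-[\d.]+)/\1:\d+\.\d+/")

def parse_usb_log(text):
    """Map each USB port to its vendor:product id and the interface kinds it enumerated."""
    devices = {}
    for line in text.splitlines():
        m = NEW_DEVICE.search(line)
        if m:
            devices.setdefault(m.group(1), {"id": f"{m.group(2)}:{m.group(3)}", "interfaces": set()})
            continue
        for kind, pattern in (("storage", STORAGE), ("hid", HID_INPUT)):
            m = pattern.search(line)
            if m:
                devices.setdefault(m.group(1), {"id": "unknown", "interfaces": set()})["interfaces"].add(kind)
    return devices

def storage_devices_with_hid(text):
    """Ports where a single device presents both mass storage and a HID input interface."""
    return sorted(p for p, d in parse_usb_log(text).items() if {"storage", "hid"} <= d["interfaces"])

if __name__ == "__main__":
    for port, dev in parse_usb_log(SAMPLE_DMESG).items():
        print(port, dev["id"], sorted(dev["interfaces"]))
    print("storage+HID on ports:", storage_devices_with_hid(SAMPLE_DMESG))
```

On a real host the same logic can be run over `dmesg` or `journalctl -k` output; a match is a reason to inspect the device, not proof of compromise, since some legitimate composite devices also combine storage and HID.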
_______________________________________________ enigmail-users mailing list [email protected] To unsubscribe or make changes to your subscription click here: https://admin.hostpoint.ch/mailman/listinfo/enigmail-users_enigmail.net
