Hi,

Sorry, I didn't want to get too far from the subject of the topic, but the previous post raised a doubt in my head. Can anybody explain (if it's not too technical) why people say that once a key is generated inside the smartcard it is impossible for that key to get out of it (except, of course, via the `Command> generate` prompt "Make off-card backup of encryption key? (Y/n)")?
Thanks,
AA

On 6 December 2010 19:38, Grant Olson <[email protected]> wrote:
> On 12/6/10 2:21 PM, Marcio B. Jr. wrote:
>> Hello,
>> sorry for this insistence. I just want to get it clearly.
>>
>> So, you mean those devices certainly protect information better than a regular computer (even if making proper use of disk encryption software)?
>>
>
> Yes. Ultimately a malicious user with 'root' access can compromise any software solution. Maybe that means downloading your keys and mounting an offline attack. Maybe that means downloading your keys and installing a keylogger to get your passphrase. Or finding your unencrypted key that's been cached by gpg-agent in system memory. Full Disk Encryption doesn't provide protection there when your system is up and running; it only helps when someone steals your laptop, or tries to access the system while it's powered down.
>
> By moving the keys to a dedicated hardware device, it creates a partition between your (possibly compromised) computer's OS and the device. The key information never gets loaded into the OS and is opaque to the system. So now a malicious user would need to 'root' your card, or card reader, which would probably involve something like trying to access or change the physical chips on the device, and is much, much harder than installing a root-kit, or creating a virus, or developing some other malicious software.
>
> That's also why people are talking about readers with pin-pads. That prevents someone from installing a general-purpose keyboard sniffer to get your pin, stealing your physical token, and having the two pieces of info they need to use your keys.
>
>
> --
> Grant
>
> "I am gravely disappointed. Again you have made me unleash my dogs of war."
_______________________________________________
Gnupg-users mailing list
[email protected]
http://lists.gnupg.org/mailman/listinfo/gnupg-users
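A practical way to see the "partition" Grant describes from the host side is to check what GnuPG actually holds for each secret key. After `generate` on the card (or `keytocard`), the host keyring keeps only a stub that points at the card's serial number; the private key material itself never appears on disk. The following is an added example, not code from the thread or from GnuPG: it parses the machine-readable output of `gpg --list-secret-keys --with-colons` and reports where each secret key lives. It assumes the field layout documented in GnuPG's doc/DETAILS, where field 15 of a `sec`/`ssb` record carries the token serial number for on-card keys, `+` when the secret key is stored on disk, and `#` when only a stub with no secret material exists. The sample listing is constructed for the example (fake key IDs, fingerprint and serial number), so it runs without a card or a gpg installation.

```python
"""Classify where GnuPG secret keys live, from `gpg --list-secret-keys --with-colons`.

Added example (not from the mailing-list thread or from GnuPG itself).
Assumed field layout, per GnuPG doc/DETAILS: in a sec/ssb record,
field 15 is the token serial number for keys kept on a smartcard,
'+' for a secret key stored on disk, and '#' for a stub with no secret
material at all.  Fields are 1-based in the docs, so index 14 here.
"""
from dataclasses import dataclass
from typing import List


@dataclass
class SecretKey:
    record: str        # "sec" (primary key) or "ssb" (subkey)
    keyid: str         # long key ID, field 5
    capabilities: str  # key capability letters, field 12 (e.g. "scESC", "e")
    location: str      # "card:<serial>", "disk", "missing", or "unknown"


def classify_secret_keys(colon_output: str) -> List[SecretKey]:
    """Parse --with-colons output and return one entry per sec/ssb record."""
    keys: List[SecretKey] = []
    for line in colon_output.splitlines():
        fields = line.split(":")
        # Only secret-key records carry the token field; skip uid/fpr/etc.
        if len(fields) < 15 or fields[0] not in ("sec", "ssb"):
            continue
        token = fields[14]
        if token == "+":
            location = "disk"
        elif token == "#":
            location = "missing"
        elif token:
            location = f"card:{token}"
        else:
            # Older GnuPG versions leave the field empty for on-disk keys.
            location = "unknown"
        keys.append(SecretKey(fields[0], fields[4], fields[11], location))
    return keys


def all_on_card(keys: List[SecretKey]) -> bool:
    """True only if every listed secret key is a stub pointing at a card."""
    return bool(keys) and all(k.location.startswith("card:") for k in keys)


# Constructed sample listing: two keys on a card, one on disk, one stub
# with no secret material.  Key IDs, fingerprint and serial are fake.
SAMPLE = """\
sec:u:2048:1:0123456789ABCDEF:1291651200:::u:::scESC:::D2760001240102000006012345670000::::
fpr:::::::::0000000000000000000000000123456789ABCDEF:
uid:u::::1291651200::0123456789ABCDEF0123456789ABCDEF0123456789::Example User::::::::::0:
ssb:u:2048:1:FEDCBA9876543210:1291651200::::::e:::D2760001240102000006012345670000::::
sec:u:2048:1:1111111111111111:1291651200:::u:::scESC:::+::::
ssb:u:2048:1:2222222222222222:1291651200::::::s:::#::::
"""

if __name__ == "__main__":
    for key in classify_secret_keys(SAMPLE):
        print(f"{key.record} {key.keyid} [{key.capabilities}] -> {key.location}")
```

On a real system, feed it the output of `gpg --list-secret-keys --with-colons`. A key that reports `card:<serial>` is exactly the situation the thread describes: gpg on the host can ask the card to sign or decrypt, but has nothing to copy out, which is why root on the host does not get the key the way it does with an on-disk keyring.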
