On 25/07/2011 11:05, Olav Seyfarth wrote:
>> I just ordered an OpenPGP smartcard from Kernel Concepts as per
>> http://www.g10code.com/p-card.html Does anyone else have one of these?
>
> yes, I use these cards for several years now. This Email is signed by one.
>
>> At the moment, my secret key is stored on my hard drive and is encrypted by a
>> long passphrase. When I transfer my subkeys to the smartcard, will they
>> actually be encrypted whilst they're on there?
>
> The overall security of a crypto system often isn't defined by the strength of
> the crypto algo or the possibilities for a forensic analysis of the hardware.
> In that sense, it is less important how secure the card itself is (taken that,
> as Hubert already stated, the effort that needs to be taken to scratch info off
> the circuit is high compared to other attack vectors) but how it is used. So I
> focus on another security aspect here:
>
> One key advantage of a card is that the private key does not need to be
> accessible to the computer itself at any time if it is generated on-card. That
> way, you know for sure that *only* you hold the private key as long as you
> physically own the card. The knowledge that "no copy of it has been made"
> is important.
Yes, I agree that smartcards have several advantages. The major one is that if
your laptop is compromised by a trojan or something, even if it has a keylogger
installed, your keys can't be stolen.

However, it is important to note that if you have a rich/powerful adversary,
and the key isn't encrypted on the smart card, then they can just "read" it off
if they get hold of it. In that circumstance, you *might* actually be more
secure leaving the key on your laptop encrypted with a strong pass phrase. It's
a judgement call. When I say a rich/powerful adversary, this could include
industrial espionage as well as governments.

Ideally the key would be encrypted on the smartcard. I haven't found anything
specifying that this is the case, so I have to assume it's not.

-- 
Mike Cardwell    https://grepular.com/     https://twitter.com/mickeyc
Professional     http://cardwellit.com/    http://linkedin.com/in/mikecardwell
PGP.mit.edu      0018461F/35BC AF1D 3AA2 1F84 3DC3 B0CF 70A5 F512 0018 461F
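A check in the spirit of Olav's point about knowing that only the card holds the private key, added here as an example and not part of the thread: after subkeys have been moved to the card, confirm that what is left in the local keyring are card stubs rather than key material. It parses `gpg --with-colons --list-secret-keys` output, where field 15 of a sec/ssb record carries the card serial number when the key is on a token, "#" for a stub without card information, and is empty when the secret key is on disk (field semantics as documented in GnuPG's doc/DETAILS); the key IDs, serial number and listing below are constructed sample data.

```python
"""Classify secret keys in `gpg --with-colons --list-secret-keys` output.

Field 15 of a sec/ssb record carries the token serial number when the
secret key lives on an OpenPGP card, '#' when only a stub without card
information remains, and is empty when the key material is on disk.
The listing below is constructed sample output, not real key data.
"""

SAMPLE_LISTING = """\
sec:u:4096:1:0123456789ABCDEF:1311580800:::u:::cESC:::D2760001240102000005000012340000:::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:u::::1311580800::ABCDEF0123456789ABCDEF0123456789ABCDEF01::Example User <user@example.org>::::::::::0:
ssb:u:4096:1:FEDCBA9876543210:1311580800::::::e:::D2760001240102000005000012340000:::23:
ssb:u:4096:1:1122334455667788:1311580800::::::s::::::23:
ssb:u:4096:1:99AABBCCDDEEFF00:1311580800::::::a:::#:::23:
"""


def classify_secret_keys(listing):
    """Return a list of (record_type, keyid, location) for sec/ssb records.

    location is 'card:<serial>', 'stub' or 'disk'.
    """
    results = []
    for line in listing.splitlines():
        fields = line.split(":")
        if fields[0] not in ("sec", "ssb"):
            continue
        keyid = fields[4]
        token = fields[14] if len(fields) > 14 else ""  # field 15: S/N of token
        if token == "#":
            location = "stub"
        elif token:
            location = "card:" + token
        else:
            location = "disk"
        results.append((fields[0], keyid, location))
    return results


def keys_on_disk(listing):
    """Key IDs whose private material is still held by the host, not a card."""
    return [keyid for _, keyid, loc in classify_secret_keys(listing) if loc == "disk"]


if __name__ == "__main__":
    for rec, keyid, loc in classify_secret_keys(SAMPLE_LISTING):
        print(f"{rec} {keyid}: {loc}")
    print("secret material on disk:", keys_on_disk(SAMPLE_LISTING) or "none")
```

On a real system, feed the function the output of `gpg --with-colons --list-secret-keys`; any key reported as `disk` is one whose private half could still be copied off the host.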
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users