Hello everybody,
thank you for the many answers. Actually this thread should have been called
"Save use of gnuPG for everybody". From what I've learned here so far I come
to the following conclusions:
1. It should be to hard for the average user to configure windows such that
it is a secure system. Hence a linux/unix distribution which is trustworthy,
easy to use and very secure is needed. To me debian seems like a good choice
because it seems to be watched by many people and runs on almost any PC.
2.1 Most people have only one PC and windows as operating system, so the
linux/unix distribution should be installed on an USB device. This device
must not be plugged into the PC if windows is running, in order to avoid a
manipulation. Further I would uninstall the network drivers on the USB
device, so it is almost an offline PC. If the user receives an encrypted
file via email, he saves it to hard disk. Then he turns off the PC, plugs in
the USB drive and boots off it. He copies the file from the hard disk to the
USB drive (this should cause no trouble). Only if the file is of a simple
file format (jpg, RTF, mp3, PDF(?), etc.(?)) he accepts it and opens it with
a secure minimalistic tool. He might even first run a program like an anti
virus software(?) in order to check whether the structure of the file agrees
with the official definition of the sated file format.
2.2 If the user has two PCs, he might install the linux/unix distribution on
his offline PC. Files would be transferred between the two PCs by means of
CD-RWs(?), not by means of insecure USB devices. Auto-Play for CDs would be
disabled.
Do you see any reasonable attack vectors? What do you think?
Kind regards,
Jan
----- Original Message -----
From: "NdK" <ndk.cla...@gmail.com>
To: <gnupg-users@gnupg.org>
Sent: Thursday, September 12, 2013 8:43 AM
Subject: Re: Why trust gpg4win?
Il 11/09/2013 11:48, Pete Stephenson ha scritto:
Actually, I was thinking of something that was the exact opposite:
some device (which I don't think exists) that would allow one to
connect a USB flash drive to the device, and have the device convert
that into RS232 serial data for the computer, thus avoiding any USB
interaction with the computer itself. The computer would then need to
process the serial data to read or write files on the drive. As far as
I know, nothing like that exists and I'm not sure if it'd be possible
to do. Even if it was possible, it'd be immensely slower than normal
USB connections.
Actually such a module exists, and is used to add flash disk access to
small microcontrollers: it's VDrive2 (VNC1L module) by Vinculum
http://www.ftdichip.com/Documents/DataSheets/Modules/DS_VDRIVE2.pdf
I don't think it adds anything to security, but at least it's doable :)
If you are *so* concerned about key security, it's better to use an HSM.
BYtE,
Diego.
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
