On 21/11/15 18:23, NdK wrote:
> I didn't look at the code (so this could be completely wrong and I'd be
> happy!), but if the OTP key is decrypted using a key in the chip after
> verifying that the card accepts the PIN, then it's even worse, since
> that master key is in cleartext somewhere outside the smartcard. So,
> with some efforts and a good lab the OTP keys can be extracted.

My guess is the OTP shared secret is stored in the non-volatile memory of the microcontroller (in plaintext). That memory is reasonably well protected against reading out (when properly configured). Sure, it's possible with a lab, but it's not cheap. If such adversaries are in your threat model, my guess (again) is that the OTP feature of this stick is not aimed at you.

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>
