NIIBE Yutaka:
> Sorry, I didn't have time to reply your call the other day.
> I think that Gemalto Shelltoken Card Reader, which is available
> at http://shop.kernelconcepts.de/ is good one.
> Please note that OpenPGP card requires specific card readers.  Its
> users usually use RSA-2048, RSA-3072, or RSA-4096.  For those key
> sizes, the communication is somewhat difficult for old standard of ISO
> 7816.  (For RSA-1024, most smart card readers work well.)
> I recommend TPDU readers, because readers which support extended APDU
> level communication tend to have issues for larger size communication.
> On 10/18/2016 04:51 PM, Daniel Pocock wrote:
>> I was looking at this page:
>> https://wiki.gnupg.org/CardReader/PinpadInput
>> Are any of these more outstanding than the others, or it doesn't matter
>> which one somebody chooses?
>> Could anybody comment on which of those are easily available in small
>> quantities for developers, or suppliers who are cost effective for small
>> quantities?
> I implemented the pinpad input support in scdaemon.  While I know some
> claims that it is good feature, I, for myself, don't think it's worth
> to have.
> I don't think the attack to USB communication could be mitigated by
> pinpad card reader.  If such an attack is possible, a user already
> would be defeated.
> It is common for such card readers to have only numeric pads.  That
> limits the entropy of passphrase, considerably.  And, as far as I
> know, I don't know any implementation of card readers in the market,
> which firmware is Free Software.  With user interface like pinpad
> input, it is more difficult for me to trust an implementation of such
> a card reader.

Just one note for now:
For example, The Nitrokey Storage (1,2), a usb crypto stick with
integrated card reader) is 100% open source, free software, verifiable
firmware. On the other hand, it has no pinpad.
There may be others (with free software), but I don't know of them. I
just use the Nitrokey, without having any ties with its makers.
If lack of PIN-pad device is not a knock-out criteria, you might ask
them about quantities and conditions.

(1) https://www.nitrokey.com/ (comparison table at bottom of page)
(2) https://www.nitrokey.com/news/2016/nitrokey-storage-available
(3) https://www.nitrokey.com/introduction (quick overview)
(with links to the actual security audit pdf's)



Attachment: 0x4218732B.asc
Description: application/pgp-keys

Attachment: signature.asc
Description: OpenPGP digital signature

Gnupg-users mailing list

Reply via email to