On 18/10/16 10:58, NIIBE Yutaka wrote:
> I don't think the attack to USB communication could be mitigated by
> pinpad card reader. If such an attack is possible, a user already
> would be defeated.

It would IMO not prevent key usage, so in that sense the user is
defeated. It would still limit the time of exposure, since key
extraction should still be prohibitively difficult.

This is a contentious topic I think :-). People put different amounts of
stock in the protection afforded by smartcards, and the likelihood of
attack scenarios.

> It is common for such card readers to have only numeric pads. That
> limits the entropy of passphrase, considerably.

But luckily, entropy demands on a smartcard PIN are really low. The card
locks after three tries. Conversely, if you protect your on-disk key
with a 10-digit decimal number, an attacker having the encrypted file
could do the required average of 500 million tries in less time than it
takes you to make a cup of coffee.

A PIN just needs to be unguessable, i.e., properly random. It doesn't
have to withstand keyspace enumeration.

My 2 cents,

Peter.

Note to self: make cup of coffee.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>
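
The contrast drawn in the message above, between a PIN guarded by a retry counter and a secret guarding an on-disk key, as an added example that is not part of the original post and not GnuPG or smartcard code. `ToyCard`, `protect`, the 4-digit PIN space and the PBKDF2 round count are hypothetical stand-ins chosen so the script runs in a second or two.

```python
import hashlib, hmac, secrets

PIN_DIGITS = 4        # constructed: small space so the offline loop finishes fast
SPACE = 10 ** PIN_DIGITS
KDF_ROUNDS = 200      # constructed: deliberately low, for demonstration only

class ToyCard:
    """Hypothetical model of a card that blocks after max_tries wrong PINs."""
    def __init__(self, pin, max_tries=3):
        self._pin, self.max_tries, self.tries_left = pin, max_tries, max_tries

    def verify(self, guess):
        if self.tries_left == 0:
            raise PermissionError("PIN blocked")
        if hmac.compare_digest(guess, self._pin):
            self.tries_left = self.max_tries   # success resets the counter
            return True
        self.tries_left -= 1
        return False

def online_guess(card):
    """Enumerate PINs against the card; returns (found, attempts made)."""
    attempts = 0
    for n in range(SPACE):
        try:
            found = card.verify(f"{n:0{PIN_DIGITS}d}")
        except PermissionError:
            return False, attempts             # card blocked, enumeration stops
        attempts += 1
        if found:
            return True, attempts
    return False, attempts

def protect(secret, salt):
    """Stand-in for an on-disk key: all that is stored is a KDF output."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, KDF_ROUNDS)

def offline_enumerate(stored, salt):
    """With the file in hand nothing counts attempts; returns (secret, tries)."""
    for n in range(SPACE):
        guess = f"{n:0{PIN_DIGITS}d}"
        if hmac.compare_digest(protect(guess, salt), stored):
            return guess, n + 1
    return None, SPACE

if __name__ == "__main__":
    pin = f"{secrets.randbelow(SPACE):0{PIN_DIGITS}d}"   # properly random PIN
    salt = secrets.token_bytes(16)
    print("card:", online_guess(ToyCard(pin)))   # blocked after 3 unless pin < 3
    print("file:", offline_enumerate(protect(pin, salt), salt))
```

The same secret survives on the card because the counter caps the attempts at three, while the file copy falls to plain enumeration; a slower KDF only scales the offline cost, it does not bound the number of tries.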