Andreas Schuldei wrote:
> * Russell Coker ([EMAIL PROTECTED]) [031203 04:03]:
> > I have sent a message to Werner asking if the GPG smart-card device
> > could be re-implemented with a USB interface. I think that a USB
> > dongle with GPG technology would be a good option as most developers'
> > machines already have USB support.
>
> as discussed in depth in an earlier c't magazine (German) USB is
> not a safe bus to use for security relevant applications, since
> it allows for recording and backplaying of command sequences.

What article was that? Anyhow, a serial port or a PS/2 keyboard port is "unsafe" in the same way. A secure card reader solution would use a challenge/response procedure, so a simple replay attack could never be successful. Additionally, a secure card reader device would be sealed (and deactivate/destroy itself upon physical break-in) and require the user to enter a PIN/password to use the cryptographic key stored on the card. What would make such a card reader solution particularly unsafe when connected through USB?
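
The challenge/response argument in the reply above, as an added example that is not part of the original post: a recorded bus exchange is useless once every session gets a fresh challenge. The Card and Verifier classes, the shared HMAC key (a stand-in for the card's private-key operation) and run_demo are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


class Card:
    """Hypothetical token: the key never leaves this object."""

    def __init__(self, key: bytes):
        self._key = key

    def respond(self, challenge: bytes) -> bytes:
        # Assumption: HMAC-SHA256 stands in for the card's signing operation.
        return hmac.new(self._key, challenge, hashlib.sha256).digest()


class Verifier:
    """Hypothetical relying party that issues one-time challenges."""

    def __init__(self, key: bytes):
        self._key = key
        self._pending = None

    def new_challenge(self) -> bytes:
        self._pending = secrets.token_bytes(16)
        return self._pending

    def check(self, response: bytes) -> bool:
        if self._pending is None:
            return False  # no outstanding challenge: nothing to answer
        challenge, self._pending = self._pending, None  # single use
        expected = hmac.new(self._key, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def run_demo():
    key = secrets.token_bytes(32)  # constructed sample key
    card, verifier = Card(key), Verifier(key)
    # Honest session; assume a tap on the bus records both messages.
    recorded_response = card.respond(verifier.new_challenge())
    honest_ok = verifier.check(recorded_response)
    # Replay against a fresh challenge: the old response no longer matches.
    verifier.new_challenge()
    replay_ok = verifier.check(recorded_response)
    # Replay with no challenge outstanding: rejected outright.
    stale_ok = verifier.check(recorded_response)
    return honest_ok, replay_ok, stale_ok


if __name__ == "__main__":
    print(run_demo())
```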