On 2015-02-05 10:38, Peter Lebbing wrote: > On 04/02/15 23:12, Matthias-Christian Ott wrote: >> You could protect against this scenario by signing the firmware. > > Yes, you /could/. However, we were talking about Rainer smartcard readers, > which > /don't/.
Do you have evidence for this? If they provably don't sign their firmware or incorrectly check the signature and are not responsive, perhaps it would be helpful to talk to them through third parties like BSI or S-CERT (Deutscher Sparkassen Verlag exclusively sells Reiner SCT readers for HBCI and I'm sure that it would be in their interest to only allow firmware updates that are signed) with Reiner SCT instead of speculating about backdoors. Moreover, why should the readers accept unsigned firmware if "the government" requested the ability to install "modified" firmware? The manufacturer could simply handover the keys. At least the cyberJack RFID komfort conforms to BSI-TR 03119 [1,2] and is in the reader category that requires signed firmware updates (see sections 3.1 and A.8) and the certification report also mentions this. You can of course speculate what "authorised persons or systems" means. However, I think it is safe to assume that the German government is not outright crazy and does not try to undermine the security of their eID cards because fake eID cards are not in their interest and they can issue themselves fake eID cards without the need to compromise a smartcard reader. So at least for this particular model your statement seems wrong and the fact that Werner Koch claimed this doesn't make it right. Of course without the source code it requires a major reverse engineering effort to verify that the statements of the certification companies are correct or that the code is bug-free. Moreover, the certification report does not mention that the certification companies verified the source code or even looked at it. > I think I see some source of confusion. You wrote: > >> You speculated that Rainer SCT might cooperate with the German intelligence >> agency BND. You gave the following reason for your suspicion: >> "microcontrollers are smaller and writing malware for them is harder". > > I never read it that way. To me, it were two spearate arguments, one on how > trustworthy Rainer appears in its dealings, and the other on the hackability > of > their hardware. So I might have misinterpreted what you wrote following that. Only Werner Koch knows how this statement was meant. I read it the way I described it and think that there is no contradiction between both aspects. > Oh, by the way: > >> But will a smartcard solve the problem that the host computer might be >> infected with malware? > > I'm absolutely sure nobody made that claim. More miscommunication galore? ;) Werner Koch suggested it (<87y4oen5lx....@vigenere.g10code.de>). If I'm not mistaken the OpenPGP card is proprietary software and runs on a proprietary operating system (BasicCard). If this is true, why should you trust it and why does the FSFE distribute these cards even though they conflict with their core values? What is the threat model in which a smartcard is an effective defense and what are attacks that smartcards protect against? How are smartcards supposed to protect against malware on the host computer? If somebody wants to discuss or answer these questions that I'm asking myself for years, I will be happy to continue the discussion otherwise I'm out of it. Regards, Matthias-Christian [1] https://www.bsi.bund.de/DE/Publikationen/TechnischeRichtlinien/tr03119/index_htm.html [2] https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Zertifizierung/Konformitaetsreporte/BSI-K-TR-0068-2011.pdf?__blob=publicationFile _______________________________________________ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
