On 25/08/18 21:25, Felix E. Klee wrote:
> When I decrypt a file using an OpenPGP card, is the communication
> between a USB card reader and the GnuPG daemon encrypted?

The OpenPGP smartcard and generic smartcard protocols do define "Secure Messaging", but I don't think this is commonly used for cabled OpenPGP smartcards. So: no, I think in most cases data is unencrypted in USB wires.

On 26/08/18 09:48, Felix E. Klee wrote:
> This thought coincided with me reading about [doctored USB
> cables][3]. I don’t want to be required to trust three devices:
> phone, reader, and now cable

I think you'll need to trust the cable anyway, since a malicious USB device by someone with the means and motivation to attack your OpenPGP smartcard will most likely be able to compromise your phone instead. Securely using cryptography on a compromised operating system is simply impossible. So in the end, it doesn't seem to make a difference: if the cable is malicious, you're done anyway.

Even if it were encrypted, I think we still need to think about man-in-the-middle resistance of Secure Messaging. I think there's a distinct possibility it is only meant to thwart passive attacks, but I haven't looked into it.

HTH,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>