Philipp Gühring wrote:
Does anyone know of software available to make an old PC into something
like a hardware security module.
Yes, I developed exactly such software.
Great. What is it called? Is it available?
It´s called CommModule. It isn´t publically available yet, but it could be
Werner Koch wrote:
On Mon, 14 May 2007 16:15, [EMAIL PROTECTED] said:
Why doesn't it make sense? The chip's security features make it fairly
secure. But having the keys encrypted on the card would make it highly
secure. As long as the passphrase hadn't been captured, like after being
I apologize if I sound terse here, but this conversation has (IMO)
jumped the shark.
But how can we be confident?
Cf. Thompson, K. _Reflections on trusting trust_. Comm. ACM 27, 8
(Aug. 1984), 761-763.
A digital version of it is currently available at http://www.acm.org/
classics/sep95/,
On Tue, 15 May 2007 08:58, [EMAIL PROTECTED] said:
Cf. Thompson, K. _Reflections on trusting trust_. Comm. ACM 27, 8
(Aug. 1984), 761-763.
David Wheeler recently published a paper which explains how to overcome
this problem:
Countering Trusting Trust through Diverse Double-Compiling
David Wheeler recently published a paper which explains how to
overcome
this problem:
Fascinating. I'm not sure that it overcomes the problem, but
detection is probably 90% of the fight anyway. Thanks for the link!
[goes off to read the paper again]
Robert J. Hansen wrote:
I apologize if I sound terse here, but this conversation has (IMO)
jumped the shark.
But how can we be confident?
Cf. Thompson, K. _Reflections on trusting trust_. Comm. ACM 27, 8
(Aug. 1984), 761-763.
A digital version of it is currently available at
Is it not legitimate then to discuss what level of trust it
deserves and what level of trust is sufficient for what purpose?
'Legitimate' is a bad word to use. Is it legitimate? Sure, I guess,
as long as you live in a nation with strong freedom of speech laws.
If you live in Cuba, you
On Mon, May 14, 2007 at 01:23:13PM -0500, Andrew Berg wrote:
Sven Radde wrote:
unless you can calculate SHA-1 values in your head...
I know it's off topic, but how hard would that be? I've never looked
over the algorithm.
As someone who has just implemented a hardware SHA-1/256 engine, hard
Does anyone know of software available to make an old PC into something
like a hardware security module. OpenHSM.org looks like what I want, but
the site says they're still in the design phase, and the last update was
in 2004.
I can't stand the thought of storing my private key on my main
Hi!
Casey Jones schrieb:
Does anyone know of software available to make an old PC into something
like a hardware security module.
What about Knoppix?
It supports GnuPG and you can easily have your keys on a (dedicated) USB
drive while booting your (regular or dedicated) PC with Knoppix to do
Does anyone know of software available to make an old PC into
something
like a hardware security module.
What particular type of HSM do you mean?
I can't stand the thought of storing my private key on my main
computer.
I use my main computer for things like web browsing and email,
What prevents the keylogger in your first example to snarf the PIN
code
for the OpenPGP card and send decryption requests to the OpenPGP card,
using the PIN code, in the background, possibly remotely controlled
over
the network?
There exist cryptographic smart cards you can actually be
Robert J. Hansen [EMAIL PROTECTED] writes:
What prevents the keylogger in your first example to snarf the PIN
code
for the OpenPGP card and send decryption requests to the OpenPGP card,
using the PIN code, in the background, possibly remotely controlled
over
the network?
There exist
On Mon, 14 May 2007 10:44, [EMAIL PROTECTED] said:
something's wrong. Can the OpenPGP Card be set to do one operation per
pin entry when used with a card reader that has a keypad? This seems
Yes, use the command forcesig in the --card-edit menu to toggle this
feature. However it does not
Robert J. Hansen [EMAIL PROTECTED] writes:
I've been considering getting an OpenPGP Card, but there are three
reasons I'm reluctant to. The main one is that I want something that
will only do one signature or decryption at a time. That way if my
machine is compromised, I'll only suffer one
Sven Radde wrote:
Casey Jones schrieb:
Does anyone know of software available to make an old PC into something
like a hardware security module.
What about Knoppix?
It supports GnuPG and you can easily have your keys on a (dedicated) USB
drive while booting your (regular or dedicated) PC
Werner Koch wrote:
On Mon, 14 May 2007 10:44, [EMAIL PROTECTED] said:
something's wrong. Can the OpenPGP Card be set to do one operation per
pin entry when used with a card reader that has a keypad? This seems
Yes, use the command forcesig in the --card-edit menu to toggle this
feature.
-BEGIN PGP SIGNED MESSAGE-
Hash: RIPEMD160
Robert J. Hansen wrote:
I've been considering getting an OpenPGP Card, but there are
three reasons I'm reluctant to. The main one is that I want
something that will only do one signature or decryption at a
time. That way if my machine is
How do they work?
A (very) small display to show the hash that's being signed and an
integrated PINpad. PC sends data to the smartcard unit for signing,
then signals the SC unit okay, I'm done, sign now, please. SC
pauses to display to the user the hash and get the PIN directly on
its
Robert J. Hansen [EMAIL PROTECTED] writes:
What prevents the keylogger in your first example to snarf the PIN
code
for the OpenPGP card and send decryption requests to the OpenPGP card,
using the PIN code, in the background, possibly remotely controlled
over
the network?
There exist
-BEGIN PGP SIGNED MESSAGE-
Hash: RIPEMD160
Sven Radde wrote:
unless you can calculate SHA-1 values in your head...
I know it's off topic, but how hard would that be? I've never looked
over the algorithm.
How hard would it be to calculate MD5?
MD4? CRC32?
- --
Windows NT 5.1.2600 |
On Mon, 14 May 2007 16:21, [EMAIL PROTECTED] said:
My personal opinion is that, at the current state of security in today's
OS-es, smart cards give just a false sense of security in typical usage
scenarios (= when used on a general-purpose, networked workstation).
Smart cards have one
On Mon, 14 May 2007 16:15, [EMAIL PROTECTED] said:
Why doesn't it make sense? The chip's security features make it fairly
secure. But having the keys encrypted on the card would make it highly
secure. As long as the passphrase hadn't been captured, like after being
No, you are required to
Zeljko Vrba wrote:
there's NO WAY to prevent this attack. Not even
separate PIN entry device helps,
The attack that I'm referring to here which the PIN pad is meant to
prevent, is only the unlimited use of the smart card. An attacker can
still make a signature or decrypt something, but only
24 matches
Mail list logo
