Philipp Gühring wrote:
Does anyone know of software available to make an old PC into something
like a hardware security module.
>>> Yes, I developed exactly such software.
>> Great. What is it called? Is it available?
>
> It´s called CommModule. It isn´t publically available yet, but it
On Mon, May 14, 2007 at 01:23:13PM -0500, Andrew Berg wrote:
> Sven Radde wrote:
> > unless you can calculate SHA-1 values in your head...
> I know it's off topic, but how hard would that be? I've never looked
> over the algorithm.
As someone who has just implemented a hardware SHA-1/256 engine, "
> Is it not legitimate then to discuss what level of trust it
> deserves and what level of trust is sufficient for what purpose?
'Legitimate' is a bad word to use. Is it legitimate? Sure, I guess,
as long as you live in a nation with strong freedom of speech laws.
If you live in Cuba, you
Robert J. Hansen wrote:
> I apologize if I sound terse here, but this conversation has (IMO)
> jumped the shark.
>
>> But how can we be confident?
>
> Cf. Thompson, K. _Reflections on trusting trust_. Comm. ACM 27, 8
> (Aug. 1984), 761-763.
>
> A digital version of it is currently available
> David Wheeler recently published a paper which explains how to
> overcome
> this problem:
Fascinating. I'm not sure that it overcomes the problem, but
detection is probably 90% of the fight anyway. Thanks for the link!
[goes off to read the paper again]
_
On Tue, 15 May 2007 08:58, [EMAIL PROTECTED] said:
> Cf. Thompson, K. _Reflections on trusting trust_. Comm. ACM 27, 8
> (Aug. 1984), 761-763.
David Wheeler recently published a paper which explains how to overcome
this problem:
Countering Trusting Trust through Diverse Double-Compiling
h
I apologize if I sound terse here, but this conversation has (IMO)
jumped the shark.
> But how can we be confident?
Cf. Thompson, K. _Reflections on trusting trust_. Comm. ACM 27, 8
(Aug. 1984), 761-763.
A digital version of it is currently available at http://www.acm.org/
classics/sep95/,
Werner Koch wrote:
> On Mon, 14 May 2007 16:15, [EMAIL PROTECTED] said:
>
>> Why doesn't it make sense? The chip's security features make it fairly
>> secure. But having the keys encrypted on the card would make it highly
>> secure. As long as the passphrase hadn't been captured, like after bein
Zeljko Vrba wrote:
> there's NO WAY to prevent this attack. Not even
> separate PIN entry device helps,
The attack that I'm referring to here which the PIN pad is meant to
prevent, is only the unlimited use of the smart card. An attacker can
still make a signature or decrypt something, but only
On Mon, 14 May 2007 16:15, [EMAIL PROTECTED] said:
> Why doesn't it make sense? The chip's security features make it fairly
> secure. But having the keys encrypted on the card would make it highly
> secure. As long as the passphrase hadn't been captured, like after being
No, you are required t
On Mon, 14 May 2007 16:21, [EMAIL PROTECTED] said:
> My personal opinion is that, at the current state of "security" in today's
> OS-es, smart cards give just a false sense of security in typical usage
> scenarios (= when used on a general-purpose, networked workstation).
Smart cards have one imp
-BEGIN PGP SIGNED MESSAGE-
Hash: RIPEMD160
Sven Radde wrote:
> unless you can calculate SHA-1 values in your head...
I know it's off topic, but how hard would that be? I've never looked
over the algorithm.
How hard would it be to calculate MD5?
MD4? CRC32?
- --
Windows NT 5.1.2600 | Thun
Robert J. Hansen schrieb:
>> How do they work?
>
> A (very) small display to show the hash that's being signed and an
> integrated PINpad.
Pointless given the attack scenario (PC subverted with a trojan to
specifically attack GnuPG and its smartcard), unless you can calculate
SHA-1 values in yo
"Robert J. Hansen" <[EMAIL PROTECTED]> writes:
>>
>> What prevents the keylogger in your first example to snarf the PIN
>> code
>> for the OpenPGP card and send decryption requests to the OpenPGP card,
>> using the PIN code, in the background, possibly remotely controlled
>> over
>> the networ
> How do they work?
A (very) small display to show the hash that's being signed and an
integrated PINpad. PC sends data to the smartcard unit for signing,
then signals the SC unit "okay, I'm done, sign now, please". SC
pauses to display to the user the hash and get the PIN directly on
it
-BEGIN PGP SIGNED MESSAGE-
Hash: RIPEMD160
Robert J. Hansen wrote:
>> I've been considering getting an OpenPGP Card, but there are
>> three reasons I'm reluctant to. The main one is that I want
>> something that will only do one signature or decryption at a
>> time. That way if my machine
Werner Koch wrote:
> On Mon, 14 May 2007 10:44, [EMAIL PROTECTED] said:
>> something's wrong. Can the OpenPGP Card be set to do one operation per
>> pin entry when used with a card reader that has a keypad? This seems
>
> Yes, use the command "forcesig" in the --card-edit menu to toggle this
> f
Sven Radde wrote:
> Casey Jones schrieb:
>> Does anyone know of software available to make an old PC into something
>> like a hardware security module.
>
> What about Knoppix?
> It supports GnuPG and you can easily have your keys on a (dedicated) USB
> drive while booting your (regular or dedicat
"Robert J. Hansen" <[EMAIL PROTECTED]> writes:
>> I've been considering getting an OpenPGP Card, but there are three
>> reasons I'm reluctant to. The main one is that I want something that
>> will only do one signature or decryption at a time. That way if my
>> machine is compromised, I'll only su
On Mon, 14 May 2007 10:44, [EMAIL PROTECTED] said:
> something's wrong. Can the OpenPGP Card be set to do one operation per
> pin entry when used with a card reader that has a keypad? This seems
Yes, use the command "forcesig" in the --card-edit menu to toggle this
feature. However it does not
"Robert J. Hansen" <[EMAIL PROTECTED]> writes:
>> What prevents the keylogger in your first example to snarf the PIN
>> code
>> for the OpenPGP card and send decryption requests to the OpenPGP card,
>> using the PIN code, in the background, possibly remotely controlled
>> over
>> the network?
Robert J. Hansen wrote:
>> Does anyone know of software available to make an old PC into something
>> like a hardware security module.
>
> What particular type of HSM do you mean?
Basically I'm looking for something that does what the OpenPGP Card
does, but with a button to limit signatures and
> What prevents the keylogger in your first example to snarf the PIN
> code
> for the OpenPGP card and send decryption requests to the OpenPGP card,
> using the PIN code, in the background, possibly remotely controlled
> over
> the network?
There exist cryptographic smart cards you can actuall
> Does anyone know of software available to make an old PC into
> something
> like a hardware security module.
What particular type of HSM do you mean?
> I can't stand the thought of storing my private key on my main
> computer.
> I use my main computer for things like web browsing and email,
Hi!
Casey Jones schrieb:
> Does anyone know of software available to make an old PC into something
> like a hardware security module.
What about Knoppix?
It supports GnuPG and you can easily have your keys on a (dedicated) USB
drive while booting your (regular or dedicated) PC with Knoppix to do
Does anyone know of software available to make an old PC into something
like a hardware security module. OpenHSM.org looks like what I want, but
the site says they're still in the design phase, and the last update was
in 2004.
I can't stand the thought of storing my private key on my main compu
26 matches
Mail list logo
