Am 18.12.2016 um 10:49 schrieb Peter Lebbing:
> On 18/12/16 01:56, Robert J. Hansen wrote:
>> Nope. OpenPGP requires each RSA encryption add at least eight random
>> bytes to the data pre-encryption in order to make even identical
>> messages encrypt to different ciphertexts.
>
> However, this
On 18/12/16 01:56, Robert J. Hansen wrote:
> Nope. OpenPGP requires each RSA encryption add at least eight random
> bytes to the data pre-encryption in order to make even identical
> messages encrypt to different ciphertexts.
However, this randomness is added by the host, not by the smartcard.
Am 18.12.2016 um 01:30 schrieb Andrew Gallagher:
>
>> On 18 Dec 2016, at 00:17, sivmu wrote:
>>
>> ... that this means RSA encrzption is reproducable, meaning encrypted
>> files of the same plaintext result in the same ciphertext, as this woul
>> make the process reproduceable
>> The smartcard itself only RSA-decrypts the session key (or hash),
>> and this doesn't require an RNG.
>
> ... that this means RSA encrzption is reproducable, meaning
> encrypted files of the same plaintext result in the same ciphertext,
> as this woul make the process reproduceable and any
> On 18 Dec 2016, at 00:17, sivmu wrote:
>
> ... that this means RSA encrzption is reproducable, meaning encrypted
> files of the same plaintext result in the same ciphertext, as this woul
> make the process reproduceable and any malfunction can be easily noticed.
No, because the
Am 16.12.2016 um 13:36 schrieb Andrew Gallagher:
> On 16/12/16 02:30, sivmu wrote:
>> If the token does the encryption (and signing) operations,
>
> Smartcards perform signing and DEcryption (which in the case of RSA are
> mathematically identical).
>
>> it needs randomness.
>
> That's true
On 16/12/16 18:33, Lou Wynn wrote:
> A brute force attack doesn't need to read the card, and
> it simply enumerates keys in the key space used by the SmartCard.
Yes, but the key space of the smartcard is much larger than the key
space of a USB drive encrypted using a key derived from a
On 12/15/2016 04:18 PM, Andrew Gallagher wrote:
>> On 15 Dec 2016, at 19:24, Lou Wynn wrote:
>>
>> If the host machine is compromised, what's the purpose of doing encryption
>> on the SmartCard? Attackers don't need to know the key to get your plaint
>> ext, because it is on
On 16/12/16 02:30, sivmu wrote:
> If the token does the encryption (and signing) operations,
Smartcards perform signing and DEcryption (which in the case of RSA are
mathematically identical).
> it needs randomness.
That's true of DSA and ElGamal, but smartcards normally implement RSA.
Remember
On 15/12/16 22:17, Damien Goutte-Gattat wrote:
> I'll admit readily that I am not an expert on this, but I don't see how
> that could be feasible without the help of the host PC--meaning your
> opponent would have to both (1) compromise your PC and (2) send you a
> malicious token. But if he could
Am 15.12.2016 um 22:17 schrieb Damien Goutte-Gattat:
> On 12/15/2016 08:35 PM, sivmu wrote:
>> From what I understand, a malicious token can e.g. perform encryption
>> operations with weak randomness to create some kind of backdoor that is
>> hard to detect.
>
> The token is normally not used
sivmu writes:
> it seems using those specific devices actually decreases
> security, assuming it is easy to manipulate specialised vendors of
> security hardware compared to manipulating electronic hardware in general.
Exactly, that's my point. This is the reason why my approach
> On 15 Dec 2016, at 19:24, Lou Wynn wrote:
>
> If the host machine is compromised, what's the purpose of doing encryption on
> the SmartCard? Attackers don't need to know the key to get your plaint ext,
> because it is on the host machine.
The difference is that if you
On 12/15/2016 08:35 PM, sivmu wrote:
From what I understand, a malicious token can e.g. perform encryption
operations with weak randomness to create some kind of backdoor that is
hard to detect.
The token is normally not used to perform any *encryption*. You encrypt
with the public key of
Hi Martinho,
After I thought about it more, I have kind of drawn the conclusion that
even for signing, only using a SmartCard cannot achieve authenticity.
With a write-only SmartCard which computes signature on the card, it's
true that it can protect the signing key. However, if it's used in a
Am 15.12.2016 um 02:35 schrieb NIIBE Yutaka:
> sivmu wrote:
>> One question remaining is what is the difference between the openpgp
>> smartcard and the USB based tokens.
>
> I think that the OpenPGP card (the physical smartcard) is included in
> Nitrokey Pro USB Token. So, it's
If the host machine is compromised, what's the purpose of doing
encryption on the SmartCard? Attackers don't need to know the key to get
your plaint ext, because it is on the host machine.
I guess that what you meant was signing, using a SmartCard to sign has
the benefits you mentioned, but not
There's an important distinction to be made between using this approach
and using a SmartCard. The encrypted USB drive approach leaks the keys
into the machine you're using it from; they're accessible by simply
reading the filesystem (thus the claim that "When you unplug the USB,
your keys are
I've come cross a simple and secure approach at this post:
http://zacharyvoase.com/2009/08/20/openpgp/
In the MAKING BACKUPS section, this method simply places your gnupg
directory in an encrypted usb drive and make a symlink to it like this:
ln -s /Volumes/EncDrive/gnupg ~/.gnupg
That's all.
sivmu wrote:
> One question remaining is what is the difference between the openpgp
> smartcard and the USB based tokens.
I think that the OpenPGP card (the physical smartcard) is included in
Nitrokey Pro USB Token. So, it's exactly same from the view point of
smartcard.
When you
Hi,
recently I came across the toptic of hardware tokens for pgp keys and I
am thinking about getting one myself.
From what I have found so far there are several candidates such as the
Openpgp smartcard, Yubikey and Nitrokey USB tokens.
One question remaining is what is the difference between
21 matches
Mail list logo