Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Re: Re: pgp passphrase
From: Cedric Blancher <blancher () cartel-securite fr>
Date: Wed, 24 Mar 2004 00:12:04 +0100

Le mar 23/03/2004 à 23:15, Sam Sharpe a écrit :
I figured I needed a new watch, so i might as well get one that was
useful. I realise that this doesn't provide the security of a
smartcard, however a USB flash key is a damn sight cheaper. (except
when it's built into a watch)

Just to justify smart cards prices...

Problem with external storage is that stored credentials remain
accessible just as they were on local HDD the time they're connected to
the system. This means someone/a worm can steal both passphrase and
private key when the time you use them.

A smart card (a real one) stores your key _and_ provides crypto
operations that need it once it's unlocked using passphrase/PIN. And
there's no way for the system to extract keys[1].

BTW, having its keys on a removable medium is a good idea anyway, for it
limits the time they're accessible from the system.

[1] unless keys are flaged extractible (bad idea)

PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
Hi! I'm your friendly neighbourhood signature virus.
Copy me to your signature file and help me spread!

Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]