| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
From: blancher at cartel-securite.fr (Cedric Blancher) Subject: Re: pgp passphrase Le mar 23/03/2004 ? 23:15, Sam Sharpe a ?crit : > I figured I needed a new watch, so i might as well get one that was > useful. I realise that this doesn't provide the security of a > smartcard, however a USB flash key is a damn sight cheaper. (except > when it's built into a watch) Just to justify smart cards prices... Problem with external storage is that stored credentials remain accessible just as they were on local HDD the time they're connected to the system. This means someone/a worm can steal both passphrase and private key when the time you use them. A smart card (a real one) stores your key _and_ provides crypto operations that need it once it's unlocked using passphrase/PIN. And there's no way for the system to extract keys[1]. BTW, having its keys on a removable medium is a good idea anyway, for it limits the time they're accessible from the system. [1] unless keys are flaged extractible (bad idea) -- http://www.netexit.com/~sid/ PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE >> Hi! I'm your friendly neighbourhood signature virus. >> Copy me to your signature file and help me spread!
Powered by blists - more mailing lists