
Limit access to unlocked OpenPGP SmartCard?
After I unlock an OpenPGP SmartCard V2.1 in my SPR332 [mod][1], I can
use it to decrypt as many files as I want. While this is convenient, it
is not great if the system is compromised and I forget to unplug the
card reader.

Is there any way to limit how long the OpenPGP SmartCard remains
unlocked?

[1]: https://github.com/feklee/0.332


_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Limit access to unlocked OpenPGP SmartCard?
On Thu, 27 Jan 2022 at 14:54, Matthias Apitz <guru@unixarea.de> wrote:
> gpgconf --reload scdaemon

Gotta try that, maybe execute it with a timer, better than nothing.

Best would be if the card itself could be configured to only do a
certain number of operations after being unlocked. I think everything
else is pretty much unsafe as well.
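
The timer idea from this reply, as an added example that is not part of the original post or of GnuPG: a POSIX shell wrapper that runs one gpg operation, then issues the quoted `gpgconf --reload scdaemon`, with a watchdog that issues it after a deadline at the latest. The names `with_card` and `relock` and the `GPG`/`GPGCONF` overrides are hypothetical, and it assumes the reload makes the card ask for its PIN again; it only shortens the unlocked window and does not protect the card inside that window.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes (per the quoted suggestion) that
# `gpgconf --reload scdaemon` makes the card require its PIN again.
# Usage after sourcing this file:  with_card 120 --decrypt secret.gpg
GPG=${GPG:-gpg}             # overridable so the wrapper can be tested with stubs
GPGCONF=${GPGCONF:-gpgconf}

relock() { "$GPGCONF" --reload scdaemon; }

# with_card LIMIT_SECONDS GPG_ARGS...
# Runs one gpg operation, relocks when it finishes, and relocks after
# LIMIT_SECONDS at the latest if it is still running (e.g. stuck on a prompt).
with_card() {
    limit=$1; shift
    (
        # Watchdog: on TERM stop the sleep and exit without relocking.
        trap 'kill "$s" 2>/dev/null; exit 0' TERM
        sleep "$limit" >/dev/null 2>&1 &
        s=$!
        wait "$s"
        relock
    ) &
    watchdog=$!

    rc=0
    "$GPG" "$@" || rc=$?

    # Operation done: cancel the watchdog, then relock unconditionally.
    kill "$watchdog" 2>/dev/null || true
    wait "$watchdog" 2>/dev/null || true
    relock || { echo "with_card: relock failed, unplug the reader" >&2; return 1; }
    return "$rc"
}
```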

Re: Limit access to unlocked OpenPGP SmartCard?
Felix E. Klee wrote:
> After I unlock an OpenPGP SmartCard V2.1 in my SPR332 [mod][1], I can
> use it to decrypt as many files as I want. While this is convenient, it
> is not great if the system is compromised and I forget to unplug the
> card reader.
>
> Is there any way to limit how long the OpenPGP SmartCard remains
> unlocked?
>

Does your smartcard reader have its own keypad for entering the PIN? If
not and you are concerned about a possible system compromise, you have
bigger problems, like the possibility for your smartcard PIN to be
stolen as you enter it. If you then leave the card in the reader,
Mallory can abuse it at his leisure. Even if you only insert the card
when you intend its use, Mallory could plant malware that waits for the
card to be inserted, then abuses it.


-- Jacob

Re: Limit access to unlocked OpenPGP SmartCard?
Jacob Bachmeyer via Gnupg-users <gnupg-users@gnupg.org> writes:
>> After I unlock an OpenPGP SmartCard V2.1 in my SPR332 [mod][1], […]
>
> Does your smartcard reader have its own keypad for entering the PIN?

yes


Re: Limit access to unlocked OpenPGP SmartCard?
Well, I think I could extend my SPR332 [mod][1]:

* Add a push-button that one has to press to close the C7 circuit for
  I/O. Without that button pressed, the smart card cannot communicate
  with the reader. That means, for every operation, one would need to
  hold that button, kind of – but not as elegantly – as with a
  YubiKey.

* Using some electronics, detect when the green PIN pad ?-button is
  pressed to confirm PIN entry on the reader. Let it trigger a timer
  that cuts I/O for good after a few minutes.

Very likely there are some issues that I don’t see at the moment.

[1]: https://github.com/feklee/0.332

