What's the state of the art on open source, auditable OpenPGP smart cards? @flamsmark @micahflee
-
-
Replying to @garrettr_
@garrettr_@flamsmark@micahflee How would you verify that the smart card is executing the audited code, and not some other code?2 replies 0 retweets 2 likes -
Replying to @BRIAN_____
@BRIAN_____@garrettr_@flamsmark@micahflee You compile and load it yourself. That's what we advocate at least: https://subgraph.com/cards2 replies 0 retweets 1 like -
Replying to @bleidl
@bleidl@BRIAN_____@garrettr_@flamsmark@micahflee Card OS backdoors?eg "if selected applet == OpenPGP AID, enable side-channel leaks"1 reply 0 retweets 0 likes -
Replying to @randomoracle
@randomoracle@BRIAN_____@garrettr_@micahflee Yes, as I admitted last time we had this argument, malicious OS (& ASIC) is possibility3 replies 0 retweets 1 like -
Replying to @bleidl
@bleidl@randomoracle@garrettr_@micahflee Could Snowden today order a smartcard online, follow your instructions, & be confidently secure?2 replies 0 retweets 1 like -
Replying to @BRIAN_____
@BRIAN_____@randomoracle@garrettr_@micahflee I can't say for sure, obviously. What attacks are you considering?1 reply 0 retweets 0 likes -
Replying to @bleidl
@BRIAN_____@randomoracle@garrettr_@micahflee I think one way to reason about this is to design hypothetical backdoors in RSA primitives3 replies 0 retweets 0 likes
@bleidl @randomoracle @garrettr_ @micahflee I would start with attacks on the smartcard's key gen.
-
-
Replying to @BRIAN_____
@BRIAN_____@randomoracle@garrettr_@micahflee Generating keys on the card itself seems high risk. Our instructions advise against it.0 replies 0 retweets 1 likeThanks. Twitter will use this to make your timeline better. UndoUndo
-
Loading seems to be taking a while.
Twitter may be over capacity or experiencing a momentary hiccup. Try again or visit Twitter Status for more information.