On 25/08/18 21:25, Felix E. Klee wrote:
> When I decrypt a file using an OpenPGP card, is the communication
> between a USB card reader and the GnuPG daemon encrypted?
The OpenPGP smartcard and generic smartcard protocols do define "Secure
Messaging", but I don't think this is commonly used for cabled OpenPGP
smartcards. So: no, I think in most cases data is unencrypted in USB wires.
On 26/08/18 09:48, Felix E. Klee wrote:
> This thought coincided with me reading about [doctored USB
> cables]. I don’t want to be required to trust three devices:
> phone, reader, and now cable
I think you'll need to trust the cable anyway, since a malicious USB
device by someone with the means and motivation to attack your OpenPGP
smartcard will most likely be able to compromise your phone instead.
Securely using cryptography on a compromised operating system is simply
So in the end, it doesn't seem to make a difference: if the cable is
malicious, you're done anyway.
Even if it were encrypted, I think we still need to think about
man-in-the-middle resistance of Secure Messaging. I think there's a
distinct possibility it is only meant to thwart passive attacks, but I
haven't looked into it.
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter