[Gnuk-users] gnuk-users Digest, Vol 107, Issue 3

Peter Lebbing peter at digitalbrains.com
Thu Jan 11 09:04:35 UTC 2018


On 11/01/18 07:48, Mike Tsao wrote:
> If I'm understanding the current gnuk code, the key-before-PIN policy is also
> the mechanism of the implementation ("Gnuk 1.2 does validation of user PIN by
> successful decryption of private key"), so it doesn't appear that someone with a
> perspective like mine can easily or elegantly reconfigure gnuk accordingly.

Well, this could be solved by representing the "no key" state with dummy data
that is encrypted to the PIN.

When there is a key, the PIN encrypts the key, and successful decryption
indicates success.

When there is no key, the PIN encrypts the literal string "Nothing to see here,
move along"[1] and successful decryption indicates success. The PIN that was then
verified in this way can be kept in RAM and used to subsequently encrypt the
uploaded key. I suppose this is roughly what happens when keys are uploaded to a
GnuK that already has some keys?

HTH,

Peter.

[1] Well, that would give me a chuckle if I were reading the code. A string of
zeroes would work just as well and occupy no flash memory in the controller, but
it wouldn't be funny, damn it!

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>
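The scheme sketched in the message above, as an added model that is not Gnuk's own code: the token stores one blob encrypted under a PIN-derived key; with no key loaded the blob is the dummy string, after an upload it is the private key, and in both states "successful decryption" (an authentication tag check, plus a plaintext compare in the dummy case) is what proves the PIN. The verified PIN-derived keys are then held in RAM and used to seal the uploaded key. All names (`Token`, `seal`, `unseal`, the PBKDF2 and HMAC-based construction) are assumptions made for this example, not Gnuk's internals.

```python
"""Model of PIN verification by decrypting a PIN-bound blob (example code,
not Gnuk's). Flash holds a salt and one sealed blob; RAM holds the PIN-derived
keys only after a successful verification."""
import hashlib
import hmac
import os

DUMMY = b"Nothing to see here, move along"  # "no key" placeholder from the mail
KDF_ITERS = 100_000  # constructed value; a real token would tune this to its MCU


def kdf(pin: bytes, salt: bytes) -> bytes:
    """Derive 64 bytes from the PIN: 32 for the keystream, 32 for the MAC."""
    return hashlib.pbkdf2_hmac("sha256", pin, salt, KDF_ITERS, dklen=64)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream built from HMAC-SHA256 (stdlib only, for the model)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), "sha256").digest()
        counter += 1
    return out[:length]


def seal(keys: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC under the PIN-derived keys: nonce || ciphertext || tag."""
    enc_key, mac_key = keys[:32], keys[32:]
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, "sha256").digest()
    return nonce + ct + tag


def unseal(keys: bytes, blob: bytes) -> bytes:
    """Return the plaintext, or raise ValueError when the tag (hence the PIN) is wrong."""
    enc_key, mac_key = keys[:32], keys[32:]
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, "sha256").digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("bad PIN")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


class Token:
    """Hypothetical token: same PIN check whether or not a key is present."""

    def __init__(self, pin: bytes):
        self.salt = os.urandom(16)
        self.has_key = False
        # "No key" state: the dummy string is sealed under the PIN, so the PIN
        # can still be verified by decryption before any key is uploaded.
        self.blob = seal(kdf(pin, self.salt), DUMMY)
        self.session_keys = None  # RAM only; gone on reset or power-off

    def verify_pin(self, pin: bytes) -> bool:
        keys = kdf(pin, self.salt)
        try:
            pt = unseal(keys, self.blob)
        except ValueError:
            return False
        if not self.has_key and pt != DUMMY:
            return False
        self.session_keys = keys  # kept in RAM for a subsequent key upload
        return True

    def import_key(self, private_key: bytes) -> None:
        """Replace the dummy blob with the real key, sealed under the verified PIN."""
        if self.session_keys is None:
            raise PermissionError("PIN not verified")
        self.blob = seal(self.session_keys, private_key)
        self.has_key = True

    def use_key(self) -> bytes:
        """Decrypt the stored key for a crypto operation (needs a verified PIN)."""
        if self.session_keys is None or not self.has_key:
            raise PermissionError("PIN not verified or no key loaded")
        return unseal(self.session_keys, self.blob)


if __name__ == "__main__":
    t = Token(b"123456")
    assert not t.verify_pin(b"000000") and t.verify_pin(b"123456")
    t.import_key(b"constructed private key bytes")
    t.session_keys = None  # simulate a power cycle
    assert not t.verify_pin(b"000000") and t.verify_pin(b"123456")
    print(t.use_key())
```

The point the model makes explicit is that the key-upload path never needs a separate PIN store: the same `verify_pin` runs before and after `import_key`, because the dummy blob and the key blob are bound to the PIN in the same way. A real token would additionally decrement a retry counter before each decryption attempt so that the blob cannot be brute-forced offline or by repeated APDUs; that counter is outside the scope of the mail and of this model.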


