Bitcoin Forum
Topic: OpenPGP Smartcard + SCR3110 Reader combo - 4.5 BTC
kgo (OP)
July 07, 2011, 11:58:55 PM
Last edit: August 05, 2011, 07:38:46 PM by kgo
 #1

Between trojans, hackers, and sites getting hacked, recent incidents have shown that you can never be too secure.  Why leave your critical gpg keys sitting on your disk when you can secure them on a smartcard?

A smart card provides several advantages over a traditional file-based secret key:

  • Once your key is loaded to a card, it cannot be extracted.  Even if you're on a compromised machine, an attacker can't get your key.
  • Crypto operations occur on the card itself.  Even if you're on a compromised machine, an attacker can't install trojan software on the smart card.  The integrity of the operations is protected.
  • The card's contents cannot be duplicated, providing true two-factor authentication.  Compare that to storing your keys on a USB drive that can easily be duplicated.
  • The card features a self-destruct option that makes brute-forcing impossible.  If you enter an incorrect pin 3 times, the card locks.  If you enter the incorrect password three times, the card self-destructs.  This means you no longer need a 40 character password to be secure.  (Note, the 'self-destruct' simply wipes the card's memory.  It can be reset to factory defaults and re-used.  You just need to re-load or re-create a key)
  • The card can be used for ssh authentication, giving you two factor authentication to any sensitive servers you may ssh into.

This package consists of:


I've personally used this combo on Linux, Windows, and OSX without any issues.

Price also includes priority mail shipping anywhere in the US, and technical support if needed.

[Note: These cards only support 2048-3072 bit RSA keys.  If your existing keys are DSA and ElGamal, or RSA-4096, you won't be able to transfer them to the card.]
haydent
July 08, 2011, 01:26:23 AM
 #2

+1 looks good :D I'm a bit poor to buy this at the moment + I'm in AU

2x Gigabyte 6950 OC @ 920/450 w/ ati tray tools (1 shader modded) - 760Mhs on ozco.in 0% fee aus pool
btc: 1HS5Brzcsh7XkJn566XYbvfpa2JuBRBdss
kgo (OP)
July 08, 2011, 05:32:49 PM
 #3

I'm willing to ship internationally, but would need to get a price quote on shipping first.

kgo (OP)
July 10, 2011, 09:23:56 PM
 #4

Only 8 more left!
netrin
July 10, 2011, 10:55:51 PM
 #5

kgo, pretty cool. What's your connection to this? Or you just happen to have a short dozen you want to sell?

How does this relate to bitcoin? Do you encrypt your wallet to yourself? I conventionally/symmetrically encrypt the wallet, so I'm vulnerable to key loggers and of course during the few minutes while the wallet remains in use on my disk.

Greenlandic tupilak. Hand carved, traditional cursed bone figures. Sorry, polar bear, walrus and human remains not available for export.
kgo (OP)
July 10, 2011, 11:17:18 PM
 #6

> kgo, pretty cool. What's your connection to this? Or you just happen to have a short dozen you want to sell?
>
> How does this relate to bitcoin? Do you encrypt your wallet to yourself? I conventionally/symmetrically encrypt the wallet, so I'm vulnerable to key loggers and of course during the few minutes while the wallet remains in use on my disk.

I had two or three spare cards around.  They were the only thing I was able to reliably sell on #bitcoin-otc.  Since the cards come from Germany, shipping can get expensive.  I decided to order a ten pack along with some readers and see if I could sell them all for bitcoins.

You can use gpg to encrypt wallet backups.  I do.  But there are other methods that are just fine.  But there's no direct integration with gpg.

gpg is used more extensively on the #bitcoin-otc web of trust.  If you're unfamiliar, it's a feedback system like eBay, but based around gpg.  It also lets you ensure that the person you're talking to is indeed the person with the good rating, since someone could log onto the channel with your name.

It's also used some to digitally sign contracts.  You can write out a statement like:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I will deliver one OpenPGP + SmartCard combo to you via priority mail for 3 BTC.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (MingW32)

iQEcBAEBAgAGBQJOGjILAAoJEP5F5V2hilTWxl0H/ip6+3WrXoK8rI+YghnIOJle
gNoW6+xygv8pP4oBR77pYqOtOzQP0LF1GCLX30sPi4tZoAHAAPnpsCdNGCYMKYN/
Sb3fVgH0KEN+4uo+pPm5PmGAdLp9K5kr3U2m+5yUb/ygWjJbTB4nCl4vbxkdhDnN
f0jZIywnbl/mzyWJ664ZAn8Zn2ITX08pUK9VAGsxkuHmoKKfJKMkdkqf+ky09IKc
VVz+LuHolsjkh1+Qi3k4y0ic1+9XbHsreF+wUIP3e11Ao6X+aEEPxZG/dDY2xdIA
jLCYs4ulb5m2r1uDS+1/Eph1iZOsDjfH2KueDt+NBPAkpsX1zYR4mt4AqH9leAI=
=6yS6
-----END PGP SIGNATURE-----

A user can use gpg to verify that you wrote this.  And if you try to deny it down the road they can prove you signed it.  A concept called non-repudiation.

If someone tries to forge the content:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I will deliver a one ounce gold nugget to you via priority mail for 0.3 BTC.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (MingW32)

iQEcBAEBAgAGBQJOGjILAAoJEP5F5V2hilTWxl0H/ip6+3WrXoK8rI+YghnIOJle
gNoW6+xygv8pP4oBR77pYqOtOzQP0LF1GCLX30sPi4tZoAHAAPnpsCdNGCYMKYN/
Sb3fVgH0KEN+4uo+pPm5PmGAdLp9K5kr3U2m+5yUb/ygWjJbTB4nCl4vbxkdhDnN
f0jZIywnbl/mzyWJ664ZAn8Zn2ITX08pUK9VAGsxkuHmoKKfJKMkdkqf+ky09IKc
VVz+LuHolsjkh1+Qi3k4y0ic1+9XbHsreF+wUIP3e11Ao6X+aEEPxZG/dDY2xdIA
jLCYs4ulb5m2r1uDS+1/Eph1iZOsDjfH2KueDt+NBPAkpsX1zYR4mt4AqH9leAI=
=6yS6
-----END PGP SIGNATURE-----

Then it can be proven that the document has been tampered with.

These cards just provide a more secure way to store your gpg keys.
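
What a verifier reads out of the signature block in the post above, as an added example that is not part of the original thread: it decodes the packet (signature type, algorithms, creation time, signer key ID) and recomputes the SHA-1 digest that the RSA value has to match, which changes as soon as the text does. The signature bytes and both message texts are copied from the post; the signer's public key is not on the page, so the RSA check itself is not performed, and the exact whitespace that was signed is an assumption.

```python
import base64, hashlib, struct
# Signature block from the post (identical under both messages; CRC line omitted).
ARMORED_SIG = """
iQEcBAEBAgAGBQJOGjILAAoJEP5F5V2hilTWxl0H/ip6+3WrXoK8rI+YghnIOJle
gNoW6+xygv8pP4oBR77pYqOtOzQP0LF1GCLX30sPi4tZoAHAAPnpsCdNGCYMKYN/
Sb3fVgH0KEN+4uo+pPm5PmGAdLp9K5kr3U2m+5yUb/ygWjJbTB4nCl4vbxkdhDnN
f0jZIywnbl/mzyWJ664ZAn8Zn2ITX08pUK9VAGsxkuHmoKKfJKMkdkqf+ky09IKc
VVz+LuHolsjkh1+Qi3k4y0ic1+9XbHsreF+wUIP3e11Ao6X+aEEPxZG/dDY2xdIA
jLCYs4ulb5m2r1uDS+1/Eph1iZOsDjfH2KueDt+NBPAkpsX1zYR4mt4AqH9leAI=
"""
ORIGINAL = "I will deliver one OpenPGP + SmartCard combo to you via priority mail for 3 BTC."
FORGED = "I will deliver a one ounce gold nugget to you via priority mail for 0.3 BTC."

def parse_signature(armored):
    """Decode one old-format v4 OpenPGP signature packet (RFC 4880, 5.2.3)."""
    pkt = base64.b64decode("".join(armored.split()))
    # 0x89 = signature packet (tag 2) with a two-byte length; byte 3 = version.
    if pkt[0] != 0x89 or pkt[3] != 4 or int.from_bytes(pkt[1:3], "big") != len(pkt) - 3:
        raise ValueError("expected one old-format v4 signature packet")
    _, sig_type, pk_alg, hash_alg, hashed_len = struct.unpack(">BBBBH", pkt[3:9])
    end_hashed = 9 + hashed_len
    unhashed_len = int.from_bytes(pkt[end_hashed:end_hashed + 2], "big")
    end_unhashed = end_hashed + 2 + unhashed_len
    sig = {"sig_type": sig_type, "pk_alg": pk_alg, "hash_alg": hash_alg,
           "hashed_part": pkt[3:end_hashed],      # header bytes the signature covers
           "left16": pkt[end_unhashed:end_unhashed + 2].hex()}  # signer's digest prefix
    for area in (pkt[9:end_hashed], pkt[end_hashed + 2:end_unhashed]):
        i = 0
        while i < len(area):                 # subpacket = length, type, body
            n, kind = area[i], area[i + 1]   # one-byte lengths (< 192) only
            body = area[i + 2:i + 1 + n]
            if kind == 2:
                sig["created"] = int.from_bytes(body, "big")   # Unix time
            elif kind == 16:
                sig["issuer"] = body.hex()                     # signer's key ID
            i += 1 + n
    return sig

def signed_digest(text, sig):
    """Digest a verifier recomputes for a text signature (RFC 4880, 5.2.4 and 7.1)."""
    if sig["sig_type"] != 1 or sig["hash_alg"] != 2:
        raise ValueError("expected a SHA-1 signature over canonical text")
    # Canonical text: trailing blanks stripped per line, lines joined with CRLF.
    canon = "\r\n".join(line.rstrip(" \t") for line in text.split("\n")).encode()
    part = sig["hashed_part"]
    trailer = b"\x04\xff" + len(part).to_bytes(4, "big")
    return hashlib.sha1(canon + part + trailer).hexdigest()

if __name__ == "__main__":
    s = parse_signature(ARMORED_SIG)
    print(s["issuer"], s["created"], signed_digest(ORIGINAL, s) != signed_digest(FORGED, s))
```

With the signer's public key imported, `gpg --verify` on the saved message performs these steps plus the RSA check.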
netrin
July 11, 2011, 05:35:44 AM
 #7

>> kgo, pretty cool. What's your connection to this? Or you just happen to have a short dozen you want to sell?
>>
>> How does this relate to bitcoin? Do you encrypt your wallet to yourself? I conventionally/symmetrically encrypt the wallet, so I'm vulnerable to key loggers and of course during the few minutes while the wallet remains in use on my disk.
>
> I had two or three spare cards around.  They were the only thing I was able to reliably sell on #bitcoin-otc.  Since the cards come from Germany, shipping can get expensive.  I decided to order a ten pack along with some readers and see if I could sell them all for bitcoins.
>
> You can use gpg to encrypt wallet backups.  I do.  But there are other methods that are just fine.  But there's no direct integration with gpg.
>
> gpg is used more extensively on the #bitcoin-otc web of trust.  If you're unfamiliar, it's a feedback system like eBay, but based around gpg.  It also lets you ensure that the person you're talking to is indeed the person with the good rating, since someone could log onto the channel with your name.

I'm intimately familiar with PGP and OTC. Don't get me wrong, this sounds cool (though without integration now I wonder about the work flow/use case). My question is this:

Currently I use GPG to symmetrically encrypt my wallet (gpg -ca wallet.dat). This requires me to create a passphrase as it is not encrypted with my public key. I delete the plaintext wallet.dat. When I want to use the wallet, I (gpg wallet.dat.asc). Then I can use the bitcoin client and when I'm done, I delete the wallet.dat file (perhaps I re-encrypt for backup). This work flow makes me vulnerable to (1) key logging attack and (2) malicious copy while the wallet.dat is on the disk in plaintext.

Now, suppose instead, I use the smart card. Somehow I manage to securely place a copy of my private key on the smart card. Now, when I want to decrypt a wallet (encrypted to me as recipient using public key cryptography) I send the passphrase from my computer to the smart card. The smart card decrypts my wallet.dat and drops it in plain text on my disk.

In both cases, I have exposed myself to the exact same two attack vectors. No?

kgo (OP)
July 12, 2011, 12:19:38 AM
 #8


> Now, suppose instead, I use the smart card. Somehow I manage to securely place a copy of my private key on the smart card. Now, when I want to decrypt a wallet (encrypted to me as recipient using public key cryptography) I send the passphrase from my computer to the smart card. The smart card decrypts my wallet.dat and drops it in plain text on my disk.
>
> In both cases, I have exposed myself to the exact same two attack vectors. No?


Sorry for explaining everything, didn't realize what you were asking.

Yes, you'd still be exposed.  This would only protect you from someone who got your encrypted wallet.dat, and your .gnupg directory.  In this case the key wouldn't be in your .gnupg directory anymore.  But it wouldn't protect you while wallet.dat is unencrypted.
netrin
July 12, 2011, 11:43:35 AM
 #9

> the key wouldn't be in your .gnupg directory anymore

Ah yeah I guess gpg itself would be much more secure. Cool.

kgo (OP)
July 12, 2011, 08:38:44 PM
 #10

For this week only, I'll knock 10% off the price if you use my new escrow site to pay.  Offer ends Friday.

(Yes, I know that using my escrow site to send me money doesn't provide additional security.  I just want people to test drive the site.)
netrin
July 13, 2011, 01:58:46 PM
 #11

kgo, thanks for the chat on OTC.

As a side note, are you familiar with the technical details of the proposed 'encrypted keys' in bitcoin client 0.3.25||0.4 ? I would posit that the private bitcoin elliptic keys on a smart card would be the most secure form of currency/transaction in existence today. Perhaps you could discuss this with the core developers. Why should they invent their own implementations when we already have decade+ proven technologies?

kgo (OP)
July 15, 2011, 10:31:22 PM
 #12

Repriced at 3.25 now that bitcoins are below 14.  I'll continue to offer a 10% discount if you test drive my new escrow service when paying.  See my sig for details.
netrin
July 16, 2011, 10:59:11 PM
 #13

> Repriced at 3.25 now that bitcoins are below 14.  I'll continue to offer a 10% discount if you test drive my new escrow service when paying.  See my sig for details.

I think I'll take one off of you when the price of bitcoins is back up to $15. :)

sal002
July 17, 2011, 12:20:30 AM
 #14

I don't need the reader - do you only have the card for sale?
kgo (OP)
July 17, 2011, 07:13:44 PM
 #15

> I don't need the reader - do you only have the card for sale?

I'll sell the card only for 1.75.  Shoot me a pm if you're interested.
netrin
July 18, 2011, 10:57:40 AM
 #16

> Repriced at 3.25 now that bitcoins are below 14.  I'll continue to offer a 10% discount if you test drive my new escrow service when paying.  See my sig for details.

Hi kgo, I'd like to take a combo OpenPGP card and reader off your hands, and I'm willing to use an escrow service with the owner. :)

kgo (OP)
July 18, 2011, 05:47:22 PM
 #17

>> Repriced at 3.25 now that bitcoins are below 14.  I'll continue to offer a 10% discount if you test drive my new escrow service when paying.  See my sig for details.
>
> Hi kgo, I'd like to take a combo OpenPGP card and reader off your hands, and I'm willing to use an escrow service with the owner. :)

Couldn't hold out for the price to go to 15?  I'll pm you.
kgo (OP)
July 21, 2011, 12:09:55 AM
 #18

Only three more sets left!

The offer for a 10% discount if you test drive my escrow site when paying is still good.
sal002
July 21, 2011, 11:14:33 PM
 #19

I bought one and got it in the mail quickly!  And even used the mybitsafe escrow site.  Professional and thorough thru and thru.
kgo (OP)
July 25, 2011, 12:54:40 AM
 #20

Last chance.  Only one more of these left.  I will not order another batch once it's gone.