How secure are smartcards?

Jay Litwyn brewhaha at freenet.edmonton.ab.ca
Thu Jul 28 13:00:58 CEST 2011


-----BEGIN PGP SIGNED MESSAGE-----

In my entry on a related thread, I was thinking that one of the simpler
ways to foil attacks on bank cards would be to make a smart card play
dumb and accept any old pin (symmetric encryption key for a private
key). That would (almost) force attackers to communicate with a bank on
every trial, except there *might* be a way for attackers to get the
public key for a pair off a card. Since attackers can't read the private
key (at least not without frying or bridging key bits), they can't tell
that it iz no longer based upon probable primes. The bank would come up
with "no such ID", or "BAD signature", and they might be watching for a
lot of noise like that. Now, I am thinking that for a card to reveal its
public key more than once might actually be a weakness, however
interoperable.

A bank card does only hav to communicate with one other entity, so I am
not sure that this can't be done with symmetric keys throughout.

The other way iz to introduce increasing delays for bad PINs.
I like my first impulse better, though, forcing attackers to actually
use a badly decrypted private key to communicate with a bank.
_______
That boy so horny, even the Crack of Dawn ain't safe!
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (MingW32)
Comment: http://ecn.ab.ca/~brewhaha/gpg/Keyprint_Biometric.mp3.pgp
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQCVAwUBTjFBYx47apzXdID2AQFP8wP/eT5sYDOjdgVRbuHOdbc8JkJ/1wG/d6nQ
oW1SvdtXQjTnVDNEpcLop11ibTVqiCkddQTWXazso9B1CPwPAGIA+z6ipfFCYCBm
DGp09oEZw9BO52Qhb09GwL+ykXxlgHUcx70rTNDlXM/GlusodQEPbkyFCQ+Dow3p
+YffVJbfyyU=
=Rs2c
-----END PGP SIGNATURE-----



More information about the Gnupg-users mailing list