
Opinion requested: should smartcards be used for ID and pension payout systems


norman

Feb 20, 2002, 1:30:43 PM
Hi
I use a few cryptology tools. Recently I was asked in a meeting about using
smart cards for pensions fund payouts. I was not given the details, but it
did seem that the system was secured by one cryptographic key which would be
on every card (No, it's not my design). I know for sure that techniques (at a
cost) exist to get that key. My immediate answer was "no" as if the system
relies ONLY on a smart card, then the data is worth getting. (In other
words, just cracking one card's keys would give ability to crack and defeat
the whole system as it was explained to me.) Let's assume the information is
valuable (guess $100 000) and if the keys are on every card. May I ask for
this group's opinion on the security of such a system?

(FYI) my answer was that a barcode (the 2d kind) that was encrypted with a
suitably long key was in fact far more secure than what can be done on a
smart card.


JH

Feb 20, 2002, 5:49:50 PM
I would suggest that a diversified key applied to each card would be a better
bet, with a SAM used in the terminals to assist with the access to the cards,
and perhaps even a set of keys so when one might become compromised the terminal
would just need new SAMs instead of all cards being recalled.

JH

In article <3c747...@batman.vip-za.com>, nor...@freemail.absa.co.za (norman)
wrote:

Tom Sarai

Feb 21, 2002, 4:45:07 AM
"norman" <nor...@freemail.absa.co.za> wrote in message news:<3c747...@batman.vip-za.com>...

Forget barcode, mag stripe or optical memory everybody can crack it
for $100000.
If they are not cracking the code of the card they will crack your
application.

The main problem is that everybody can read everything on these devices.
The smartcards hide the information, they are giving it out only after
successful authentication.

If you are storing some info on the card worth so much, you should use
diversified keys on every card to protect the data.
Every card has a unique number which is public. An application on
another card can count the secret key of this card from the unique key.
Then the healthcard and your 'SAM' card can argue for a session key to
communicate.

If you want the card to use only for authentication, then you should
consider using PKI capable cards. Banks don't use this technology,
they are using secret key crypto instead.


Tom

Rodrigue GIL

Feb 21, 2002, 8:02:38 AM
Hi Norman,

Did you ever hear about key diversification?
I mean:
- normally, each Smartcard chip has a unique serial number - cannot be
altered and unique for 10 years-
- the "system" knows the "Master Key" Km
- by use of a simple algorithm, like 3DES, you encrypt the "unique
serial number" with the "Master Key" Km (just need to be 112-bit long)
you obtain a "Unique Diversified Key" that is being stored in each
card.

Thus, each card has a different key = cracking of one card means that
you cracked your own card. What is the benefit for the attacker ? -->
just know the key of its own card, the Master Key Km has not been
found.

Choice of algorithm should be done in the way that access to
"decrypted" information is fast enough. For example, today a 3DES
encryption/decryption takes max. 30 µs for an 8-byte message (with
SPA, DPA, DFA countermeasures)

Then, as a good add-on, I would use a "mutual authentication" using
Random Numbers used by the smartcard... then, it becomes really
difficult to attack the system because each "transaction of data" is
different... and this even if data are transmitted in plain later on!

I noticed you are from South Africa so, please contact Prism
http://www.prism.co.za/

they are really good and might help you.

Hope it helped,

Rod
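
The key diversification and random-number mutual authentication described in the replies above, as an added example that is not part of the thread or any poster's code. It uses HMAC-SHA-256 from the Python standard library in place of the 3DES encryption the post names, and the `Card` and `Sam` classes, the serial numbers and the master key are constructed for illustration.

```python
import hashlib
import hmac
import secrets

def diversify(master_key: bytes, serial: bytes) -> bytes:
    """Derive a card-unique key from master key Km and the public serial."""
    return hmac.new(master_key, b"card-key|" + serial, hashlib.sha256).digest()

def mac(key: bytes, *parts: bytes) -> bytes:
    """MAC over length-prefixed fields so field boundaries are unambiguous."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for p in parts:
        h.update(len(p).to_bytes(2, "big") + p)
    return h.digest()

class Card:
    """Holds only its own diversified key, never the master key."""
    def __init__(self, serial: bytes, card_key: bytes):
        self.serial, self._key = serial, card_key
    def challenge(self):
        self._rc = secrets.token_bytes(8)          # card's random number
        return self.serial, self._rc
    def respond(self, rt: bytes, terminal_proof: bytes):
        # Check the terminal first, then answer over both random numbers.
        expected = mac(self._key, b"T", self._rc, rt)
        if not hmac.compare_digest(expected, terminal_proof):
            return None
        return mac(self._key, b"C", rt, self._rc)

class Sam:
    """Terminal-side module; the only place Km is stored."""
    def __init__(self, master_key: bytes):
        self._km = master_key
    def authenticate(self, card: Card) -> bool:
        serial, rc = card.challenge()
        k = diversify(self._km, serial)            # recomputed per card
        rt = secrets.token_bytes(8)                # terminal's random number
        proof = card.respond(rt, mac(k, b"T", rc, rt))
        return proof is not None and hmac.compare_digest(
            proof, mac(k, b"C", rt, rc))

def demo():
    km = secrets.token_bytes(16)                   # constructed master key
    sam = Sam(km)
    genuine = Card(b"SN-0001", diversify(km, b"SN-0001"))
    # A key extracted from card SN-0001 presented under a different serial.
    reused = Card(b"SN-0002", diversify(km, b"SN-0001"))
    return sam.authenticate(genuine), sam.authenticate(reused)
```

`demo()` returns `(True, False)`: the extracted key is valid only for the serial it was derived from, and the fresh random numbers make every exchange different.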

"norman" <nor...@freemail.absa.co.za> wrote in message news:<3c747...@batman.vip-za.com>...

norman

Feb 21, 2002, 8:40:46 AM
Thank you for the information. All of you!!. whew...

the diversified keys are certainly an option. what I find really strange is
that the system of smartcards is so popular in the first case. If I
understand the data below, the 112bit number is only 112/8=14 characters
long... in encryption terms that is quite poor (but still quite difficult to
brute force). Cut a long story short, a 2d barcode can hold quite a few
hundred characters which all the techniques of encryption/ hashing apply for
the cost of ink. I heard that smart cards in volume cost sort of $5 and more.
(I have no idea what a reader costs) therefore a barcode can have the same
technology, but at a higher security level... more bits of both key and
data?) and a hugely lower cost. The bar codes have built in error correction
etc and can tolerate 20% plus damage and are dirt cheap. I wonder why it is
not a technically better solution all round.. Maybe the scanners... they
cost say $800 each.

Rodrigue GIL <rodrig...@yahoo.com> wrote in message
news:92e93e57.0202...@posting.google.com...

norman

Feb 21, 2002, 8:45:01 AM
further thoughts: if the key is 112 bits and in the form of hex codes,
that's in fact only 7 characters long... easily brute forced? I will do
further research and thank you for your replies

norman <nor...@freemail.absa.co.za> wrote in message
news:3c758...@batman.vip-za.com...

Jeffrey A. Wormsley

Feb 21, 2002, 8:53:29 AM
"norman" <nor...@freemail.absa.co.za> wrote in
news:3c758...@batman.vip-za.com:

> the 112bit number is only 112/8=14 characters long... in encryption terms
> that is quite poor (but still quite difficult to brute force).

Not really poor, but certainly not the best available either. The
tradeoffs are high security vs. high speed vs. low cost. You can pick only
two.

> I wonder why it is not a technically better solution all round..
> Maybe the scanners... they cost say $800 each.

Smartcards are read/write, bar codes are read only. Smart card readers
cost, typically, in the $20 - $75 range. The read/write ability is the
number one reason that smartcards are better than barcodes, but if your app
doesn't need to ever change the data, then barcodes may be sufficient.


A Dark Germ

Feb 22, 2002, 4:37:15 AM
Tom,
 
> If you want the card to use only for authentication, then U should
> consider using PKI capable cards. Banks don't use this technology,
> they are using secret key crypto instead.
 
EMV uses SDA & DDA, both of these are based on PKI concepts.
 
1. Static Data Authentication

Static data authentication is performed by the terminal using a digital signature
based on public key techniques to confirm the legitimacy of critical ICC-resident
static data identified by the AFL.
 
2. Dynamic Data Authentication
 
Dynamic data authentication is performed by the terminal using a digital signature
based on public key techniques to authenticate the ICC, and confirm the legitimacy
of critical ICC-resident data identified by the ICC dynamic data and data received
from the terminal identified by the Dynamic Data Authentication Data Object List (DDOL).
 
 

PKI is not a standard but a concept that uses Private key cryptography.

Please read EMV 96 v3.1.1 & EMV 2000 v4

A Dark Germ

 

 

A Dark Germ

Feb 22, 2002, 4:46:49 AM
You have me doing it now, TOM.
 
Sorry Main TYPO error.
 
PKI is not a standard but a concept that uses PUBLIC key cryptography.
 
Sorry again, need more than 6 hours sleep, bed cold night here in Scotland.
 
Had to correct as it was the main point of the reply.
 
A Dark Germ

Tom Sarai

Feb 22, 2002, 11:10:39 AM
"A Dark Germ" <ma...@edgarindustries.ltd.uk> wrote in message news:<a553bo$ih1$1...@newsg3.svr.pol.co.uk>...
> --

OK.
It is in EMV how to use PKI.
But the card issuers are not using it. Everybody uses the cheapest
platform you can find, and there is no money for a crypto professor
aaa.. processor.

You know money comes first, security comes only after the first
cheating, if you lose too much money or reputation. Sometimes if you
lose too much money the bank comes and closes your working place. But
you spared some money in the beginning.
So usually no PKI on bank cards. (Actually no chip on most bank cards)

And your bank is charging you for your new magstripe card 1 euro (3 if
you lost it), which it gets for 0.1 eu. I just hate this.

Tom

norman

Feb 22, 2002, 12:58:53 PM
I posted the same question at the cryptology newsgroup (sci.crypt) and many
of the replies would be of interest to the contributors to this thread.

norman <nor...@freemail.absa.co.za> wrote in message
news:3c747...@batman.vip-za.com...

Anne & Lynn Wheeler

Feb 22, 2002, 4:54:51 PM
"norman" <nor...@freemail.absa.co.za> writes:
> I posted the same question at the cryptology newsgroup (sci.crypt) and many
> of the replies would be of interest to the contributors to this thread.
> norman <nor...@freemail.absa.co.za> wrote in message

and other parts of it also
http://www.garlic.com/~lynn/2002c.html#7 Opinion on smartcard security requested
http://www.garlic.com/~lynn/2002c.html#10 Opinion on smartcard security requested
http://www.garlic.com/~lynn/2002c.html#15 Opinion on smartcard security requested
http://www.garlic.com/~lynn/2002c.html#21 Opinion on smartcard security requested
http://www.garlic.com/~lynn/2002c.html#22 Opinion on smartcard security requested
http://www.garlic.com/~lynn/2002c.html#23 Opinion on smartcard security requested
http://www.garlic.com/~lynn/2002c.html#24 Opinion on smartcard security requested

somewhat related postings here
http://www.garlic.com/~lynn/99.html#224 X9.59/AADS announcement at BAI this week
http://www.garlic.com/~lynn/99.html#229 Digital Signature on SmartCards
http://www.garlic.com/~lynn/2000.html#33 SmartCard with ECC crypto
http://www.garlic.com/~lynn/2000.html#35 SmartCard with ECC crypto
http://www.garlic.com/~lynn/2000.html#65 Cybersafe & Certicom Team in Join Venture (x9.59/aads press release at smartcard forum)
http://www.garlic.com/~lynn/2000b.html#53 Digital Certificates-Healthcare Setting
http://www.garlic.com/~lynn/2000c.html#55 Java and Multos
http://www.garlic.com/~lynn/2000e.html#27 OCF, PC/SC and GOP
http://www.garlic.com/~lynn/2000f.html#77 Reading wireless (vicinity) smart cards
http://www.garlic.com/~lynn/2001m.html#4 Smart Card vs. Magnetic Strip Market
http://www.garlic.com/~lynn/2001m.html#5 Smart Card vs. Magnetic Strip Market
http://www.garlic.com/~lynn/2001m.html#6 Smart Card vs. Magnetic Strip Market
http://www.garlic.com/~lynn/2001m.html#9 Smart Card vs. Magnetic Strip Market
http://www.garlic.com/~lynn/2001n.html#8 Future applications of smartcard.

--
Anne & Lynn Wheeler | ly...@garlic.com - http://www.garlic.com/~lynn/

A Dark Germ

Feb 23, 2002, 7:06:56 AM
Tom

Over two years ago I worked on an EMV chip for a German company.
They are using both DDA & SDA on many euro projects,
I know this as I have tested these cards for EMV 96 compliance.

Here in the UK, I have also had a chip on my HSBC credit card for a few
years.
Yes, it is true they are not using the chip yet, as much as the strip,
but once the cards are in place the next phase will be to upgrade the
hardware/software infrastructure.

Strip readers have been around for years, not all POS devices can read
smartcards.

Here in the UK replacement cards are free, so far.
After all they have to provide you with access to your account!

$0.02


Wim Ton

Feb 23, 2002, 4:22:06 PM
Hi,
 
The use of public key is limited if the relations between the parties are fixed. The advantage of public key lies in the fact that you don't need to agree a key with every possible communication partner, like e-mail and e-commerce. If the only relation is between cardholder and card issuer, one might as well use symmetric cryptography on a cheaper card.
 
Wim Ton

Anne & Lynn Wheeler

Feb 23, 2002, 4:56:05 PM
"Wim Ton" <wim...@blueyonder.co.uk> writes:
>Hi,
>
>The use of public key is limited if the relations between the parties
>are fixed. The advantage of public key lays in the fact that you don't
>need to agree a key with every possible communication partner, like
>e-mail and e-commerce. If the only releation is between cardholder and
>card-.issuer, one migth as well use symmetric cryptography on a
>cheaper card.

there are advantages to using public key in almost all situations
(even if unique per account, and not some of the card infrastructures
that are shared-secret based ... but have to use multiple layers of
shared secrets ... some global and therefore represents systemic risk)
since it eliminates shared secrets and the problem that shared secret
can be used to both authenticate as well as originate transactions.

eliminating the ability to have shared secrets capable of originating
fraudulent transactions simplifies everybody's infrastructures
(controlling modification of records is simpler than preventing
viewing records or dealing with audit trail of everybody that might
have ever viewed the record).

the issue then becomes key registration .... key registration can be
similar to all the current operations for key (authentication material
registration) registration.

if you are talking digital signature authentication with ec/dsa with a
secure chip that provides reasonable protection of the key material
... the des accelerator for ec/dsa and des is effectively the same
cost in those class of chips. it is only when you get into the
no-security class of chips (effectively no key protection), that you
might see a little cost difference between ec/dsa and des.

the primary distinction between ec/dsa and des is the requirement in
dsa for high quality random number generator (not present in a straight
des requirement). however, the higher security chips have high
quality randomizer as part of other security features (which then
effectively eliminates it as being a unique cost differentiation
between ec/dsa and des or other symmetric key algorithm)

things change if you are talking about rsa signature ... rsa signature
can be done on no-security chip because it doesn't directly require a
high quality random number generator (especially if keys are injected
as opposed to generated on chip). however, rsa signature performance
does typically lead to a unique accelerator ... which does take a lot
of silicon and increases cost.

I would prefer a high quality hardware randomizer in support of
various security features as well as random number generator
supporting ec/dsa for authentication (and common accelerator for both
des/symmetric and ec/dsa) ... which then also supports on-chip key
generation ... and allows for key not being divulged outside the chip
(compared to a no-security chip with huge silicon area in support of
rsa acceleration).

then w/o compromising security (current security guidelines that
require unique password/key/pin for each security domain) the same
simple chip/hardware-token with the same public key can be used for
authentication in multiple, different security domains.

random refs:
http://www.garlic.com/~lynn/index.html#aads
