WebApp Sec mailing list archives
Re: Smart card proposal
From: Rogan Dawes <discard () dawes za net>
Date: Thu, 03 Feb 2005 14:59:06 +0100
Glenn_Everhart () bankone com wrote:
I wonder with these smartcards that have PIN pads so you authenticate to the card... Can they be "hotwired", i.e., have an emulator that grabs their data but pretends to have the PIN and just talks to whatever? (Obviously nobody would likely alter the actual smartcard, but if the data thereof could be dumped, what assures a back end that the real smartcard, and not an emulator with its data, is there? Thus what assures the card has been authenticated to?)
The whole point of using a smart card is that it cannot be copied. (That is, without tunneling electron microscopes, acid baths, etc.) The firmware in the smart card does not support a "give me the bitstream of the private key" operation.

So, it really is "something you have, and something you know".

The above statement *does* assume that the private key is generated in the card itself. This is the "correct" way to do it. However, I believe that it may be possible to load a private key generated elsewhere onto a smart card. In that case, if someone were able to get a copy of that original private key, they would certainly be able to emulate the smart card.
Rogan
--
Rogan Dawes
*ALL* messages to discard () dawes za net will be dropped, and added to my blacklist.
Please respond to "lists AT dawes DOT za DOT net"
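
Added example, not part of the original post: a Go model of the back end's challenge-response check, showing that it proves possession of the private key rather than of the physical card, which is why on-card key generation matters. The Card type, its constructors, BackendAccepts and the PIN value are hypothetical, and Ed25519 stands in for whatever algorithm a real card uses.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Card models a smart card: PIN-gated signing, no key-export operation (hypothetical names).
type Card struct {
	pin  string
	priv ed25519.PrivateKey
}

// NewCardOnCardKeygen creates the key pair inside the card; only the public key comes out.
func NewCardOnCardKeygen(pin string) (*Card, ed25519.PublicKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return &Card{pin, priv}, pub
}

// NewCardImportedKey loads a key generated elsewhere; its maker may keep a copy.
func NewCardImportedKey(pin string, priv ed25519.PrivateKey) *Card {
	return &Card{pin, priv}
}

// Sign answers a challenge only when the PIN matches.
func (c *Card) Sign(pin string, challenge []byte) ([]byte, error) {
	if pin != c.pin {
		return nil, fmt.Errorf("PIN rejected")
	}
	return ed25519.Sign(c.priv, challenge), nil
}

// BackendAccepts verifies a reply to a fresh random challenge: proof of the key, not of the plastic.
func BackendAccepts(enrolled ed25519.PublicKey, sign func([]byte) ([]byte, error)) bool {
	challenge := make([]byte, 32)
	if _, err := rand.Read(challenge); err != nil {
		return false
	}
	sig, err := sign(challenge)
	return err == nil && ed25519.Verify(enrolled, challenge, sig)
}

func main() {
	card, pub := NewCardOnCardKeygen("1234") // constructed PIN
	fmt.Println("card + PIN:", BackendAccepts(pub, func(c []byte) ([]byte, error) { return card.Sign("1234", c) }))
	pub2, priv2, _ := ed25519.GenerateKey(rand.Reader) // generated off-card, then imported
	_ = NewCardImportedKey("1234", priv2)              // card is issued, but priv2 still exists here
	fmt.Println("key copy, no card:", BackendAccepts(pub2, func(c []byte) ([]byte, error) { return ed25519.Sign(priv2, c), nil }))
}
```

Both lines print true: the back end cannot tell the issued card from a retained copy of an imported key, so the assurance rests on the key never having existed outside the card.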