WebApp Sec mailing list archives

Re: Smart card proposal


From: Rogan Dawes <discard () dawes za net>
Date: Thu, 03 Feb 2005 14:59:06 +0100

Glenn_Everhart () bankone com wrote:
I wonder with these smartcards that have PIN pads so you authenticate to the
card...

Can they be "hotwired", i.e., have an emulator that grabs their data but pretends
to have the PIN and just talks to whatever? (Obviously nobody would likely
alter the actual smartcard, but if the data thereof could be dumped, what assures
a back end that the real smartcard, and not an emulator with its data, is there?)
Thus what assures the card has been authenticated to?



The whole point of using a smart card is that it cannot be copied. (That is, without tunneling electron microscopes, acid baths, etc.) The firmware in the smart card does not support a "give me the bitstream of the private key" operation.

So, it really is "something you have, and something you know".

The above statement *does* assume that the private key is generated in the card itself. This is the "correct" way to do it. However, I believe that it may be possible to load a private key generated elsewhere onto a smart card. In that case, if someone were able to get a copy of that original private key, they would certainly be able to emulate the smart card.

Rogan
--
Rogan Dawes

*ALL* messages to discard () dawes za net will be dropped, and added
to my blacklist. Please respond to "lists AT dawes DOT za DOT net"
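
The following is an added example, not part of either poster's message: a small Go model of the back-end check discussed in this thread, showing why a dump of a card's readable data does not let an emulator answer a challenge, while a copy of a key generated off-card does, with a PIN of the emulator's own choosing. It assumes Ed25519 from the Go standard library as a stand-in for the card's key pair; `Card`, `NewKey`, `LoadKey`, `GenerateOnCard` and `Authenticate` are hypothetical names.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Card models a smart card: no method returns priv; Sign is the only key operation.
type Card struct {
	pin  string
	priv ed25519.PrivateKey
	Pub  ed25519.PublicKey // public data that anyone can read or dump
}

// NewKey makes a fresh private key; whoever calls it holds a copy of the key.
func NewKey() ed25519.PrivateKey {
	_, priv, _ := ed25519.GenerateKey(rand.Reader)
	return priv
}

// LoadKey models importing a key that was generated elsewhere onto a card.
func LoadKey(pin string, priv ed25519.PrivateKey) *Card {
	return &Card{pin: pin, priv: priv, Pub: priv.Public().(ed25519.PublicKey)}
}
// GenerateOnCard models on-card generation: the key never exists outside the card.
func GenerateOnCard(pin string) *Card { return LoadKey(pin, NewKey()) }

// Sign answers a challenge only when the correct PIN is presented.
func (c *Card) Sign(pin string, challenge []byte) []byte {
	if pin != c.pin {
		return nil
	}
	return ed25519.Sign(c.priv, challenge)
}

// Authenticate is the back end: fresh random challenge, verified under the enrolled key.
func Authenticate(enrolled ed25519.PublicKey, respond func([]byte) []byte) bool {
	challenge := make([]byte, 32)
	rand.Read(challenge)
	return ed25519.Verify(enrolled, challenge, respond(challenge))
}

func main() {
	card, k := GenerateOnCard("1234"), NewKey() // k is generated off-card
	issued, clone := LoadKey("1234", k), LoadKey("0000", k)
	fmt.Println(Authenticate(card.Pub, func(c []byte) []byte { return card.Sign("1234", c) }),
		Authenticate(issued.Pub, func(c []byte) []byte { return clone.Sign("0000", c) }))
}
```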

