How secure are smartcards?

Jay Litwyn brewhaha at
Thu Jul 28 13:00:58 CEST 2011


In my entry on a related thread, I was thinking that one of the simpler
ways to foil attacks on bank cards would be to make a smart card play
dumb and accept any old pin (symmetric encryption key for a private
key). That would (almost) force attackers to communicate with a bank on
every trial, except there *might* be a way for attackers to get the
public key for a pair off a card. Since attackers can't read the private
key (at least not without frying or bridging key bits), they can't tell
that it iz no longer based upon probable primes. The bank would come up
with "no such ID", or "BAD signature", and they might be watching for a
lot of noise like that. Now, I am thinking that for a card to reveal its
public key more than once might actually be a weakness, however

A bank card does only hav to communicate with one other entity, so I am
not sure that this can't be done with symmetric keys throughout.

The other way iz to introduce increasing delays for bad PINs.
I like my first impulse better, though, forcing attackers to actually
use a badly decrypted private key to communicate with a bank.
That boy so horny, even the Crack of Dawn ain't safe!
Version: GnuPG v2.0.17 (MingW32)
Comment: Using GnuPG with Mozilla -


More information about the Gnupg-users mailing list