Is there a chance smartcards have a backdoor? (was Re: Any future for the Crypto Stick?)

[Peter Lebbing]

On 05/12/13 13:20, Paul R. Ramer wrote:
> On that note, why assume that the manufacturer would not do the opposite:
> feign helping the spy agency by giving them a compromised ROM and then
> substituting a secure one on the real product. In either case, we are
> assuming the company would try to supply different bodies with different
> ROMs.

We're debating the risk that a card is backdoored. If there is such a risk, that
risk still exists if we allow for the possibility that manufacturers try to do
what you say. They're not mutually exclusive; how come you infer that I assume
that the manufacturer would not do the opposite?

But anyway:

So the NSA simply buys a card from a shop, and notices that it doesn't respond
to the backdoor command. Or they want to use the backdoor to get a suspect's
private key, and again, the card does not respond. How is the manufacturer going
to talk its way out of that?

However, if you're up against specific investigation by the NSA (not the dragnet
method), I think pretty much anybody will lose, backdoor or not. If they can't
extract your private key, they'll simply hack your computer and batch up
decryption requests to be bundled with your own next access of the card, or
something similar, or something really smart I didn't think of. So it's really a
question if it matters whether the NSA has a backdoor or not :).

Peter.

PS: the new subject line is very verbose because I wanted to avoid the risk that
people interpret "Chance smartcard backdoored" as a statement rather than a
question.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>