Making the case for smart cards for the average user
2014-667rhzu3dc-lists-groups at riseup.net
Mon Mar 16 02:24:42 CET 2015
On Sunday 15 March 2015 at 10:24:29 PM, in
<mid:354B50B8-9726-487A-A7A5-E7FD5839F95C at gmail.com>, Jose Castillo
> Sorry about the improper threading; I’ve switched off
> digest mode, hopefully this will help.
That one threaded properly. Thanks.
> I may have phrased my point inartfully. I think the
> goal here is to minimize the harm done in the case of
That should be a goal everywhere. (-;
> You do
> have to trust the firmware and the operating system on
> the smart card,
I thought there were some open-source smart cards around.
> but that’s made easier by the fact that
> chips in these cards and the operating system
> are certified to be secure based on international
> standards, and are widely deployed in sensitive areas
> like access control, payments and telephone SIM cards.
It's quite a few years since I heard of SIM cards being cloned. I
guess the spec was improved. (-;
> With NFC the main mitigation is physical rather than
> cryptographic in nature. Since the card has no battery,
> the attacker would have to supply an RF field
> sufficient for powering up the chip to perform the math
> and transmit a response. In theory, that maxes out at
> 10 centimeters; in practice, it’s about half that.
I thought it could be done from a few yards away, if the attacker used
bigger aerials.  says that for passports, the RFID tag can be
powered up from about 50cm away and messages can be sent and received
over several metres.
> can negate this attack with an RF blocking sleeve,
> which I’ll almost certainly be adding to the kit after
> this conversation.
Glad to hear it. Shame the banks who issue NFC-enabled payment cards
don't provide such sleeves. Although, Faraday-cage wallets and
passport holders are available.
> Thank you for your critical responses, by the way; I
> appreciate the chance to be transparent about the
> challenges involved.
Thank you. I have enjoyed the discussion, and hope to have
MFPA <mailto:2014-667rhzu3dc-lists-groups at riseup.net>
Dollar sign - An S that's been double crossed
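The exchange above turns on how far a passive NFC card can be powered up: the card has no battery, so the reader (or attacker) must supply a magnetic field strong enough to energise the chip, and a larger loop antenna driven harder reaches further. The following is an added example, not part of the original thread, that models only that powering distance along the axis of a circular loop antenna, using the on-axis Biot-Savart field of a loop and the 1.5 A/m minimum operating field from ISO/IEC 14443-2. The loop sizes and currents are constructed illustrations, not measurements from the discussion.

```python
import math

# ISO/IEC 14443-2 minimum operating field strength for a proximity card, A/m (rms).
H_MIN_AM = 1.5


def loop_field_on_axis(current_a, turns, radius_m, distance_m):
    """Magnetic field strength H (A/m) on the axis of a circular loop antenna.

    Biot-Savart for a loop of `turns` turns, radius `radius_m`, carrying
    `current_a` amps, evaluated `distance_m` metres from the loop centre:
        H = I * N * R^2 / (2 * (R^2 + z^2)^(3/2))
    Beyond a few loop radii this falls off roughly as 1/z^3, which is why
    the card cannot be powered from far away with a small antenna.
    """
    r2 = radius_m ** 2
    return current_a * turns * r2 / (2.0 * (r2 + distance_m ** 2) ** 1.5)


def max_powering_distance(current_a, turns, radius_m, h_min=H_MIN_AM):
    """Largest on-axis distance (m) at which the loop still delivers h_min.

    Solves loop_field_on_axis(...) == h_min for the distance. Returns None
    when even the field at the loop centre (I*N / (2R)) is below h_min, i.e.
    the antenna cannot power the card at all.
    """
    r2 = radius_m ** 2
    term = (current_a * turns * r2 / (2.0 * h_min)) ** (2.0 / 3.0) - r2
    if term < 0:
        return None
    return math.sqrt(term)


def compare_antennas():
    """Constructed comparison: a typical small reader loop versus a large
    attacker loop driven with more current. Returns {name: distance_m}."""
    # (label, current in A, turns, loop radius in m) -- illustrative values, not measured.
    antennas = [
        ("pocket reader, 5 cm loop, 1 A", 1.0, 1, 0.05),
        ("attacker, 50 cm loop, 5 A", 5.0, 1, 0.50),
        ("weak field, 5 cm loop, 10 mA", 0.01, 1, 0.05),
    ]
    return {name: max_powering_distance(i, n, r) for name, i, n, r in antennas}


if __name__ == "__main__":
    for name, dist in compare_antennas().items():
        if dist is None:
            print(f"{name}: cannot reach {H_MIN_AM} A/m even at the loop centre")
        else:
            print(f"{name}: card powered up to about {dist * 100:.1f} cm on axis")
```

With these constructed figures the small loop powers the card out to roughly 8 cm, in line with the "about half of 10 centimetres" quoted above, while the half-metre loop at 5 A reaches roughly 55 cm, the same order as the passport figure. Two caveats a practitioner would add: the model says nothing about the separate question of how far the card's reply can be eavesdropped once another reader powers it (which the thread puts at several metres), and it ignores regulatory limits on emitted field strength, so a shielding sleeve remains the cheap mitigation regardless of the attacker's antenna.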