Making the case for smart cards for the average user

MFPA 2014-667rhzu3dc-lists-groups at riseup.net
Mon Mar 16 02:24:42 CET 2015


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Hi


On Sunday 15 March 2015 at 10:24:29 PM, in
<mid:354B50B8-9726-487A-A7A5-E7FD5839F95C at gmail.com>, Jose Castillo
wrote:


> Sorry about the improper threading; I’ve switched off
> digest mode, hopefully this will help.

That one threaded properly. Thanks.


> I may have phrased my point inartfully. I think the
> goal here is to minimize the harm done in the case of
> compromise.

That should be a goal everywhere. (-;



> You do
> have to trust the firmware and the operating system on
> the smart card,

I thought there were some open-source smart cards around.



> but that’s made easier by the fact that
> chips in these cards [2] and the operating system [3]
> are certified to be secure based on international
> standards, and are widely deployed in sensitive areas
> like access control, payments and telephone SIM cards.

It's quite a few years since I heard of SIM cards being cloned. I
guess the spec was improved. (-;



> With NFC the main mitigation is physical rather than
> cryptographic in nature. Since the card has no battery,
> the attacker would have to supply an RF field
> sufficient for powering up the chip to perform the math
> and transmit a response. In theory, that maxes out at
> 10 centimeters; in practice, it’s about half that.

I thought it could be done from a few yards away, if the attacker used
bigger aerials. [0] says that for passports, the RFID tag can be
powered up from about 50cm away and messages can be sent and received
over several metres.



> You
> can negate this attack with an RF blocking sleeve,
> which I’ll almost certainly be adding to the kit after
> this conversation.

Glad to hear it. Shame the banks who issue NFC-enabled payment cards
don't provide such sleeves. Although, Faraday-cage wallets and
passport holders are available.


> Thank you for your critical responses, by the way; I
> appreciate the chance to be transparent about the
> challenges involved.

Thank you. I have enjoyed the discussion, and hope to have

[0] <http://www.cs.bham.ac.uk/~tpc/Papers/PassportTrace.pdf>




- --
Best regards

MFPA                  <mailto:2014-667rhzu3dc-lists-groups at riseup.net>

Dollar sign - An S that's been double crossed
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----




More information about the Gnupg-users mailing list