Network Security Web-App-Sec

Re: Smart card proposal

Subject: Re: Smart card proposal
Date: Thu, 03 Feb 2005 14:59:06 +0100
Glenn_Everhart@bankone.com wrote:
I wonder with these smartcards that have PIN pads so you authenticate to the card...

Can they be "hotwired", i.e., have an emulator that grabs their data but pretends to have the PIN and just talks to whatever? (Obviously nobody would likely alter the actual smartcard, but if the data thereof could be dumped, what assures a back end that the real smartcard, and not an emulator with its data, is there? Thus what assures the card has been authenticated to?



The whole point of using a smart card is that it cannot be copied. (That is, without tunneling electron microscopes, acid baths, etc.). The firmware in the smart card does not support a "give me the bitstream of the private key" operation.


So, it really is "something you have, and something you know".

The above statement *does* assume that the private key is generated in the card itself. This is the "correct" way to do it. However, I believe that it may be possible to load a private key generated elsewhere onto a smart card. In that case, if someone were able to get a copy of that original private key, they would certainly be able to emulate the smart card.

Rogan
--
Rogan Dawes

*ALL* messages to discard@dawes.za.net will be dropped, and added
to my blacklist. Please respond to "lists AT dawes DOT za DOT net"
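
Added example, not part of the original message: a standard-library Python model of the check discussed in this thread, in which the back end verifies a signature over a fresh challenge against the enrolled public key. The `Card` class, the PINs and the toy RSA parameters are constructed assumptions, not a real card API or a secure signature scheme.

```python
import hashlib, hmac, math, secrets

# Toy textbook RSA over two fixed Mersenne primes, standard library only.
# It models the protocol, not a secure signature scheme (constructed values).
P, Q = 2**61 - 1, 2**89 - 1
N, PHI = P * Q, (P - 1) * (Q - 1)

def keypair():
    """Return (public exponent e, private exponent d) for modulus N."""
    while True:
        e = secrets.randbelow(PHI - 3) + 3
        if math.gcd(e, PHI) == 1:
            return e, pow(e, -1, PHI)

def digest(challenge):
    return int.from_bytes(hashlib.sha256(challenge).digest(), "big") % N

class Card:
    """Hypothetical card: its only key operation is 'sign after PIN check'."""
    def __init__(self, pin, loaded_key=None):
        # loaded_key=None models on-card generation; otherwise an (e, d)
        # pair created elsewhere is loaded, so copies of d may exist.
        self.public, self._d = loaded_key or keypair()
        self._pin, self._tries = pin, 3

    def sign(self, pin, challenge):
        if self._tries == 0 or not hmac.compare_digest(pin, self._pin):
            self._tries = max(0, self._tries - 1)   # lock after 3 bad PINs
            return None
        self._tries = 3
        return pow(digest(challenge), self._d, N)

def backend_accepts(enrolled_public, token, pin):
    """Back end sends a fresh challenge and checks it against the enrolled key."""
    challenge = secrets.token_bytes(16)
    sig = token.sign(pin, challenge)
    return sig is not None and pow(sig, enrolled_public, N) == digest(challenge)

def demo():
    card = Card("1234")                    # key generated on the card
    emulator = Card("0000")                # knows public data only, own key
    off_card = keypair()                   # key generated outside the card
    issued = Card("1234", loaded_key=off_card)
    copy = Card("0000", loaded_key=off_card)   # someone kept the original key
    return (backend_accepts(card.public, card, "1234"),
            backend_accepts(card.public, card, "9999"),
            backend_accepts(card.public, emulator, "0000"),
            backend_accepts(issued.public, copy, "0000"))
```

`demo()` returns the back end's decision for the genuine card with the right PIN, the genuine card with a wrong PIN, an emulator without the private key, and a copy built from an off-card key.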
