|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
From: Joao Pedro (countzero
sapo.pt)
Date: Fri Jul 17 2009 - 09:00:55 CDT
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Hi Timothy,
"Miller, Timothy J." <tmillermitre.org> wrote:
> I presume such a scheme would apply a KDF of some kind to the PIN or
> PIN + nonce (e.g., PBKDF2 from PKCS#5) in order to derive the
> symmetric key for this secure channel. This is still subject to
> simple offline attack because PINs don't have enough entropy on
> their own, and the nonce would still have to be shared over the
> insecure channel. I'd also worry about speed of the KDF on the
> card, but that's probably minor.
>
> Maybe SRP would be a better solution.
Could you please explain, or provide a reference to what SRP is?
Thank you.
Regards,
Joao
>
> -- Tim
>
>
>> -----Original Message-----
>> From: muscle-bounceslists.musclecard.com [mailto:muscle-
>> bounceslists.musclecard.com] On Behalf Of Sébastien Lorquet
>> Sent: Friday, July 17, 2009 8:17 AM
>> To: MUSCLE
>> Subject: Re: [Muscle] Protecting a PIN with keyed hashing?
>>
>> I know it, but you can easily write a class implementing the
>> org.globalplatform.SecureChannel interface to mimick the card manager's
>> secure channel, and reuse host-side tools that "talk" this protocol :)
>>
>>
>> On Fri, Jul 17, 2009 at 3:07 PM, Miller, Timothy J. <tmillermitre.org>
>> wrote:
>>
>>
>> As I understand it, the symmetric key secured channel is for card
>> management (e.g., PIN unblock, applet load, key injection, etc.), not
>> for normal access.
>>
>> -- Tim
>>
>>
>>
>> >-----Original Message-----
>> >From: muscle-bounceslists.musclecard.com [mailto:muscle-
>> >bounceslists.musclecard.com] On Behalf Of Sébastien Lorquet
>> >Sent: Friday, July 17, 2009 7:56 AM
>> >To: MUSCLE
>> >Subject: Re: [Muscle] Protecting a PIN with keyed hashing?
>> >
>> >the muscle applet is for global platform javacards right?
>> >
>> >Then about the GP secure channel already implemented
>> >(org.globalplatform.SecureChannel
>> >org.globalplatform.GPSystem.getSecureChannel() ) in these cards
>> for
>> >secure messaging? it provides a mac+tdes encryption. also,
>> writing a
>> >software implementation is not difficult, if needed (to use other
>> keys
>> >than SD's ones)
>> >
>> >sebastien
>> >
>> >ps: the muscle applet also support strong authentication with a
>> >challenge/response exchange. A 128 bits TDES key can be seen as a
>> 16-
>> >character PIN, that can be right padded with zeroes or other if
>> needed.
>> >what do you think of this?
>>
>>
>>
>> _______________________________________________
>> Muscle mailing list
>> Musclelists.musclecard.com
>> http://lists.drizzle.com/mailman/listinfo/muscle
>>
>>
>>
>
>
_______________________________________________
Muscle mailing list
Musclelists.musclecard.com
http://lists.drizzle.com/mailman/listinfo/muscle
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]