Re: Smart card proposal

From: Rogan Dawes (discarddawes.za.net)
Date: Thu Feb 03 2005 - 07:59:06 CST


Glenn_Everhartbankone.com wrote:
> I wonder with these smartcards that have PIN pads so you authenticate to the
> card...
>
> Can they be "hotwired", i.e., have an emulator that grabs their data but pretends
> to have the PIN and just talks to whatever? (Obviously nobody would likely
> alter the actual smartcard, but if the data thereof could be dumped, what assures
> a back end that the real smartcard, and not an emulator with its data, is there?
> Thus what assures the card has been authenticated to?
>
>

The whole point of using a smart card is that it cannot be copied. (That
is, without tunneling electron microscopes, acid baths, etc). The
firmware in the smart card does not support a "give me the bitstream of
the private key" operation.

So, it really is "something you have, and something you know".

The above statement *does* assume that the private key is generated in
the card itself. This is the "correct" way to do it. However, I believe
that it may be possible to load a private key generated elsewhere onto a
smart card. In that case, if someone were able to get a copy of that
original private key, they would certainly be able to emulate the smart card.

Rogan
--
Rogan Dawes

*ALL* messages to discarddawes.za.net will be dropped, and added
to my blacklist. Please respond to "lists AT dawes DOT za DOT net"
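
The argument in the reply above, as an added example that is not part of the original message: a toy card model whose only key operation is `sign()`, checked by a backend with a fresh random challenge, followed by the off-card key case. The challenge-response check, the Schnorr-style signature over a toy-sized group, the three-try PIN counter and all names (`Card`, `backend_verify`, `imported_key`) are assumptions made for illustration.

```python
import hashlib
import secrets

P = 2**127 - 1  # Mersenne prime: a toy-sized group, for illustration only
G = 3

def _h(r, msg):
    data = r.to_bytes(16, "big") + msg
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % (P - 1)

class Card:
    """Toy card model: sign() is the only key operation; nothing returns the key."""
    def __init__(self, pin, imported_key=None):
        # imported_key models a private key generated elsewhere and loaded in
        self.__x = imported_key or secrets.randbelow(P - 2) + 1
        self.__pin, self.__tries = pin, 3
        self.public = pow(G, self.__x, P)

    def sign(self, pin, challenge):
        if self.__tries == 0:
            raise PermissionError("card blocked")
        if not secrets.compare_digest(pin, self.__pin):
            self.__tries -= 1
            raise PermissionError("wrong PIN")
        self.__tries = 3
        k = secrets.randbelow(P - 2) + 1
        r = pow(G, k, P)
        return r, (k + self.__x * _h(r, challenge)) % (P - 1)

def backend_verify(public, challenge, sig):
    r, s = sig
    return pow(G, s, P) == r * pow(public, _h(r, challenge), P) % P

def demo():
    card = Card(pin="4921")  # constructed PIN
    old = secrets.token_bytes(16)
    observed = card.sign("4921", old)  # an earlier exchange that was recorded
    fresh = secrets.token_bytes(16)  # backend issues a new random challenge
    genuine = backend_verify(card.public, fresh, card.sign("4921", fresh))
    replayed = backend_verify(card.public, fresh, observed)
    # Key generated off-card: whoever holds the copy can build a working clone
    x = secrets.randbelow(P - 2) + 1
    issued, clone = Card("4921", x), Card("0000", x)
    cloned = backend_verify(issued.public, fresh, clone.sign("0000", fresh))
    return genuine, replayed, cloned

if __name__ == "__main__":
    print(demo())
```

`demo()` returns `(genuine, replayed, cloned)`: the real card passes, recorded data fails against a new challenge, and a card built from a copied off-card key passes.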