Hello Markus,
Markus Schatzl schrieb:
> Hello,
>
> I'd be interested if somebody here has practical experience with
> "Secure Messaging" modes in general and would be so kind to
> answer a few questions:
Yes, we have. See [1] / IsoSecureChannel class for how that works.
>
> In authentic as well as in combined mode, the use of symmetric
> ciphers seems to be the standard approach. To migitate simple MITM
> techniques, at least one keypair must be already integrated into
> ROM/EEPROM at the production/personalization stage and kept secret.
I assume you mean protection of integrity and confidentiality.
>
> As a result, SM can only be used with designated terminals
> from a single emitting instance (or partner organizations)
> that have knowledge about this secret key. This defeats
> interoperability as a whole and reminds me to the infamous
> "security by obscurity" solutions popular in former decades.
>
> Are there any practical attempts to negotiate keys for SM by
> use of public keys?
Yes, there is. Google for the e-SignK / CWA 14890 draft CEN standard.
This describes secure messaging based on a shared secret key or using a
hybrid scheme with card verifiable certificates (CVCs) (all based on ISO
7816-4). That is the procedure used by several smart card applications
(eGK, ECC).
>
> What is the impact in terms of computation time for encrypted
> transfer at the moment, compared to a plain transmission?
> (Last info: x4)
Depends on the card, but x4 seems realistic.
>
> Plain signature functionality is neither time-critical and
> generally uses basic facilities available on nearly every
> token. As digital signatures slowly gain acceptance outside
> specialized applications, are there any ambitions to secure the
> card-to-terminal communication by default?
This is what is called trusted-channel and can be found in CWA 14890 for
electronic signature applications in an untrusted environment.
>
> Isn't it urgently necessary to use ad-hoc interoperable
> security routines in the light of the legal status of digital
> signatures within the EU?
That is what standards are for ;-)
Andreas
[1] www.openscdp.org/scsh3/index.html
--
--------- CardContact Software & System Consulting
|.##> <##.| Andreas Schwier
|# #| Schülerweg 38
|# #| 32429 Minden, Germany
|'##> <##'| Phone +49 171 8334920
--------- http://www.cardcontact.de
_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
