On Tue, May 22, 2012 at 4:01 PM, NdK <ndk.cla...@gmail.com> wrote:
> On 22/05/2012 14:32, Martin Paljak wrote:
>
>> Regarding PIN codes, communication is protected with AES, in addition
>> to BT pairing.
> How does the AES key exchange work? 'cause it's the weak link...
> If the attacker can obtain the AES key (for example if it's printed on
> the unit and the attacker could see it), then it's the same as cleartext.

Actually I just installed the latest toolkit to my new Android phone and it requires initial pairing through USB (but IIRC it was possible without it as well).

Nevertheless, the "NSA approved" devices all require/suggest pairing in a secure location, with adequate pairing passwords etc. Which is anyway a generally useful suggestion. I'd guess those guys know as well what they are doing and what is wrong and what is right:

http://www.nsa.gov/ia/_files/factsheets/I732-016R-07.pdf
http://www.nsa.gov/ia/_files/wireless/BlueToothDoc.pdf

Then again, considering using convenience solutions (like a Bluetooth smart card reader at the moment mostly seems to be) vs "being paranoid to the level of radio-sniffing-and-key-agreement-intercepting adversary" is IMHO out of balance. I don't think that there are that many scenarios where a Bluetooth reader is a must have showstopper.

Martin