Re: Encryption of data in smart cards
Trei, Peter wrote: John Kelsey[SMTP:[EMAIL PROTECTED] At 11:08 PM 3/12/03 +0100, Krister Walfridsson wrote: This is not completely true -- I have seen some high-end cards that use the PIN code entered by the user as the encryption key. And it is quite easy to do similar things on Java cards... With any kind of reasonable PIN length, though, this isn't all that helpful, because of the small set of possible PINs. And smartcards don't generally have a lot of processing power, so making the PIN->key mapping expensive doesn't help much, either. Every PINned SC I've seen has a very limited (typically 3) number of failed attempts before it locks itself up. Once it's locked up, it can only be reactivated by an administrator PIN, which is held at much higher security by the issuer, and not available to the card user. I think John's point is still valid: encryption is only necessary to protect against people who bypass the standard API and somehow extract the data (microscopes, side channels?). In that case, the lock-out feature is irrelevant, and a short PIN is not much of a barrier. - Nikita - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: Encryption of data in smart cards
On Wed, 12 Mar 2003, Krister Walfridsson wrote: > >On Tue, 11 Mar 2003, Werner Koch wrote: > >> If you want to encrypt the >> data on the card, you also need to store the key on it. And well, if >> you are able to read out the data, you are also able to read out the >> key (more or less trivial for most mass market cards). > >This is not completely true -- I have seen some high-end cards that use >the PIN code entered by the user as the encryption key. And it is quite >easy to do similar things on Java cards... I've seen this too -- a little card that has its own 10key pad so you can enter your key directly to the card, and a little "purge" button next to the zero so you can tell it to forget the key you entered after each use. Also a red LED to tell you that it was "up" with a key entered, and that you needed to purge it before sticking it back in your wallet. The guy would enter his PIN, stick the card in the PCMCIA slot, and the machine would unlock. Slick little device, actually. Now can we get one that uses more than 5 digits for a key? Bear - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: Encryption of data in smart cards
> > With any kind of reasonable PIN length, though, this isn't all that > > helpful, because of the small set of possible PINs. And smartcards don't > > generally have a lot of processing power, so making the PIN->key mapping > > expensive doesn't help much, either. > > > > >/Krister > > > > --John Kelsey, [EMAIL PROTECTED] > > > Every PINned SC I've seen has a very limited (typically 3) number > of failed attempts before it locks itself up. Once it's locked up, it > can only be reactivated by an administrator PIN, which is held > at much higher security by the issuer, and not available to the > card user. > > Peter Yes, but wasn`t the discussion about countermeasure to just reading the contents of the smart card. If you can read the encrypted data, and it`s encrypted under a key derived from a PIN, you have all the time and chances you want to try all PINs. That`s the reason why it doesn`t work. --Anton - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
RE: Encryption of data in smart cards
At 01:23 PM 3/13/03 -0500, Trei, Peter wrote: Every PINned SC I've seen has a very limited (typically 3) number of failed attempts before it locks itself up. Once it's locked up, it can only be reactivated by an administrator PIN, which is held at much higher security by the issuer, and not available to the card user. Right. Which is good for the PIN-guessing-to-get-access attack, but not much help for the decrypting the extracted data using the PIN-generated key attack. Peter --John Kelsey, [EMAIL PROTECTED] - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: Encryption of data in smart cards
At 01:13 PM 3/13/2003 -0500, John Kelsey wrote: At 11:08 PM 3/12/03 +0100, Krister Walfridsson wrote: ... This is not completely true -- I have seen some high-end cards that use the PIN code entered by the user as the encryption key. And it is quite easy to do similar things on Java cards... With any kind of reasonable PIN length, though, this isn't all that helpful, because of the small set of possible PINs. And smartcards don't generally have a lot of processing power, so making the PIN->key mapping expensive doesn't help much, either. /Krister --John Kelsey, [EMAIL PROTECTED] note however, that PIN could be possibly in infrastructure with real secret key and encryption done with derived key. the derived key one-way function is attempting to protect the infrastructure-wide secret key from brute force key search on specific piece of data. The issue is how many bits in a PIN is required to protect the secret key in a one-way function (involving the secret key and the PIN). A simple derived key is sufficient using the secret key and public account number. Adding a (privately known, card specific) PIN to such a derived key function: 1) doesn't increase the ease of attack on the secret key 2) doesn't affect brute force attack on the derived key 3) makes it harder to use a lost/stolen card -- Anne & Lynn Wheelerhttp://www.garlic.com/~lynn/ Internet trivia 20th anv http://www.garlic.com/~lynn/rfcietff.htm - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
RE: Encryption of data in smart cards
> John Kelsey[SMTP:[EMAIL PROTECTED] > > > At 11:08 PM 3/12/03 +0100, Krister Walfridsson wrote: > > ... > >This is not completely true -- I have seen some high-end cards that use > >the PIN code entered by the user as the encryption key. And it is quite > >easy to do similar things on Java cards... > > With any kind of reasonable PIN length, though, this isn't all that > helpful, because of the small set of possible PINs. And smartcards don't > generally have a lot of processing power, so making the PIN->key mapping > expensive doesn't help much, either. > > >/Krister > > --John Kelsey, [EMAIL PROTECTED] > Every PINned SC I've seen has a very limited (typically 3) number of failed attempts before it locks itself up. Once it's locked up, it can only be reactivated by an administrator PIN, which is held at much higher security by the issuer, and not available to the card user. Peter - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: Encryption of data in smart cards
At 11:08 PM 3/12/03 +0100, Krister Walfridsson wrote: ... This is not completely true -- I have seen some high-end cards that use the PIN code entered by the user as the encryption key. And it is quite easy to do similar things on Java cards... With any kind of reasonable PIN length, though, this isn't all that helpful, because of the small set of possible PINs. And smartcards don't generally have a lot of processing power, so making the PIN->key mapping expensive doesn't help much, either. /Krister --John Kelsey, [EMAIL PROTECTED] - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: Encryption of data in smart cards
there are a large number of different kinds of cards however the most prevalent smartcards (in terms of numbers deployed) are the institutional smartcards that tend to include stored-value of various kinds that are supported at various kinds of merchant &/or transient terminals (i.e. subway turnstyles). the transient tend to be proximity/contactless (aka iso14443) rather than contact (aka iso7816). these infrastructures use secret keys especially derived secret keys ... that are designed to protect the infrastructure from various kinds of attacks by others (including the people that posses the card) ... typically fraudulent value substitution on the card. -- Anne & Lynn Wheelerhttp://www.garlic.com/~lynn/ Internet trivia 20th anv http://www.garlic.com/~lynn/rfcietff.htm - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: Encryption of data in smart cards
On Wed, 12 Mar 2003 23:08:26 +0100 (MET), Krister Walfridsson said: > This is not completely true -- I have seen some high-end cards that use > the PIN code entered by the user as the encryption key. And it is quite Sorry my fault, by "read out the data" I meant to do this using a side channel or with a hardware probe. 4 - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: Encryption of data in smart cards
On Tue, Mar 11, 2003 at 10:39:17AM +0530, N. Raghavendra wrote: > Can anyone point me to sources about encryption of data in smart > cards. What I am looking for is protocols for encrypting sensitive > data (e.g., medical information about the card-holder), so that > even if the card falls into malicious hands, it won't be easy to > read that data. Hello, My thanks to everyone who has replied to my query above. The consensus seems to be that it is not usually necessary to encrypt data stored in the card, and if one wants to do it, one should use a symmetric key which is not entirely stored in the card. Best regards, Raghu. -- N. Raghavendra <[EMAIL PROTECTED]> | OpenPGP public key available Tata Consultancy Services| at http://www.keyserver.net/ Hyderabad| Key ID: 0x03618806 - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: Encryption of data in smart cards
On Tue, 11 Mar 2003, Werner Koch wrote: > If you want to encrypt the > data on the card, you also need to store the key on it. And well, if > you are able to read out the data, you are also able to read out the > key (more or less trivial for most mass market cards). This is not completely true -- I have seen some high-end cards that use the PIN code entered by the user as the encryption key. And it is quite easy to do similar things on Java cards... /Krister - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: Encryption of data in smart cards
At 10:39 AM 3/11/2003 +0530, N. Raghavendra wrote: Can anyone point me to sources about encryption of data in smart cards. What I am looking for is protocols for encrypting sensitive data (e.g., medical information about the card-holder), so that even if the card falls into malicious hands, it won't be easy to read that data. a lot of cards use derived (symmetric) keys ... similar to the derived key per transaction X9 standards. they are used to protect data from outside examination and in multi-function cards to provide protection domains between the different applications on a card. typically there is a system wide key that you would find in a secure terminal (like transit systems) that read data, decrypt it, update it, re-encrypt it and write it back to the card. this handles situations involving attacks with fraudulent readers that load fraudulent value on the card. given the possibility of a brute force attack on the infrastructure (aka getting the data out of one card, and finding the master system key) ... many systems go to some form of derived keys. They typically amount to one-way function that combines the system-wide key with something like an account number from the card that results in the derived key. A brute force attack on the card data will only result in obtaining the card-specific, derived key and not the system-wide master key. All secured readers, knowing the system wide key and some card identification can always calculate the derived key for a card. misc. derived key stuff ... http://www.garlic.com/~lynn/aadsm3.htm#cstech8 cardtech/securetech & CA PKI http://www.garlic.com/~lynn/aepay10.htm#33 pk-init draft (not yet a RFC) http://www.garlic.com/~lynn/2002e.html#18 Opinion on smartcard security requested http://www.garlic.com/~lynn/2002f.html#22 Biometric Encryption: the solution for network intruders? -- Anne & Lynn Wheelerhttp://www.garlic.com/~lynn/ Internet trivia 20th anv http://www.garlic.com/~lynn/rfcietff.htm - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: Encryption of data in smart cards
On Tue, 11 Mar 2003 10:39:17 +0530, N Raghavendra said: > Can anyone point me to sources about encryption of data in smart > cards. What I am looking for is protocols for encrypting sensitive > data (e.g., medical information about the card-holder), so that Usually you don't need to encrypt data stored on a card. The files on the card (where you store the data) are protected by ACLs or whatever the card application provides for this. If you want to encrypt the data on the card, you also need to store the key on it. And well, if you are able to read out the data, you are also able to read out the key (more or less trivial for most mass market cards). If you fear an eavesdropper between the box generating the data and the actual smartcard, one uses secure messaging to protect against this. See your card's OS manual (or ISO 7816-8) on how to do it. If your are talking about memory cards, you can use whatever protocol you would use for encrypting files. Salam-Shalom, Werner - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
