Re: [opensc-devel] Technical Description - Android Embedded SE

2012-11-21 Thread Martin Paljak
On Tue, Oct 2, 2012 at 7:36 AM, Frank Cusack wrote: > There are at least 2 vendors of such cards today, and at least one vendor of > a card that includes a PINpad. $$$ and very niche. Also, no one really > wants to use such a card. Interesting. Do you have pointers? I mean cards that have the

Re: [opensc-devel] Technical Description - Android Embedded SE

2012-10-01 Thread Anders Rundgren
On 2012-10-02 06:36, Frank Cusack wrote: . > I've already seen a smartcard that hosts a battery, a display and a > button in a standard ISO form factor (it uses the sc chip to generate an > OTP every time the key is pressed), so 'technically' we're quite near to > a card that shows

Re: [opensc-devel] Technical Description - Android Embedded SE

2012-10-01 Thread Frank Cusack
On Sun, Sep 30, 2012 at 5:48 AM, NdK wrote: > Il 29/09/2012 09:01, Frank Cusack ha scritto: > > > I knew something that didn't need "trusted software" (in the PC) > should > > exist. And Finally I found it: > > http://www.ftsafe.com/product/epass/interpass > > Seems quite near to

Re: [opensc-devel] Technical Description - Android Embedded SE

2012-09-30 Thread Anders Rundgren
On 2012-09-30 14:48, NdK wrote: > Il 29/09/2012 09:01, Frank Cusack ha scritto: > >> I knew something that didn't need "trusted software" (in the PC) should >> exist. And Finally I found it: >> http://www.ftsafe.com/product/epass/interpass >> Seems quite near to my idea of a "reall

Re: [opensc-devel] Technical Description - Android Embedded SE

2012-09-30 Thread NdK
Il 29/09/2012 09:01, Frank Cusack ha scritto: > I knew something that didn't need "trusted software" (in the PC) should > exist. And Finally I found it: > http://www.ftsafe.com/product/epass/interpass > Seems quite near to my idea of a "really-smart card": big display to > show

Re: [opensc-devel] Technical Description - Android Embedded SE

2012-09-29 Thread Anders Rundgren
On 2012-09-29 18:23, Frank Cusack wrote: > On Sat, Sep 29, 2012 at 12:40 AM, Anders Rundgren > wrote: > > Right. There is no point in installing applications in the SE; > applications are installed on top of the OS. > The SE only needs to keep keys (like

Re: [opensc-devel] Technical Description - Android Embedded SE

2012-09-29 Thread Frank Cusack
On Sat, Sep 29, 2012 at 12:40 AM, Anders Rundgren wrote: > Right. There is no point in installing applications in the SE; > applications are installed on top of the OS. > The SE only needs to keep keys (like smart cards in reality do ..) . That's a very limited use of the SE. Keys OTOH will

Re: [opensc-devel] Technical Description - Android Embedded SE

2012-09-29 Thread Anders Rundgren
On 2012-09-29 09:01, Frank Cusack wrote: > On Fri, Sep 21, 2012 at 11:58 PM, Andreas Jellinghaus > wrote: > > > Am 20.09.2012 21:06 schrieb "Anders Rundgren" >: > > > > > > > http://nelenkov.blogspot.se/2012/08/accessing-

Re: [opensc-devel] Technical Description - Android Embedded SE

2012-09-29 Thread Frank Cusack
On Fri, Sep 21, 2012 at 11:58 PM, Andreas Jellinghaus wrote: > > Am 20.09.2012 21:06 schrieb "Anders Rundgren" : > > > > > > http://nelenkov.blogspot.se/2012/08/accessing-embedded-secure-element-in.html > > > > Very interesting IMHO. > > Agree, thanks for sharing. > > > > > According to the author

Re: [opensc-devel] Technical Description - Android Embedded SE

2012-09-27 Thread NdK
Il 23/09/2012 12:04, Andreas Jellinghaus ha scritto: > > In my mind, the SE should take over display and touch controller by > > hardware means, so absolutely no app can snoop user input or fake it. > > Too bad seems nobody really *needs* that level of security... > The problem wit

Re: [opensc-devel] Technical Description - Android Embedded SE

2012-09-27 Thread Andreas Jellinghaus
2012/9/27 Martin Paljak > On Sat, Sep 22, 2012 at 1:41 PM, Andreas Jellinghaus > wrote: > >> In my mind keys could optionally contain application-oriented ACL > telling > >> which > >> applications they trust so that even if you install a "bad" App, it > would > >> for > >> example not be able t

Re: [opensc-devel] Technical Description - Android Embedded SE

2012-09-27 Thread Martin Paljak
On Sun, Sep 23, 2012 at 12:52 PM, Andreas Jellinghaus wrote: > 2012/9/22 NdK >> >> Il 22/09/2012 12:41, Andreas Jellinghaus ha scritto: >> >> > In my mind keys could optionally contain application-oriented ACL >> > telling which >> > applications they trust so that even if you install

Re: [opensc-devel] Technical Description - Android Embedded SE

2012-09-27 Thread Martin Paljak
On Sat, Sep 22, 2012 at 1:41 PM, Andreas Jellinghaus wrote: >> In my mind keys could optionally contain application-oriented ACL telling >> which >> applications they trust so that even if you install a "bad" App, it would >> for >> example not be able to use your bank or eID-key in the background

Re: [opensc-devel] Technical Description - Android Embedded SE

2012-09-25 Thread Andreas Jellinghaus
2012/9/25 Peter Stuge > NdK wrote: > > >> IIUC that bit is not authenticated, so a MITM attack can force both > the > > >> reader and the card think the other party doesn't support PIN auth, > > >> making the card sign the transaction anyway, regardless the amount > > >> involved. So IMVHO it's q

Re: [opensc-devel] Technical Description - Android Embedded SE

2012-09-25 Thread Peter Stuge
NdK wrote: > >> IIUC that bit is not authenticated, so a MITM attack can force both the > >> reader and the card think the other party doesn't support PIN auth, > >> making the card sign the transaction anyway, regardless the amount > >> involved. So IMVHO it's quite serious... > > http://www.cl.ca

Re: [opensc-devel] Technical Description - Android Embedded SE

2012-09-25 Thread NdK
Il 25/09/2012 11:50, Peter Stuge ha scritto: >> IIUC that bit is not authenticated, so a MITM attack can force both the >> reader and the card think the other party doesn't support PIN auth, >> making the card sign the transaction anyway, regardless the amount >> involved. So IMVHO it's quite seri

Re: [opensc-devel] Technical Description - Android Embedded SE

2012-09-25 Thread Peter Stuge
NdK wrote: > IIUC that bit is not authenticated, so a MITM attack can force both the > reader and the card think the other party doesn't support PIN auth, > making the card sign the transaction anyway, regardless the amount > involved. So IMVHO it's quite serious... http://www.cl.cam.ac.uk/~sjm217

Re: [opensc-devel] Technical Description - Android Embedded SE

2012-09-25 Thread NdK
Il 25/09/2012 07:58, Andreas Jellinghaus ha scritto: >> EMV for sure: there's an unauthenticated bit that tells the card to >> authenticate the transaction without asking for the PIN... > That's ok, it is a valid feature. If people buy something for less than a > dollar, and the transaction is auth

Re: [opensc-devel] Technical Description - Android Embedded SE

2012-09-24 Thread Andreas Jellinghaus
2012/9/25 NdK > Il 24/09/2012 21:37, Andreas Jellinghaus ha scritto: > > > no, I was referring to all the magic solutions that make things secure > > suddenly. > there was a good comic strip I can't find just now... > Hackers view: oh, no, this laptop is protected by 4096-bit RSA... no way > we ca

Re: [opensc-devel] Technical Description - Android Embedded SE

2012-09-24 Thread NdK
Il 24/09/2012 21:37, Andreas Jellinghaus ha scritto: > no, I was referring to all the magic solutions that make things secure > suddenly. there was a good comic strip I can't find just now... Hackers view: oh, no, this laptop is protected by 4096-bit RSA... no way we can recover it even with $1

Re: [opensc-devel] Technical Description - Android Embedded SE

2012-09-24 Thread Andreas Jellinghaus
2012/9/24 NdK > Il 23/09/2012 11:52, Andreas Jellinghaus ha scritto: > > >> In my mind, the SE should take over display and touch controller by > >> hardware means, so absolutely no app can snoop user input or fake it. > >> Too bad seems nobody really *needs* that level of security... > > like "c

Re: [opensc-devel] Technical Description - Android Embedded SE

2012-09-24 Thread Andreas Jellinghaus
2012/9/23 Anders Rundgren > On 2012-09-23 12:04, Andreas Jellinghaus wrote: > > 2012/9/22 Anders Rundgren anders.rundg...@telia.com>> > > > > On 2012-09-22 17:27, NdK wrote: > > > Il 22/09/2012 12:41, Andreas Jellinghaus ha scritto: > > > > > >> In my mind keys could optional

Re: [opensc-devel] Technical Description - Android Embedded SE

2012-09-24 Thread NdK
Il 23/09/2012 11:52, Andreas Jellinghaus ha scritto: >> In my mind, the SE should take over display and touch controller by >> hardware means, so absolutely no app can snoop user input or fake it. >> Too bad seems nobody really *needs* that level of security... > like "credsticks" from scifi novel

Re: [opensc-devel] Technical Description - Android Embedded SE

2012-09-24 Thread NdK
Il 22/09/2012 19:37, Anders Rundgren ha scritto: >> In my mind, the SE should take over display and touch controller by >> hardware means, so absolutely no app can snoop user input or fake it. >> Too bad seems nobody really *needs* that level of security... > The problem with that is that is impos

Re: [opensc-devel] Technical Description - Android Embedded SE

2012-09-23 Thread Anders Rundgren
On 2012-09-23 12:04, Andreas Jellinghaus wrote: > 2012/9/22 Anders Rundgren > > > On 2012-09-22 17:27, NdK wrote: > > Il 22/09/2012 12:41, Andreas Jellinghaus ha scritto: > > > >> In my mind keys could optionally contain application-oriented A

Re: [opensc-devel] Technical Description - Android Embedded SE

2012-09-23 Thread Andreas Jellinghaus
2012/9/22 Anders Rundgren > On 2012-09-22 17:27, NdK wrote: > > Il 22/09/2012 12:41, Andreas Jellinghaus ha scritto: > > > >> In my mind keys could optionally contain application-oriented ACL > >> telling which > >> applications they trust so that even if you install a "bad" App, it >

Re: [opensc-devel] Technical Description - Android Embedded SE

2012-09-23 Thread Andreas Jellinghaus
2012/9/22 NdK > Il 22/09/2012 12:41, Andreas Jellinghaus ha scritto: > > > In my mind keys could optionally contain application-oriented ACL > > telling which > > applications they trust so that even if you install a "bad" App, it > > would for > > example not be able to use y

Re: [opensc-devel] Technical Description - Android Embedded SE

2012-09-22 Thread Anders Rundgren
On 2012-09-22 17:27, NdK wrote: > Il 22/09/2012 12:41, Andreas Jellinghaus ha scritto: > >> In my mind keys could optionally contain application-oriented ACL >> telling which >> applications they trust so that even if you install a "bad" App, it >> would for >> example not be a

Re: [opensc-devel] Technical Description - Android Embedded SE

2012-09-22 Thread NdK
Il 22/09/2012 12:41, Andreas Jellinghaus ha scritto: > In my mind keys could optionally contain application-oriented ACL > telling which > applications they trust so that even if you install a "bad" App, it > would for > example not be able to use your bank or eID-key in the ba

Re: [opensc-devel] Technical Description - Android Embedded SE

2012-09-22 Thread Andreas Jellinghaus
2012/9/22 Anders Rundgren > On 2012-09-22 08:58, Andreas Jellinghaus wrote: > > > > Am 20.09.2012 21:06 schrieb "Anders Rundgren" > > anders.rundg...@telia.com>>: > >> > >> > http://nelenkov.blogspot.se/2012/08/accessing-embedded-secure-element-in.html > >> > >> Very interesting IMHO. > > > > A

Re: [opensc-devel] Technical Description - Android Embedded SE

2012-09-22 Thread Anders Rundgren
On 2012-09-22 08:58, Andreas Jellinghaus wrote: > > Am 20.09.2012 21:06 schrieb "Anders Rundgren" >: >> >> http://nelenkov.blogspot.se/2012/08/accessing-embedded-secure-element-in.html >> >> Very interesting IMHO. > > Agree, thanks for sharing. >> >> According t

Re: [opensc-devel] Technical Description - Android Embedded SE

2012-09-22 Thread Andreas Jellinghaus
Am 20.09.2012 21:06 schrieb "Anders Rundgren" : > > http://nelenkov.blogspot.se/2012/08/accessing-embedded-secure-element-in.html > > Very interesting IMHO. Agree, thanks for sharing. > > According to the author SD-slots are becoming exceptions also for Android so this is > probably what most peop

[opensc-devel] Technical Description - Android Embedded SE

2012-09-20 Thread Anders Rundgren
http://nelenkov.blogspot.se/2012/08/accessing-embedded-secure-element-in.html Very interesting IMHO. According to the author SD-slots are becoming exceptions also for Android so this is probably what most people will be dealing with. Anders