re: Status of SRP UK Detects Chip-And-PIN Security Flaw Google Architecture

as i mentioned, the x9a10 financial standards working group had been given the requirement to preserve the integrity of the financial infrastructure for all retail payments .... this included at least all kinds of internet, all kinds of POS, and all kinds of payments (debit, credit, stored-value, etc).

part of the resulting x9.59 financial standard was transaction authentication. session authentication had been looked at, and it was felt (compared to transaction authentication) it was much more vulnerable to end-point threats, mitm threats, as well as insider threats.

from at least some retailers' comments that chip&pin wasn't appropriate for internet transactions ... it might be implied that chip&pin does session-like (as opposed to transaction) authentication ... regardless of whether it is SDA or DDA (possibly making it vulnerable to some of the end-point threats, mitm threats, and/or insider threats considered by the x9a10 financial standard effort).

UK Detects Chip-And-PIN Security Flaw

using the x9.59 transaction authentication paradigm, i had started on the aads chips strawman.

at the NISSC conference in 98, i had quipped that I was going to take a mil-spec security token, cost reduce it by two orders of magnitude while increasing its security. in a chip&pin reference this meant having a chip doing "DDA" at higher integrity than the chip&pin DDA chip ... but at lower cost than the chip&pin SDA chip. The aads chip strawman also needed to be able to do x9.59 transaction authentication within iso14443 contactless power profile and within the transit industry turnstile timing requirements. a number of aads strawman chips were demonstrated in dec. 1999 at the world-wide retail banking show in miami, authenticating a variety of different kinds of financial and non-financial transactions.

i gave a presentation on assurance at the 2001 intel developer's forum (in the tpm track). I happened to quip during the presentation that it was nice to see that the TPM chip design had started to look more and more like the aads chip strawman over the previous year or so. the guy leading the TPM chip effort was in the front row and quipped back that it was because i didn't have a committee of 200 people helping me with my design.

The Cryptography Mailing List