Steven Bellovin wrote:
On Aug 18, 2011, at 9:19 40PM, Bob Lloyd wrote:
Has anyone performed an analysis of the security of any of the available smart
card reader/external pin pad solutions? Are they effective at keeping the pin
from being accessible at the host to which the reader is connected? Does
anyone have any concerns about the security of these products? If you were to
test the security of such a solution, any suggestions as to what you'd look for
or would be concerned about?
The question you've asked is unanswerable because you haven't
said anything about what you want to protect and against whom.
Are you talking about chip-and-pin credit cards in a store?
Turnstile access to a high-security facility? Contact or
contactless cards? Log in to a workstation? To a laptop?
May I suggest another point of view on the question ...
An external keyboard for PIN entry in a smart card has the *stated* goal
of "keeping the pin from being accessible at the host to which the
reader is connected." If this goal is met, then the two-factor
authentication principle (something you have / something you know) is
never directly accessible in the "host".
The definition of "host" is almost irrelevant since it is (almost
always) vulnerable to malignant code. This obviously raises the question
of the external pin pad protocol/API, but it is a slightly broader
question than the one asked.
Similarly, the application on the host is outside the scope of the question.
If there were devices meeting the stated goal (commercially available
with a reasonable cost structure), they would be a very useful security
solution element for high security contexts. The user guidance would be:
never enter the PIN anywhere else than on one of these devices. Gone is the
phishing threat!
About the answer to the question with the narrower point of view, it
really depends on having access to the design and implementation details
and being able to make a security/technological review.
Regards,
--
- Thierry Moreau
CONNOTECH Experts-conseils inc.
9130 Place de Montgolfier
Montreal, QC, Canada H2M 2A1
Tel. +1-514-385-5691
_______________________________________________
cryptography mailing list
http://lists.randombit.net/mailman/listinfo/cryptography