Hi Guys,

Your emails on the Datacard RSA 2002 exhibition have been splashed all over the Internet and today were given to me by one of our customers for comment.

Security relies not only on the software, but also the underlying hardware. You cannot SPA/DPA proof a smart card where the underlying hardware has weaknesses. The SPA/DPA breaches are very old and most card companies are aware of these attacks. The first reported incidence of breaching a card using SPA/DPA probably occurred about three years ago and was big news at the time. Made news in all the IT papers in Australia. What has now openly been performed at a show, we have been able to do for a number of years in our labs, i.e. extracting T-DES keys from cards with a poor algorithm implementation and weak underlying hardware. There are also a number of other attack methods that we are aware of and have made our cards immune to.

As to the inviolability of smart cards: There will never be 100% security. Given enough time, money, resources and know-how any system can be compromised. What is considered secure today may not be secure in 5 years.

The Datacard demo simply showed that poorly designed cards could be cracked, the same way that poorly designed firewalls can be breached. They used a method that all reputable smartcard manufacturers proofed against over two years ago. Whilst the Datacard demo was probably meant to be a good marketing ploy, it is of doubtful use and certainly alarmist. I am surprised that Datacard's marketing team allowed the demo considering that they also sell smartcard solutions. Perhaps they were trying to extol the virtues of their card as compared to others?

People use smartcards to protect their own privacy and that of their systems. In the same manner that you can buy a $2.00 padlock or $20.00 padlock that works, you can do the same with smartcards. If it matters to you, then use the best protection available. The lesson is don't use crappy, poorly designed cards. If it has a CC or ITSEC evaluation higher than CC3 or ITSEC 3 then it is not subject to SPA or DPA intrusion and has been tested to ensure it is not.

Paul McBow
Business Development Manager Industry & Government Cards and Card Services
G&D Australasia Pty, Ltd
Suite 6, 11th Floor
60 Marcus Clarke Street
CANBERRA ACT 2601
Telephone: (61 2) 6243 5142, Facsimile: (61 2) 6243 5149
Mobile: 0418 145 758, Email: [EMAIL PROTECTED]
