On Monday, August 18, 2003, at 12:39 PM, Scott Guthery wrote:
> I wonder how many smart card manufacturers would be willing to give their source code to any government that requested it as Microsoft is doing with their source code.
Doesn't it already happen for CC evaluations (at least to some extent)?
> I don't doubt that smart card manufacturers at one time possessed special expertise in countering environmental attacks. Whether this understanding was effectively implemented in the software in the smart card is another question. I have no evidence here. I have seen a card that burped up its keys when given valid sequences of commands, so the trip from expertise to implementation does deserve attention.
This sounds like a nasty bug more than an intentional back-door. I agree that the result is the same...
> Furthermore, it must be noted that the half-life of physical attack expertise is about two years, so a relevant question is how quickly can the manufacturers respond. In the case of both timing and power attacks, the chip manufacturers responded much more quickly and more effectively than the smart card manufacturers.
I have an opposite view on this issue from my personal experience. I cannot comment further, unfortunately.
> Which brings another point. Hasn't the physical security of the token moved by and large from software to hardware? In the early days of smart cards, the card software did have to worry about these things. But aren't those days long gone and isn't the expertise that created this software obsolete? As far as today's environmental attacks go, the expertise is with the chip manufacturers and the counter measures are largely in the silicon, not in the software.
I would have 2 remarks about this:
- I don't think that the days where software countermeasures are useless are here yet
- there is no harm in having more than one layer of protection: Hardware, Software and even functional (there are ways to thwart DPA using mutual authentication and ratification counters)
> IMHO, as always.
IMHO as well :).
Cheers, JLuc.
_______________________________________________ Muscle mailing list [EMAIL PROTECTED] http://lists.musclecard.com/mailman/listinfo/muscle
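The "functional" layer JLuc mentions (mutual authentication plus a ratification counter) is easy to misread as pure access control, so here is a small model of why it also blunts DPA. This is an added example, not code from the Muscle thread, MuscleCard or any card vendor: the card only runs its key after the terminal proves knowledge of that key, picks the challenge itself so the terminal cannot choose the MAC input, and counts failed authentications, locking the key once the counter is exhausted. HMAC-SHA256 stands in for the card's real MAC, and the key bytes, the counter limit of 3 and the `Card`/`CardBlocked` names are all constructed assumptions.

```python
import hashlib
import hmac
import os


class CardBlocked(Exception):
    """Raised once the ratification counter is exhausted and the key is locked."""


class Card:
    """Minimal card model: one MAC key guarded by mutual authentication and a ratification counter."""

    def __init__(self, key: bytes, max_failures: int = 3) -> None:
        self._key = key
        self._max_failures = max_failures
        self._failures = 0          # ratification counter: consecutive failed authentications
        self._challenge = None      # card-chosen nonce awaiting the terminal's cryptogram
        self._authenticated = False
        self.key_uses = 0           # each MAC computation is one power trace an observer could record

    def _mac(self, data: bytes) -> bytes:
        # Assumption: HMAC-SHA256 stands in for whatever block-cipher MAC a real card would use.
        self.key_uses += 1
        return hmac.new(self._key, data, hashlib.sha256).digest()

    def _check_not_blocked(self) -> None:
        if self._failures >= self._max_failures:
            raise CardBlocked("ratification counter exhausted; key locked")

    def get_challenge(self) -> bytes:
        """The card picks the nonce, so the terminal never chooses the MAC input."""
        self._check_not_blocked()
        self._challenge = os.urandom(8)
        return self._challenge

    def external_authenticate(self, cryptogram: bytes) -> bool:
        """Terminal proves knowledge of the key. Every failure burns one counter step."""
        self._check_not_blocked()
        if self._challenge is None:
            return False
        expected = self._mac(self._challenge)   # the one key use an unauthenticated party can force
        self._challenge = None
        if hmac.compare_digest(expected, cryptogram):
            self._failures = 0                  # success resets the counter
            self._authenticated = True
            return True
        self._failures += 1
        self._authenticated = False
        return False

    def internal_authenticate(self, host_challenge: bytes) -> bytes:
        """Card proves itself to the terminal, but only after the terminal has authenticated."""
        self._check_not_blocked()
        if not self._authenticated:
            raise PermissionError("terminal must authenticate first")
        return self._mac(host_challenge)


def terminal_cryptogram(key: bytes, challenge: bytes) -> bytes:
    """What a legitimate terminal holding the same key computes on its side."""
    return hmac.new(key, challenge, hashlib.sha256).digest()


def key_uses_provoked_without_key(max_failures: int, attempts: int) -> int:
    """A party without the key keeps trying to authenticate; return how many key uses it forced."""
    card = Card(b"constructed-16-byte-key!", max_failures)  # constructed key
    for _ in range(attempts):
        try:
            card.get_challenge()
            card.external_authenticate(b"\x00" * 32)        # bogus cryptogram
        except CardBlocked:
            break
    return card.key_uses


def key_uses_by_legitimate_terminal(rounds: int) -> int:
    """A terminal with the key runs full mutual authentication `rounds` times: two key uses per round."""
    key = b"constructed-16-byte-key!"
    card = Card(key, max_failures=3)
    for _ in range(rounds):
        ch = card.get_challenge()
        if not card.external_authenticate(terminal_cryptogram(key, ch)):
            raise RuntimeError("legitimate terminal should always authenticate")
        card.internal_authenticate(os.urandom(8))
    return card.key_uses


if __name__ == "__main__":
    print("key uses forced without the key, counter=3:", key_uses_provoked_without_key(3, 1000))
    print("key uses forced without the key, no effective counter:", key_uses_provoked_without_key(10**6, 1000))
    print("key uses by a legitimate terminal over 5 rounds:", key_uses_by_legitimate_terminal(5))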
