Ludovic Rousseau wrote:
> Hello,
>
> On 18/10/05, Peter Tomlinson <[EMAIL PROTECTED]> wrote:
>
>> From the viewpoint of someone involved in advising on technical content
>> of the methods to be used to deliver secure services using smart cards
>> (i.e. I'm not a software developer), I am very concerned that such a
>> function is even being suggested.
>
> What would be the security risk(s) to know how many PIN tries are left
> or the total number of tries?

The VERIFY command according to ISO 7816-4 can also return the number of tries left for a PIN. I quote:

"P2='00' is reserved to indicate that no particular qualifier is used, in those cards where the VERIFY command references the secret data unambiguously. The reference data number may be for example a password number or a short EF identifier. When the body is empty, the command may be used either to retrieve the number 'X' of further allowed retries (SW1-SW2='63CX') or to check whether the verification is not required (SW1-SW2='9000')."

So at least also in this specification the same security risk is given, if there is any.

The MuscleCardApplet does the same thing in a similar way. So if this function is not implemented, the same functionality can be reached with the following: try to verify a PIN with an invalid PIN. This returns the maximum tries + 1 or the tries left for a PIN.

I believe there is a use for this function in the PKCS#11 specification.

>> More generally, I have been looking in
>> vain for any security model work in the MCardApplet area, as changes
>> should only be made with the agreement of a security group.

Are there any specifications for a protocol which can be used for the verification of this smart card protocol? Does GSM or EMV define one? I have not found one.

Karsten

> This list _is_ the security group :-)
>
> I agree that a security model would be great. Please provide a draft.
>
> Regards,
>
> --
> Dr. Ludovic Rousseau
> For private mail use [EMAIL PROTECTED] and not "big brother" Google
>
> _______________________________________________
> Muscle mailing list
> [email protected]
> http://lists.drizzle.com/mailman/listinfo/muscle
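The empty-body VERIFY query described in the quoted ISO 7816-4 text, as an added example that is not part of the thread or of the MuscleCard code: it builds the case-1 APDU (INS '20' is the ISO 7816-4 VERIFY instruction), decodes the 63CX / 9000 status words, and maps the result onto the PKCS#11 PIN-state flags a middleware would use to warn the user. The PKCS#11 mapping, the 6983 "authentication method blocked" case and the optional `max_tries` parameter are my assumptions, not something the thread specifies.

```python
"""Decode ISO 7816-4 VERIFY status words without spending a PIN try (added example)."""
from dataclasses import dataclass
from typing import Optional

VERIFY_INS = 0x20  # ISO 7816-4 INS byte for VERIFY

# PKCS#11 CK_TOKEN_INFO flag values (assumed mapping; values per the PKCS#11 spec)
CKF_USER_PIN_COUNT_LOW = 0x00010000
CKF_USER_PIN_FINAL_TRY = 0x00020000
CKF_USER_PIN_LOCKED = 0x00040000


def build_verify_query(p2: int = 0x00, cla: int = 0x00) -> bytes:
    """Case-1 APDU: VERIFY with an empty body. P2='00' when the card references
    the secret data unambiguously; otherwise P2 selects the PIN reference."""
    return bytes([cla, VERIFY_INS, 0x00, p2])


@dataclass
class VerifyStatus:
    sw: int                       # SW1-SW2 as a 16-bit value
    retries_left: Optional[int]   # X from 63CX; None when the card does not report it
    verified: bool                # 9000: verification not required (or already done)
    blocked: bool                 # 6983: authentication method blocked (assumed case)


def decode_verify_sw(resp: bytes) -> VerifyStatus:
    """Interpret the status word at the end of a VERIFY response."""
    if len(resp) < 2:
        raise ValueError("response shorter than SW1-SW2")
    sw1, sw2 = resp[-2], resp[-1]
    sw = (sw1 << 8) | sw2
    if sw == 0x9000:
        return VerifyStatus(sw, None, True, False)
    if sw1 == 0x63 and (sw2 & 0xF0) == 0xC0:   # 63CX: X further retries allowed
        return VerifyStatus(sw, sw2 & 0x0F, False, False)
    if sw == 0x6983:
        return VerifyStatus(sw, 0, False, True)
    return VerifyStatus(sw, None, False, False)


def pkcs11_pin_flags(status: VerifyStatus, max_tries: Optional[int] = None) -> int:
    """Translate the retry counter into PKCS#11 token flags (assumed mapping).
    COUNT_LOW needs the card's maximum, which the card does not report here."""
    if status.blocked or status.retries_left == 0:
        return CKF_USER_PIN_LOCKED
    if status.retries_left == 1:
        return CKF_USER_PIN_FINAL_TRY
    if max_tries is not None and status.retries_left is not None and status.retries_left < max_tries:
        return CKF_USER_PIN_COUNT_LOW
    return 0
```

Sending `build_verify_query()` to a card that supports the empty-body form reports the counter without decrementing it, which is what a middleware wants before it prompts the user.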
