1) The number of tries and the retry reset value are specified in the relevant 
standards available free for the downloading.
 
2) Before considering remedies we have to know the attack and its probability 
of success.  What attacks does knowing the current and reset retry value 
enable? 
 
3) Said another way, if these cards are so damn secure why does everybody in 
the industry get their pants in such a bunch when information about how they 
work is discussed? Because of this head-in-the-sand, "hear no evil, speak no 
evil, see no evil" approach to security the industry missed power attacks, 
timing attacks, error attacks, and electromagnetic attacks.  
 
4) Security by group agreement gave us ISO/IEC 7816, CEPS, IAS, IETP, etc.  
Security designed by a committee doesn't have the deep coherency and 
consistency that is required.
 
IMHO as always.
 
Cheers, Scott

        -----Original Message----- 
        From: [EMAIL PROTECTED] on behalf of Peter Tomlinson 
        Sent: Tue 10/18/2005 4:58 AM 
        To: MUSCLE 
        Cc: David Everett (SCG) 
        Subject: Re: [Muscle] MCardApplet Getting PIN tries
        
        

         From the viewpoint of someone involved in advising on technical content
        of the methods to be used to deliver secure services using smart cards
        (i.e. I'm not a software developer), I am very concerned that such a
        function is even being suggested. More generally, I have been looking in
        vain for any security model work in the MCardApplet area, as changes
        should only be made with the agreement of a security group.
        
        DC any comment?
        
        Regards,
        
        Peter
        
        Peter Tomlinson
        Iosis Associates
        UK
        
        
        Karsten Ohme wrote:
        
        > Hello,
        >
        > I need a function for libmusclecard and the MCardApplet which returns
        >  the current number of tries left and the total number of tries of a
        > PIN/ID. I could extend (MSC)GetStatus, but is this the right place?
        > Are there any security considerations being able to read this
        > information?
        >
        > Thanks, Karsten
        > _______________________________________________
        > Muscle mailing list [email protected]
        > http://lists.drizzle.com/mailman/listinfo/muscle
        >
        

