That's not cruel, that's a business and security practice: imagine that card free space is sorta "rented" by card owners to application providers :-) And allowing evil applications to be installed on already issued cards is always a bad thing, even if it cannot harm other on-card applications: there's an applet firewall that enforces strict data sharing rules, which usually prevents any bit from crossing application boundaries!

Sebastien

On Wed, Jun 17, 2009 at 1:30 AM, Daniel Benoy <[email protected]> wrote:
> Great, thanks for the reply :) I've been googling all over, but I
> couldn't really find an explanation for this basic question. For some
> reason that baffles me, smart cards aren't popular even among the nerdy
> community :p
>
> So, would I be correct in saying that you get no security benefit from
> changing the issuer domain key, except that whoever gets your card would
> be unable to use it for their own stuff? That actually sounds like a
> cruel 'feature', to poison the cards against competitors. (Prevent me
> from wiping out my Visa card and installing MuscleCard on it, for
> example :p)
>
> I suppose perhaps there's some hypothetical scenario, though, where
> someone could secretly take your card, and install some malicious
> program on it, which stores their PIN or otherwise does something
> tricky... Hm.
>
> On Tue, 2009-06-16 at 23:11 +0200, Sébastien Lorquet wrote:
> > Hi,
> >
> > GP keys are used to manage the card contents, i.e. add/remove applets
> > and packages.
> >
> > The worst an attacker can do is remove the applet instance along with
> > its data and reinstantiate it. But data allocated in the applet is
> > never readable from the outside, otherwise banks would not use chip
> > credit cards :-)
> >
> > Your current keys are probably 404142434445464748494A4B4C4D4E4F, like
> > all development Cyberflex cards :)
> > So they're not really secret until you change them using the PUT KEY
> > command.
> > But don't forget to write them down somewhere in a secure place :-)
> >
> > In general if the card is for you only, you don't need to change the
> > security domain keys.
> >
> > Regards,
> > Sebastien
> >
> > _______________________________________________
> > Muscle mailing list
> > [email protected]
> > http://lists.drizzle.com/mailman/listinfo/muscle
