On 01/26/2011 08:46 PM, Andreas Jellinghaus wrote:
> On Wednesday 26 January 2011, at 12:12:42, Nikos
> Mavrogiannopoulos wrote:
>> I don't understand what you mean by a reasonable enrollment
>> system, however having seen the EMV protocol, I believe that the
>> available PKCS #11 compatible smart-cards have a much higher
>> security level than EMV bank cards. It seems the only criteria for
>> banks evaluating protocols and technologies is their complexity.
> hu? can you go into details?

On EMV complexity? I suppose that you have read the 4 books describing
and the numerous options that might be enabled or not. That complexity
leads to attacks like the Murdoch one at:
http://www.cl.cam.ac.uk/research/security/banking/nopin/
(which is not theoretical, no matter what EMVCo claims)

> I learned a lot about EMV in the past 10 months, and it doesn't seem 
> hard to me. Of course there is a lot of complexity involved, but it 
> is a partly online partly offline payment system with a very complex 
> decision system (accept transaction offline or online or decline 
> based on many different factors that can be personalized as 
> parameters). a pure pkcs#11 card has something like 10% of the
> number of features that an EMV card has? so comparing those two and 
> complaining about complexity seems to be quite unfair to me.

Not really. If you want to protect keys you must have few
operations you can verify, in order to ensure that it is only used as
expected. If you make a smart card with functionality that you
cannot describe in 2000 pages, then you cannot claim any security about
that card.

regards,
Nikos
_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
