Re: Dutch Transport Card Broken
> Not to defend the designers in any way or fashion, but I'd like to ask: how much security can you put into a plastic card, the size of a credit card, that has to perform its function in a secure manner, all in under 2 seconds (in under 1 second in parts of Asia)? And it has to do this while receiving its power via the electromagnetic field being generated by the reader.

You are raising a very interesting point. The constraints under which RFIDs and contactless smart-cards need to operate seem to vary widely depending on the application. The Mifare Classic cards, for example, authenticate in under 2 ms, but wouldn't need to be that fast, as you point out. Their crypto is also very small, much smaller even than their flash memory. What good is it, though, to have a lot of memory that is badly protected? Last, the power consumption of the Mifare cards is certainly lower than others, which doesn't matter, though, in the near field, where even microprocessor-based designs can operate. This is where contactless smart-cards and RFIDs often get confused. Only for the latter is power consumption a limiting constraint.

To answer your question directly: within the limits of Mifare Classic (48-bit cipher, 16-bit RNG), one can build a 64-bit cipher that generates 'random' numbers internally. Within the same limits, one could almost implement TEA, which at least has undergone its share of peer review. Again: trading some of the memory for this much higher level of security would certainly have been worth it.

- The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
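To make the "one could almost implement TEA" remark concrete, here is TEA (Wheeler and Needham's Tiny Encryption Algorithm) in pure Python. This is an added illustration, not code from the post, from NXP, or from any Mifare product; the word layout, the 32-cycle schedule and the big-endian byte wrapper are the usual textbook choices and are assumptions of this example. The `equivalent_key` helper shows the best-known result of the peer review the post alludes to: flipping the top bit of both k0 and k1 (or of both k2 and k3) leaves every round unchanged, so TEA's effective key length is 126 bits rather than 128. That is still a very different proposition from a 48-bit cipher.

```python
# TEA (Tiny Encryption Algorithm) in pure Python.
# Added illustration for this thread; not code from the post or from any
# Mifare product. Widths are TEA's own: 64-bit block, 128-bit key.

MASK32 = 0xFFFFFFFF
DELTA = 0x9E3779B9   # TEA's golden-ratio constant
CYCLES = 32          # 32 cycles = 64 Feistel rounds (the standard setting)


def tea_encrypt(v0, v1, key):
    """Encrypt one 64-bit block given as two 32-bit words with a 4-word key."""
    k0, k1, k2, k3 = key
    s = 0
    for _ in range(CYCLES):
        s = (s + DELTA) & MASK32
        v0 = (v0 + (((v1 << 4) + k0) ^ (v1 + s) ^ ((v1 >> 5) + k1))) & MASK32
        v1 = (v1 + (((v0 << 4) + k2) ^ (v0 + s) ^ ((v0 >> 5) + k3))) & MASK32
    return v0, v1


def tea_decrypt(v0, v1, key):
    """Inverse of tea_encrypt: the same schedule run backwards."""
    k0, k1, k2, k3 = key
    s = (DELTA * CYCLES) & MASK32
    for _ in range(CYCLES):
        v1 = (v1 - (((v0 << 4) + k2) ^ (v0 + s) ^ ((v0 >> 5) + k3))) & MASK32
        v0 = (v0 - (((v1 << 4) + k0) ^ (v1 + s) ^ ((v1 >> 5) + k1))) & MASK32
        s = (s - DELTA) & MASK32
    return v0, v1


def _words(data, count):
    """Split `data` into `count` big-endian 32-bit words (layout assumed here)."""
    return tuple(int.from_bytes(data[4 * i:4 * i + 4], "big") for i in range(count))


def encrypt_block(plaintext: bytes, key: bytes) -> bytes:
    """Byte-oriented wrapper: 8-byte block, 16-byte key."""
    if len(plaintext) != 8 or len(key) != 16:
        raise ValueError("TEA needs an 8-byte block and a 16-byte key")
    c0, c1 = tea_encrypt(*_words(plaintext, 2), _words(key, 4))
    return c0.to_bytes(4, "big") + c1.to_bytes(4, "big")


def decrypt_block(ciphertext: bytes, key: bytes) -> bytes:
    if len(ciphertext) != 8 or len(key) != 16:
        raise ValueError("TEA needs an 8-byte block and a 16-byte key")
    p0, p1 = tea_decrypt(*_words(ciphertext, 2), _words(key, 4))
    return p0.to_bytes(4, "big") + p1.to_bytes(4, "big")


def equivalent_key(key):
    """One of the three keys equivalent to `key`.

    Flipping bit 31 of both k0 and k1 flips bit 31 of the two XORed terms
    ((v<<4)+k0) and ((v>>5)+k1) in every round; the flips cancel, so the
    ciphertext is unchanged. This is why TEA's effective key length is 126 bits.
    """
    k0, k1, k2, k3 = key
    return (k0 ^ 0x80000000, k1 ^ 0x80000000, k2, k3)


if __name__ == "__main__":
    k = (0x01234567, 0x89ABCDEF, 0xFEDCBA98, 0x76543210)   # constructed sample key
    c = tea_encrypt(0xDEADBEEF, 0x00C0FFEE, k)
    print("ciphertext words:", [hex(w) for w in c])
    print("round trip ok:", tea_decrypt(*c, k) == (0xDEADBEEF, 0x00C0FFEE))
    print("equivalent key gives same ciphertext:",
          tea_encrypt(0xDEADBEEF, 0x00C0FFEE, equivalent_key(k)) == c)
```

The whole cipher is the two loops, which is the point the post makes about code size. The equivalent-key property is the reason XTEA was later published as a corrected variant; it is the kind of weakness that only turns up once a design is public and reviewed, which a proprietary 48-bit stream cipher never was.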
Re: VaultID
Leichter, Jerry [EMAIL PROTECTED] writes:

> Anyone know anything about these guys? (www.vaultid.com). They are trying to implement one-time credit card numbers on devices you take with you - initially cell phones and PDAs, eventually in a credit card form factor. The general idea seems good, but their heavy reliance on fingerprint recognition is troubling (though it may be appropriate in their particular application).

From what I can gather from their black text on a dark-grey background, all they're implementing is one-time CC numbers on various devices. Banks have been using one-time CC numbers for a while now; all this is doing is garnishing them with an extra layer of biometric magic. The important thing isn't the biometrics, it's the one-use-only CC number that provides the security, and that's not really new.

Peter.
Re: Lack of fraud reporting paths considered harmful.
Perry E. Metzger wrote:

> The call-the-customer-and-reissue mechanism is a mediocre solution to the fraud problem, but it is the one we have these days.

Why is it a mediocre solution? The credit card number is a widely shared secret. It has been known for centuries that widely shared secrets have a short life expectancy and should be frequently re-issued.

The only better solution is unshared secrets. Is that what you had in mind? Instead of the customer sharing his secret with the merchant, and the merchant checking it with the bank, the customer should prove to the bank that the person who knows the secret wishes to pay the merchant for the identified promise.
fyi: independent contactless card e-money scheme called sQuid (UK)
independent contactless card e-money scheme called sQuid (UK)
squidcard.com

From: Peter Tomlinson [EMAIL PROTECTED]
Subject: Re: Fwd: ID Stronghold
To: [EMAIL PROTECTED]
Date: Mon, 28 Jan 2008 16:02:51 +

Roland Perry wrote:
> In article [EMAIL PROTECTED], Peter Tomlinson [EMAIL PROTECTED] writes
>> I have yet to find a Paywave enabled retailer.
> Saw one on Saturday in London - a small newsagent. Although I should perhaps mention that Barclays variously call it OnePulse and OneTouch, and never mention Paywave; just to keep the confusion marketing in top gear.
>> I'm looking for a Mastercard Paypass
> Is this yet another brand name? (Four and counting...) Does it interoperate with Paywave/OnePulse/OneTouch?

Here is another one: Barclays use the Visa method, which was initially called Visa Wave, and early news of it came out of Singapore. Both methods (Mastercard and Visa) should work through the same terminal, but I don't yet have proof. Then there is an independent contactless card e-money scheme called sQuid just launching (squidcard.com), and they will want to use the same terminals...

Peter
--
Re: malware in digital photo frames infects users computers
John Ioannidis [EMAIL PROTECTED] writes:

> Alex Alten wrote:
>> Great. What next? I guess air-gap transfer of flash memory might be the best solution.
>> Malware's new infection route: photo frames
>> http://www.sfgate.com/cgi-bin/article.cgi?file=/c/a/2008/01/26/MNE7UHOOQ.DTL
> For starters, you can turn off the feature that auto-runs code from the inserted media. And if thine eye offend thee, pluck it out.

It's not that easy. Windows relies on autoplay for software installs (that is, its intended use is to automatically run the installer when you insert a software CD). Turning this off is probably going to cause an avalanche of user support calls when their software stops working. It is possible to turn off autoplay just for USB devices through an obscure registry hack, but this may turn off automatic handling of your digital camera (and scanner, and ...) as well. In other words, when you plug in your digital camera to copy photos across, nothing happens, and the camera isn't recognised by Windows (I've seen this happen when you turn off the Still Image Service; there's no way to access your camera any more).

Peter.
Re: Lack of fraud reporting paths considered harmful.
James A. Donald [EMAIL PROTECTED] writes:

> Perry E. Metzger wrote:
>> The call-the-customer-and-reissue mechanism is a mediocre solution to the fraud problem, but it is the one we have these days.
> Why is it a mediocre solution? The credit card number is a widely shared secret. It has been known for centuries that widely shared secrets have a short life expectancy and should be frequently re-issued.
> The only better solution is unshared secrets. Is that what you had in mind?

Naturally. However, given what we have now, reissue is the only reasonable option.

--
Perry E. Metzger [EMAIL PROTECTED]
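The two threads above circle the same design point: a card number is a widely shared secret, so it leaks and has to be reissued, whereas a one-time value bound to a transaction (the one-use-only CC number Peter Gutmann describes in the VaultID thread, or James Donald's "customer proves to the bank that the person who knows the secret wishes to pay the merchant") gives a merchant nothing worth stealing. The sketch below is an added illustration of that idea, not a description of VaultID's product or of any bank's protocol, and the HMAC construction, field names and nonce handling are this example's own choices. The customer's secret is shared only with the bank; the merchant receives an authorisation it can forward but cannot reuse, alter or mint itself.

```python
# Pay-by-proof sketch: the customer's secret never reaches the merchant; the
# merchant only relays a one-time authorisation bound to (customer, merchant,
# amount, nonce). Added illustration for the thread; protocol details are
# this example's own assumptions, not any deployed scheme.
import hashlib
import hmac
import secrets


def _canonical(customer_id, merchant_id, amount_cents, nonce):
    """Length-prefixed encoding so fields cannot be shifted into one another."""
    parts = [customer_id.encode(), merchant_id.encode(),
             str(amount_cents).encode(), nonce]
    return b"".join(len(p).to_bytes(2, "big") + p for p in parts)


class Bank:
    def __init__(self):
        self._keys = {}      # customer_id -> secret; never sent to a merchant
        self._spent = set()  # (customer_id, nonce) pairs already honoured

    def enrol(self, customer_id):
        key = secrets.token_bytes(32)
        self._keys[customer_id] = key
        return key           # delivered to the customer's device out of band

    def settle(self, claim):
        """Merchant forwards the customer's claim; returns (accepted, reason)."""
        key = self._keys.get(claim["customer"])
        if key is None:
            return False, "unknown customer"
        nonce = bytes.fromhex(claim["nonce"])
        if (claim["customer"], nonce) in self._spent:
            return False, "replayed authorisation"
        msg = _canonical(claim["customer"], claim["merchant"], claim["amount"], nonce)
        expected = hmac.new(key, msg, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, bytes.fromhex(claim["proof"])):
            return False, "proof does not match customer, merchant and amount"
        self._spent.add((claim["customer"], nonce))
        return True, "paid"


class Customer:
    def __init__(self, customer_id, key):
        self.customer_id, self._key = customer_id, key

    def authorise(self, merchant_id, amount_cents):
        """Produce a single-use proof that this customer pays this merchant this amount."""
        nonce = secrets.token_bytes(16)  # fresh per transaction: makes the proof one-time
        msg = _canonical(self.customer_id, merchant_id, amount_cents, nonce)
        proof = hmac.new(self._key, msg, hashlib.sha256).digest()
        return {"customer": self.customer_id, "merchant": merchant_id,
                "amount": amount_cents, "nonce": nonce.hex(), "proof": proof.hex()}


def demo():
    """Run the honest flow plus the three things a dishonest merchant might try."""
    bank = Bank()
    alice = Customer("alice", bank.enrol("alice"))          # constructed sample customer
    claim = alice.authorise("newsagent-42", 250)            # 2.50 in cents, constructed
    # Merchant inflates the amount before forwarding: proof no longer matches.
    tampered = bank.settle(dict(claim, amount=2500))
    # Honest forwarding of the untouched claim is accepted exactly once.
    first = bank.settle(claim)
    replay = bank.settle(claim)
    # Merchant tries to mint a second payment with a fresh nonce but no key.
    forged = bank.settle(dict(claim, nonce=secrets.token_bytes(16).hex()))
    return {"tampered": tampered, "first": first, "replay": replay, "forged": forged}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:9s} -> {result}")
```

What the merchant holds after the sale is a proof that is useless anywhere else: it names the merchant and amount, so it cannot be redirected, and the bank's spent-nonce set makes it worthless a second time. Nothing in the claim lets a merchant derive the customer's key, which is the property a plain card number lacks and the reason reissue is the fallback Perry describes.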