Re: SC-based link encryption
At 7:58 PM -0800 1/3/07, Steve Schear wrote: I haven't been following the smartcard scene for a while. I'm looking to create a low-cost and portable link encryptor, with D-H or similar key exchange, for lower 100kbps data speeds. Is this possible? You could take an IPsec stack and repurpose it down one layer in the stack. At least that way you'll know the security properties of what you create. --Paul Hoffman, Director --VPN Consortium - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: Tamperproof, yet playing Tetris.
Perry E. Metzger [EMAIL PROTECTED] writes: Handheld Chip Pin terminals for reading credit cards in the UK are required to be tamperproof to avoid the possibility of people suborning them. Here is a report from a group that has not merely tampered with such a terminal, but has (as a demo) converted it into a tetris game to demonstrate that they can make it do whatever they like. From the Now it can be told department: Back in the early days of the WWW, there was no online credit-card based Internet payment system. This was before STT and SEPP and SET and all the others. There were things like Cybercash, but they were too complex to make much headway. There was however one company that could set up anyone to do live credit card processing over the Internet (they had a travelling dog pony show where they could demonstrate this to potential customers). This was (for the time) pretty amazing, something that no major CC vendor could offer. What they had done was set up an Internet front-end to hacked tamperproof POS terminals that effectively turned them into Internet-controlled remote payment devices, so as far as the acquirer was concerned the purchaser had swiped their card at the terminal and entered their PIN when in fact it was someone sitting at a laptop on the other side of the world. Peter. - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
Re: SC-based link encryption
On 01/05/2007 10:53 AM, Paul Hoffman wrote: You could take an IPsec stack and repurpose it down one layer in the stack. At least that way you'll know the security properties of what you create. That is a Good Idea that can be used in a wide range of situations. Here is some additional detail: This can be understood as follows: Half of IPsec tunnel mode can be described as IPIP encapsulation layered on top of transport mode which does the encryption and arranges for transport of the encrypted packets. The other half of IPsec is the SPDB, which is an important part of IPsec but is often underappreciated by non-experts. So ... one obvious way forward is to do what might be called L2sec (layer 2 security) in analogy to IPsec. That is, do layer-2-in-IP encapsulation using GRE or the like, and then layer that on top of IPsec transport mode. Then you make some straightforward tweaks to the SPDB and you've something pretty nice. As PH said, the security properties will be well known. This may sound like overkill, but it is likely to be /easier/ than anything else you can think of (not to mention more secure and more richly featured). - The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]