Re: EZ Pass and the fast lane ....
On Sat, 10 Jul 2004, Perry E. Metzger wrote:

> another purpose -- preserving the privacy of drivers by using more
> complicated protocols. However, as the benefit of such systems is to
> people who are unlikely to have much voice in the construction of the
> system, and who are also unlikely to be willing to pay more money to
> gain privacy, I think the implementation of such tags is unlikely.

I think it would be easier to provide drivers with a simpler method of turning off their transponder. Recently ordered FasTrak tokens come with a mylar bag for this purpose, which is too unwieldy. A switch, however, might be enough.

This would not prevent an adversary from recording the IDs of cars that pass through toll gates. It would, however, prevent reading those IDs at other times.

-David

- The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
FasTrak information
Back in Fall 2003, David Wagner and I were looking at the FasTrak transponders used in the San Francisco Bay Area. We were more interested in the privacy aspects than in security, but we found some basic information that may be of interest given the current discussion about EZPass issues.

* FasTrak transponders use a spec called "Title 21," so called because it is specified in Title 21 of the California Code. You can find a copy here:
  http://www.dot.ca.gov/hq/traffops/elecsys/title21/title21a.htm

  Highlights
  - 915 MHz band
  - Protocol includes a 16-bit "Agency ID" and a 32-bit "Reader ID" in the message from reader to transponder. (Unfortunately, neither appears to be authenticated in any way.)
  - 32-bit transponder ID

* In principle, anyone can manufacture Title 21 compliant equipment. In practice, SIRIT Technologies is a major vendor of Title 21 transponders and readers in the Bay Area. You can find them at
  http://www.sirit.com/default.asp?sectionID=2&action=open&pageID=79
  (includes data sheets - check the reader controller card)

  Another such vendor is TransCore (aka AmTech)
  http://www.transcore.com/technology/techapps.htm

  We looked into purchasing a reader controller card and antenna from SIRIT, but were informed
  a) such a kit would cost $7K+
  b) they would not sell to anyone w/o CalTrans authorization.

  We asked CalTrans about b) and were told that they would not authorize SIRIT to sell transponders to us, but we were free to build our own. They also suggested we talk to the university's transportation department to come up with a research proposal "acceptable to CalTrans." We then became occupied with library RFID and didn't come back to FasTrak.

  I don't have the EE skills to build FasTrak readers, and right now don't have the time to spend acquiring them. If anyone out there feels like building this sort of thing, though, please let me know.

* Automatic number plate recognition (ANPR) has apparently improved greatly in recent years. I gather this from reading recent articles in transportation magazines and journals -- I do not have the references on me but can look them up this weekend. Unfortunately I didn't find any hard data on how much, exactly, it has improved.

  From what I understand, the London congestion charging scheme relies entirely on automatic plate recognition. See also this web page on police uses of ANPR in the UK:
  http://www.pito.org.uk/what_we_do/identification/anpr.htm

  Also interesting is this list of cities with congestion pricing, which has some information on the technologies they use for vehicle identification:
  http://www.tfl.gov.uk/tfl/cc_fact_sheet_other_schemes.shtml

---

We were interested in the setting where a 3rd party has FasTrak readers, but not access to the database mapping ID to account. This seems like the weakest reasonable threat model, but there are still some interesting things you can do.

For example, you could set up a device that takes photographs of cars and associates them with FasTrak IDs. Then buy a lot of pop-under ads, put the photos on them, and offer people a prize if they identify the make of car correctly. (You could use something like the ESP Game framework of Blum and Von Ahn to make sure the answers are right, or at least right more often.) Now filter out everything but the expensive (or easy to steal) cars. This gives you the FasTrak IDs of expensive cars. Place a few readers in parking garages, and then you know when expensive cars have been left alone and where they are. That might be useful.

By the way, a friend mentioned that someone at AT&T had some recent work on EZPass privacy issues. Does anyone know more?

-David Molnar
Re: AES timing attacks, why not "whiten" the implementation?
On Thu, 23 Jun 2005, Beryllium Sphere LLC wrote:

> Can you destroy the relationship between key contents and timing
> without hurting average run time?
>
> Each round of AES has sixteen table lookups. If you permute the order
> in which the implementation does the lookups, then you get a
> completely different pattern of cache hits and misses. If you permute
> the order of lookups in a key-independent fashion for every encryption
> operation then each key has 16! or almost 21 trillion possible timings.
>
> If I'm not making sense in English, schematic pseudocode would look like
>
> Let indirection_array=random permutation of (0..15)

1) How do you generate this in a way that does not leak information about the permutation generated?
2) How many times can you re-use a single indirection array?
3) How quickly can you generate new indirection arrays?

-David Molnar
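The indirection-array idea quoted in the message above, as an added example in C that is not part of the original thread: it draws an unbiased random visiting order for sixteen lookups and checks that one round's output does not depend on that order. The table contents, the xorshift byte source and all function names are constructed for illustration; a real implementation would use the AES tables and a CSPRNG.

```c
#include <stdint.h>

static uint32_t table[256];              /* constructed stand-in, not a real AES T-table */
static uint32_t rng_state = 0x2545F491u; /* fixed seed so the example is reproducible */

/* Placeholder byte source so the example runs offline; use a CSPRNG in practice. */
static uint8_t next_byte(void) {
    rng_state ^= rng_state << 13; rng_state ^= rng_state >> 17; rng_state ^= rng_state << 5;
    return (uint8_t)(rng_state >> 24);
}

/* Fisher-Yates with rejection sampling, so all 16! orders are equally likely.
 * The swap indexes order[] at the secret position j: this is question 1. */
static void make_order(uint8_t order[16]) {
    for (int i = 0; i < 16; i++) order[i] = (uint8_t)i;
    for (int i = 15; i > 0; i--) {
        unsigned n = (unsigned)i + 1, limit = 256 - (256 % n), b;
        do { b = next_byte(); } while (b >= limit);   /* discard biased draws */
        unsigned j = b % n;
        uint8_t tmp = order[i]; order[i] = order[j]; order[j] = tmp;
    }
}

/* Sixteen lookups XORed into four column words, visited in the order given. */
static void round_lookups(const uint8_t st[16], const uint8_t order[16], uint32_t col[4]) {
    col[0] = col[1] = col[2] = col[3] = 0;
    for (int k = 0; k < 16; k++) {
        unsigned i = order[k], r = 8 * (i & 3);       /* which lookup, and its rotation */
        uint32_t t = table[st[i]];
        col[i >> 2] ^= (t << r) | (t >> ((32 - r) & 31));
    }
}

/* Returns 1 if order[] is a permutation of 0..15 and yields the same output as 0..15. */
static int check_once(void) {
    uint8_t st[16], ident[16], order[16];
    uint32_t a[4], b[4], seen = 0;
    for (uint32_t i = 0; i < 256; i++) table[i] = (i * 0x9E3779B1u) ^ 0x63636363u;
    for (int i = 0; i < 16; i++) { st[i] = (uint8_t)(i * 17 + 3); ident[i] = (uint8_t)i; }
    make_order(order);
    for (int i = 0; i < 16; i++) seen |= 1u << order[i];
    round_lookups(st, ident, a);
    round_lookups(st, order, b);
    return seen == 0xFFFFu && a[0] == b[0] && a[1] == b[1] && a[2] == b[2] && a[3] == b[3];
}

int main(void) { return check_once() ? 0 : 1; }
```
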
Re: EMV [was: Re: Why Blockbuster looks at your ID.]
On Sat, 9 Jul 2005, Jörn Schmidt wrote:

> less attractive to commit credit card fraud. You are, however, not
> making it harder. That's why I believe the credit card companies will
> indeed have a good, long look at smartcards. Probably not tomorrow or
> next week but in the near future.

Actually, smart cards are here today. My local movie theatre in Berkeley, California is participating in a trial for "MasterCard PayPass." There is a little antenna at the window; apparently you can just wave your card at the antenna to pay for tickets. I haven't observed anyone using it in person, but the infrastructure is there right now.

Here's the MasterCard fact sheet about PayPass:
http://www.paypass.com/fact_sheet.html

It appears to be a contactless smart card/RFID that uses the ISO 14443 standard for the RF interface. There is some documentation available, unfortunately most of it restricted to licensees.
https://mbe2stl101.mastercard.net/hsm2stl101/public/login/ebusiness/mobile_commerce/paypass/documentation/index.jsp

You can do some Google searching to find MasterCard's involvement in standards-setting for EMV via smart cards over the years. From that it is possible to guess what PayPass might be doing, but I would prefer to know for sure.

By the way, Visa is doing it too:
http://usa.visa.com/personal/cards/contactless/

Chase appears to be issuing them now; you can apply for one online.
www.chaseblink.com

From what I understand, contactless transactions are currently limited to $25 or less. This should reduce the incentive for someone to carry out the kind of relay/chess grandmaster attack described by Gerhard Hancke:
"A Practical Relay Attack on ISO 14443 Proximity Cards"
http://www.cl.cam.ac.uk/~gh275/relay.pdf

Hancke and Markus Kuhn have a paper on "distance bounding" protocols to combat this kind of relay attack. Unfortunately it does not appear to be on Hancke's web page yet.

One of the nice things about these cards is that they also support the standard card number on the front and magstripe. So you could imagine a situation where the number is used as normal until fraud is detected, then revoked, but the contactless pay capability is not revoked. I have no idea if that is what they actually do, though.

-David Molnar
Re: [fc-discuss] Financial Cryptography Update: On Digital Cash-like Payment Systems
On Thu, 20 Oct 2005, cyphrpunk wrote:

> system without excessive complications. Only the fifth point, the
> ability for outsiders to monitor the amount of cash in circulation, is
> not satisfied. But even then, the ecash mint software, and procedures
> and controls followed by the issuer, could be designed to allow third
> party audits similarly to how paper money cash issuers might be
> audited today.

One approach, investigated by Hal Finney, is to run the mint on a platform that allows remote attestation. Check out rpow.net - he has a working implementation of a proof of work payment system hosted on an IBM 4758.

-David Molnar