[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: OT: Smartcards and Physical Security [Was: Re: Backport of the integer overflow in the brk system call]

On Wed, 3 Dec 2003 12:34, Don Armstrong <don@donarmstrong.com> wrote:
> Smartcards are not a magical panacea either.


> The problems associated
> with them aren't too terribly different from those associated with
> keys or other forms of physical security, notably, that they can be
> stolen, or the output from them duplicated.

Using a smart-card means that logging in does not merely require "something 
you know" but also "something you have".  All the good security guides say 
that security should depend on "something you know and something you have", 
smart-cards plus a password meets this criteria.

> Refer to the ongoing saga
> between DirectTV and satelite pirates for a trivially applicable
> example.

That's a case of a smart-card used to decode distributed content (IE something 
like DECSS in principle).  Encryption of one to many is a very different 
problem to individual encryption/authentication.  The problem we are trying 
to solve is easier.  Also in the DirectTV saga cracking the cards allegedly 
cost $25M.

GPG smart-cards are entering the market.  If GPG is crackable then we have 
lost regardless.  If GPG is secure then GPG smart-cards will do as long as 
they are not stolen.  Having revokation proceedures for stolen cards and DD's 
reliable enough to follow them should deal with this.

> From my perspective, Smartcards do little to raise the bar. They
> merely move the bar sideways.

I think that they raise the bar a lot.  They raise it from something that can 
be cracked by any script kiddie to something that requires a lot of money and 
expertise.  That is a significant benefit.

http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

Reply to: