biometrics

Dan Geer geer at world.std.com
Tue Feb 5 20:59:08 EST 2002


|    At 07:59 PM 1/26/2002 -0500, Scott Guthery wrote:
|    >(A test GSM authentication algorithm, COMP128, was attacked
|    >but it is not used in any large GSM networks.  And it
|    >was the algorithm not the SIM that was attacked.)
|    
|    and at "Sun, 27 Jan 2002 13:56:13 EST." Greg Rose answered:
|    There are two problems with this statement. The first is that while
|    COMP128 was a "demonstration" (not "test") algorithm, it turns out
|    that well over half of the deployed GSM systems do in fact use it.
|    And there is a very interesting paper coming soon to a conference
|    but the program hasn't yet been announced, so I can't yet say any
|    more, but it attacks the SIM. Ross Anderson and Markus Kuhn and
|    their group at Cambridge have done some very impressive work on
|    getting secrets out of SIMs and smartcards in general.

The "if you knew what I knew" thing always encourages me to,
shall we say, write, but notwithstanding that, Ross and Markus,
as much as I admire them, are not exactly scalable as attack
tools.  Perhaps it is because of my workaday preoccupation with
helping the user community spend economically rational amounts
of money for economically rational amounts of security, but
unless someone is about to can Ross_&_Markus in a script and
put that on IRC for our everlasting global amusement, I'd score
Round One for Scott.

Best,

--dan


---------------------------------------------------------------------
The Cryptography Mailing List