Welcome to the Internet, here's your private key

Arnold G. Reinhold reinhold at world.std.com
Wed Feb 6 09:37:06 EST 2002


At 6:18 PM -0500 2/5/02, Ryan McBride wrote:
>On Tue, Feb 05, 2002 at 11:16:40AM -0800, Bill Frantz wrote:
>> I expect you could initialize the random data in that memory during
>> manufacture with little loss of real security.  (If you are concerned about
>> the card's manufacturer, then you have bigger problems.  If anyone does,
>> the manufacturer has the necessary equipment to extract data from secret
>> parts of the card, install Trojans etc.)
>
>"They say a secret is something you tell one other person"
>  -- U2, "The Fly"
>
>While it is true that most users of smartcards will choose to simply
>trust the manufacturer, paranoid users could use an n choose m type of
>approach to achieve a certain level of assurance. In most cases
>verifying that a card is trojan free is a destructive process, so the
>user would test a relatively low percentage of cards and make the
>penalty for cheating high enough to ensure that the manufacturer stays
>honest.

One criterion for a cryptographic system that is rarely mentioned is 
auditability. To the maximum extent possible users should be able to 
verify every component of the system that affects security. We have 
gotten too used to systems so bloated that no one can know 
what's in them. There are historic reasons for this but that is no 
excuse. Finding out how to simplify systems is far more important 
today than designing the next great cipher.  A great virtue of doing 
all crypto on a smart card is that they can be verified, at least 
with some effort.


>Having the manufacturer provide the random data changes the burden of
>proof drastically - there is no way to _prove_ that they did not
>retain a copy of the random data, while it can be proved that they did
>not try to cheat simply by testing all the cards.

And creates a potential legal liability for the smart card 
manufacturer. This gets to the original question of this thread. I 
wonder why the CA's lawyers let them generate private keys 
themselves. If it ever came out that private keys were misused by CA 
employees or even someone who penetrated their security, they would 
be legally defenseless, all the gobbledygook in their practice 
statements notwithstanding. There is no good business reason for a 
CA to generate private keys and very powerful business reasons for 
them not to.


Arnold Reinhold
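
The "n choose m" sampling argument quoted above can be made concrete. The following is an added worked example, not code from this thread or from any of its participants: it models a buyer who receives `total` cards, of which a dishonest manufacturer has tampered with `compromised`, and who destructively inspects `sampled` cards chosen uniformly at random. Because cards are drawn without replacement, the number of tampered cards in the sample is hypergeometric, and the chance of catching at least one is 1 - C(total - compromised, sampled) / C(total, sampled). All quantities, including the 1000-card batch in the table, are constructed for illustration.

```python
"""
Acceptance-sampling model for destructive smart-card inspection.

The buyer cannot prove a card is trojan-free without destroying it, so
the question is how many cards must be sacrificed to catch a cheating
manufacturer with a given confidence. All figures here are constructed
for illustration; they are not measurements of any real product.
"""
from fractions import Fraction
from math import comb


def detection_probability(total: int, compromised: int, sampled: int) -> Fraction:
    """Exact probability that a uniformly random sample of `sampled` cards,
    drawn without replacement from `total`, contains at least one of the
    `compromised` tampered cards.

    P(detect) = 1 - C(total - compromised, sampled) / C(total, sampled)
    """
    if not (0 <= compromised <= total) or not (0 <= sampled <= total):
        raise ValueError("require 0 <= compromised <= total and 0 <= sampled <= total")
    if compromised == 0:
        return Fraction(0)  # nothing to find, so nothing can be detected
    # math.comb(n, k) returns 0 when k > n, which correctly gives P(miss) = 0
    # once the sample is larger than the number of untampered cards.
    p_miss = Fraction(comb(total - compromised, sampled), comb(total, sampled))
    return 1 - p_miss


def sample_size_for_confidence(total: int, compromised: int, confidence: float) -> int:
    """Smallest number of cards to destroy so that P(detect) >= confidence,
    assuming the manufacturer tampered with exactly `compromised` cards.

    Returns total + 1 when no sample size can reach the target (only
    possible when compromised == 0).
    """
    if compromised == 0:
        return total + 1
    for m in range(1, total + 1):
        if detection_probability(total, compromised, m) >= confidence:
            return m
    return total + 1  # not reached for compromised >= 1 and confidence <= 1


def detection_table(total: int, sample_sizes, tampered_counts):
    """Rows of (compromised, sampled, P(detect) as float) for a quick
    look at how the sampling fraction trades off against the fraction of
    cards a cheater would have to tamper with."""
    return [
        (k, m, float(detection_probability(total, k, m)))
        for k in tampered_counts
        for m in sample_sizes
    ]


if __name__ == "__main__":
    # Constructed scenario: a batch of 1000 cards, the buyer willing to
    # destroy 5% or 10% of them.
    TOTAL = 1000
    for k, m, p in detection_table(TOTAL, (50, 100), (1, 5, 10, 50, 500)):
        print(f"tampered={k:4d} sampled={m:3d}  P(detect)={p:.3f}")
    # How much must be destroyed for 95% confidence at each tampering level?
    for k in (1, 5, 10, 50, 500):
        print(f"tampered={k:4d}  cards to destroy for 95%: "
              f"{sample_size_for_confidence(TOTAL, k, 0.95)}")
```

The table makes the caveat behind the quoted argument visible: random destructive sampling only deters a manufacturer who would have to tamper with a sizeable fraction of the batch. Destroying 10% of 1000 cards catches a cheater who backdoored 50 of them almost every time, but catches one who backdoored a single targeted card only 10% of the time, and no penalty can be applied to cheating that is never observed. The approach therefore complements, rather than replaces, the kind of auditability Reinhold argues for.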

---------------------------------------------------------------------
The Cryptography Mailing List