security of limits in mondex (Re: Spending velocity limit implementation in smart cards)

R. A. Hettinga rah at shipwright.com
Tue Nov 12 18:57:38 EST 2002


--- begin forwarded text


Status: RO
Sender: <dbs at philodox.com>
Date: Tue, 12 Nov 2002 13:31:49 -0500
From: IanG <iang at systemics.com>
Reply-To: iang at systemics.com
To: Adam Back <adam at cypherspace.org>
Cc: anders.rundgren at telia.com,	Digital Bearer Settlement List
 <dbs at philodox.com>
Subject: Re: security of limits in mondex (Re: Spending velocity limit
 implementation in smart cards)

Adam Back wrote:

> I was wondering about this recently to do with mondex.  They claim, as
> you say, to have limits on transaction uploads, so the user could hide
> some transactions.  Indeed the user need never reconnect to the bank,
> always refilling via other users and spending to other users.
> Although they could if they chose implement something on the card to
> force it to connect within some maximum interval to the bank.
>
> And yet I thought they claimed to be able to have some liability
> limiting factors such as limits on card spending per month, and
> perhaps card spending ever.
>
> And the card itself is just a tamper resistant counter, and signed
> receipts are exchanged between cards to add to the counter (received
> payment) and subtract from the counter (send payment).
>
> But I think these claims are contradictory unless the limiting factors
> are implemented on the card, in which case they offer limited
> protection against someone extracting private keys from the card.
>
> So are they really uploading everything to bank via other cards even
> in peer to peer, or perhaps enough information (value, but not user or
> transaction description) to notice imbalances (corresponding to hacked
> bottomless cards)?  Or is it that the limits are in fact implemented on
> card and their likely effectiveness in combatting fraud from tampered
> cards exaggerated?

It's a real mess.  The first thing to realise is that
all the smart card money players practice security by
obscurity.  Mondex is particularly bad, as even people
trying to help them get slammed with NDAs that slow
down the information;  working with Mondex is like
swimming in molasses, it smells sweet, and you can do
it for a year without leaving the side of the pool.

What happens then is that actually, very few people
within the organisation know how it works.  And, those
that do are constrained to not reveal.  So what results
is a case of institutional cognitive dissonance, that
is, the various parts of the organisation holding
contradictory beliefs at the same time.

Do you recall when the Power Analysis thing was published
in America?  I was working in such a company at the time.
I didn't sign an NDA, but I won't reveal their name.

I took the work over to the security people and asked
them about it.  To my surprise, they knew all about it.
It turns out that all that stuff that had been published
had been known of in the European smart card industry,
all along.  But it was secret.  I saw the slides of the
presentations from TNO people where they listed the
attacks that the tests that they used on smart cards.
They didn't use the same words at TNO, but you could
match up the dots and draw the same picture.  These
slides were 5 years old at the time.

It was that work that got the security guys to admit
- to me - that the smart cards were defeatable.  Up
until then, they hadn't admitted it.  But, the rest
of the organisation remained convinced the cards were
undefeatable.

Why?  Because all the security was subject to a NDA or
secrecy order.  Which allowed all sorts of problems to
arise.

I have no internal knowledge of Mondex, but I see the
same process.  Those that know can't say, and those
that don't know (the truth) don't tell you they don't
know the truth.

It is for reasons similar to this (but not precisely
the same issues) that I don't think smart card money
has a chance.  Some disagree.  Notably, Dave B is a
loyal pundit of the chip card.  Also, Rachel has
tramped that path for 7 long years.  If you ever need
to see proof that smart card money is doomed, look at
Intertrader.  For all that time, they demonstrated
that smart cards could be used as money over the net.

Mondex remain blithely ignorant of this, in an
institutional sense.  Sure, 100 meetings later, the
names are all known, but are they aware, in a sentient
sense?  No.  My observations have led me to believe,
that, like Mars, there is no possibility of useful
life in smart card companies.

PS: I know I haven't answered the real question, as to
how Mondex does it.  The following is speculative:

There are 10 slots on the card for transactions, and
it is possible for the oldest ones to be wiped by
inserting new transactions.  Those transactions can
be read off by another card, if so organised, hence,
when doing an upload to the "bank", it can read off
the transactions.  Now, if the "bank" detects that
some of the transactions have been wiped, it can issue
a freeze command.

Here's where the cognitive dissonance comes in:  all
of the above is configurable.  That is, one Mondex
issue might do it that way, or not.  So, when asking
the question, the answer is yes, and no.  Hence, it
takes a long time and a lot of questions to figure
out how it works.

Even worse, any authority can simply say, no, that's
not the way it works, and refuse to elaborate.  And,
they would be correct.  And incorrect.  That's the
great thing about Mondex, it is everything you want
it to be.

-- 
iang

--- end forwarded text


-- 
-----------------
R. A. Hettinga <mailto: rah at ibuc.com>
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com
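
The 10-slot log and freeze-on-wipe scheme that the forwarded message describes as speculative can be modelled as below. This is an added example, not part of the original post and not Mondex code: the per-card sequence counter, the balance reconciliation and all names are assumptions, and only the slot count, the wiping of the oldest entries, the freeze command and the configurability come from the message.

```python
from collections import deque
from dataclasses import dataclass, field

LOG_SLOTS = 10  # slot count taken from the post


@dataclass
class Card:
    card_id: str
    balance: int = 0
    next_seq: int = 1          # assumed per-card transaction counter
    frozen: bool = False
    log: deque = field(default_factory=lambda: deque(maxlen=LOG_SLOTS))

    def record(self, amount: int) -> None:
        """Apply a signed value transfer (+received, -sent) and log it."""
        if self.frozen:
            raise PermissionError("card is frozen")
        if self.balance + amount < 0:
            raise ValueError("insufficient value on card")
        self.balance += amount
        self.log.append((self.next_seq, amount))  # a full log drops its oldest entry
        self.next_seq += 1


class Bank:
    def __init__(self, freeze_on_gap: bool = True):
        self.freeze_on_gap = freeze_on_gap  # issuer-configurable policy
        self.last_seen = {}                 # card_id -> (last seq, balance)

    def upload(self, card: Card) -> dict:
        """Read the card's log and reconcile it against the previous upload."""
        last_seq, last_balance = self.last_seen.get(card.card_id, (0, 0))
        new = [(s, a) for s, a in card.log if s > last_seq]
        missing = (card.next_seq - 1 - last_seq) - len(new)
        # Balance can only be checked when every transaction is visible.
        balance_ok = None if missing else last_balance + sum(a for _, a in new) == card.balance
        if (missing and self.freeze_on_gap) or balance_ok is False:
            card.frozen = True
        self.last_seen[card.card_id] = (card.next_seq - 1, card.balance)
        return {"missing": missing, "balance_ok": balance_ok, "frozen": card.frozen}


def run_card(bank: Bank, card_id: str, spends: int) -> dict:
    """Constructed scenario: one 500-unit load, then `spends` payments of 10."""
    card = Card(card_id)
    card.record(500)
    for _ in range(spends):
        card.record(-10)
    return bank.upload(card)
```

Both checks depend on values the card reports about itself, so they catch wiped history and an inconsistent counter on an intact card, not a card whose keys have been extracted, which is the limitation raised in the quoted question.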


