UK Detects Chip-And-PIN Security Flaw

Anne & Lynn Wheeler lynn at garlic.com
Wed Jun 7 11:43:06 EDT 2006


re:
http://www.garlic.com/~lynn/aadsm23.htm#54 Status of SRP
http://www.garlic.com/~lynn/aadsm23.htm#55 UK Detects Chip-And-PIN Security Flaw
http://www.garlic.com/~lynn/2006l.html#32 Google Architecture

as i mentioned, the x9a10 financial standards working group had been 
given the requirement to preserve the integrity of the financial 
infrastructure for all retail payments .... this included at least all 
kinds of internet, all kinds of POS, and all kinds of payments (debit, 
credit, stored-value, etc).

part of the resulting x9.59 financial standard was transaction 
authentication. session authentication had been looked at, and it was 
felt (compared to transaction authentication) it was much more 
vulnerable to end-point threats, mitm threats, as well as insider threats.

from at least some retailers comments that chip&pin wasn't appropriate 
for internet transactions ... it might be implied that chip&pin does 
session-like (as opposed to transaction) authentication ... regardless 
of whether it is SDA or DDA (possibly making it vulnerable to some of 
the end-point threats, mitm threats, and/or insider threats considered 
by the x9a10 financial standard effort).

UK Detects Chip-And-PIN Security Flaw
http://www.cardtechnology.com/article.html?id=20060606I2K75YS

using the x9.59 transaction authentication paradigm, i had started on 
the aads chips strawman.
http://www.garlic.com/~lynn/x959.html#aads

at the NISSC conference in 98, i had quipped that I was going to take a 
mil-spec security token, cost reduce it by two orders of magnitude while 
increasing its security. in a chip&pin reference this meant having a chip 
doing "DDA" at higher integrity than the chip&pin DDA chip ... but at 
lower cost than the chip&pin SDA chip. The aads chip strawman also 
needed to be able to do x9.59 transaction authentication within iso14443 
contactless power profile and within the transit industry turnstile 
timing requirements. a number of aads strawman chips were demonstrated 
in dec. 1999 at the world-wide retail banking show in miami, 
authenticating a variety of different kinds of financial and 
non-financial transactions.

i gave a presentation on assurance at the 2001 intel developer's forum 
(in the tpm track). I happened to quip during the presentation that it 
was nice to see that the TPM chip design had started to look more and 
more like the aads chip strawman over the previous year or so. the guy 
leading the TPM chip effort was in the front row and quipped back that it 
was because i didn't have a committee of 200 people helping me with my 
design.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
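The session-versus-transaction authentication contrast drawn in the post above, as an added example that is not part of the original message, of x9.59 or of the AADS strawman: a session-style check authenticates the card once against a challenge and then trusts whatever transaction follows, so a compromised terminal, a network MITM or an insider can rewrite amount and payee after the check; a transaction-style check computes the authenticator over the transaction fields themselves, so the rewrite fails verification, and a per-card counter inside the signed fields lets the issuer reject replays. All account numbers, payees, amounts and nonces are constructed, and an HMAC over a secret shared with the issuer stands in for the card's private-key signature (the real design uses public-key DDA-style signatures) so that the example runs on the standard library alone.

```python
import hashlib
import hmac
import json

# Constructed per-card secret. The real x9.59/AADS design has the card hold a
# private key and the issuer verify a public-key signature; an HMAC key shared
# with the issuer stands in for that here so the example runs on the standard
# library alone.
CARD_KEY = b"constructed-card-secret-0001"


def canonical(txn: dict) -> bytes:
    """Deterministic encoding of the transaction fields that get authenticated."""
    return json.dumps(txn, sort_keys=True, separators=(",", ":")).encode()


# --- Session-style authentication -------------------------------------------
# The card answers a challenge once; the transaction that follows travels over
# the "authenticated" session but carries no authenticator of its own.

def session_prove(key: bytes, challenge: bytes) -> bytes:
    return hmac.new(key, challenge, hashlib.sha256).digest()


def session_verify(key: bytes, challenge: bytes, proof: bytes) -> bool:
    return hmac.compare_digest(session_prove(key, challenge), proof)


# --- Transaction authentication (the x9.59 paradigm) ------------------------
# The authenticator is computed over the transaction fields themselves, so any
# party between the card and the issuer (merchant terminal, network, insider)
# cannot change amount or payee without the check failing.

def txn_sign(key: bytes, txn: dict) -> bytes:
    return hmac.new(key, canonical(txn), hashlib.sha256).digest()


def txn_verify(key: bytes, txn: dict, sig: bytes) -> bool:
    return hmac.compare_digest(txn_sign(key, txn), sig)


class Issuer:
    """Issuer-side check for transaction authentication, with replay tracking."""

    def __init__(self, key: bytes):
        self.key = key
        self.seen_counters = set()

    def accept(self, txn: dict, sig: bytes) -> bool:
        if not txn_verify(self.key, txn, sig):
            return False
        # A correctly signed transaction is still correctly signed when replayed,
        # so the signed fields carry a per-card counter the issuer remembers.
        if txn["counter"] in self.seen_counters:
            return False
        self.seen_counters.add(txn["counter"])
        return True


def mitm_rewrite(txn: dict) -> dict:
    """What a compromised terminal or a network MITM does after the card authenticated."""
    evil = dict(txn)
    evil["amount"] = "9999.00"
    evil["payee"] = "attacker-merchant"
    return evil


# Constructed sample transaction (all values invented for this example).
ORIGINAL_TXN = {
    "account": "4111-XXXX-XXXX-1111",
    "amount": "12.50",
    "payee": "coffee-shop-77",
    "counter": 1,
}


def session_scenario() -> bool:
    """True if the issuer ends up accepting the rewritten transaction (it does)."""
    challenge = b"constructed-nonce-42"
    proof = session_prove(CARD_KEY, challenge)
    tampered = mitm_rewrite(ORIGINAL_TXN)
    # The issuer only has the session proof to check; nothing binds it to the fields.
    issuer_ok = session_verify(CARD_KEY, challenge, proof)
    return issuer_ok and tampered["amount"] == "9999.00"


def transaction_scenario() -> tuple:
    """Returns (original accepted, tampered accepted, replay accepted)."""
    issuer = Issuer(CARD_KEY)
    sig = txn_sign(CARD_KEY, ORIGINAL_TXN)
    first = issuer.accept(ORIGINAL_TXN, sig)
    tampered = issuer.accept(mitm_rewrite(ORIGINAL_TXN), sig)
    replay = issuer.accept(ORIGINAL_TXN, sig)
    return first, tampered, replay


if __name__ == "__main__":
    print("session auth, tampered txn accepted:", session_scenario())
    print("txn auth (orig, tampered, replay):", transaction_scenario())
```

The point the two scenarios make is that the threat surface is decided by what the authenticator covers, not by how strong the card's crypto is: the session proof above is as strong as the transaction signature, yet it protects nothing past the challenge. Swapping the HMAC for a real signature over the same canonical bytes changes only who can verify (anyone holding the public key), not which fields are bound.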