UK Detects Chip-And-PIN Security Flaw
Anne & Lynn Wheeler
lynn at garlic.com
Wed Jun 7 11:43:06 EDT 2006
re:
http://www.garlic.com/~lynn/aadsm23.htm#54 Status of SRP
http://www.garlic.com/~lynn/aadsm23.htm#55 UK Detects Chip-And-PIN Security Flaw
http://www.garlic.com/~lynn/2006l.html#32 Google Architecture
as i mentioned, the x9a10 financial standards working group had been
given the requirement to preserve the integrity of the financial
infrastructure for all retail payments .... this included at least all
kinds of internet, all kinds of POS, and all kinds of payments (debit,
credit, stored-value, etc).
part of the resulting x9.59 financial standard was transaction
authentication. session authentication had been looked at, and it was
felt (compared to transaction authentication) it was much more
vulnerable to end-point threats, mitm threats, as well as insider threats.
from at least some retailers' comments that chip&pin wasn't appropriate
for internet transactions ... it might be implied that chip&pin does
session-like (as opposed to transaction) authentication ... regardless
of whether it is SDA or DDA (possibly making it vulnerable to some of
the end-point threats, mitm threats, and/or insider threats considered
by the x9a10 financial standard effort).
UK Detects Chip-And-PIN Security Flaw
http://www.cardtechnology.com/article.html?id=20060606I2K75YS
using the x9.59 transaction authentication paradigm, i had started on
the aads chips strawman.
http://www.garlic.com/~lynn/x959.html#aads
at the NISSC conference in 98, i had quipped that I was going to take a
mil-spec security token, cost reduce it by two orders of magnitude while
increasing its security. in a chip&pin reference this meant having a chip
doing "DDA" at higher integrity than the chip&pin DDA chip ... but at
lower cost than the chip&pin SDA chip. The aads chip strawman also
needed to be able to do x9.59 transaction authentication within iso14443
contactless power profile and within the transit industry turnstile
timing requirements. a number of aads strawman chips were demonstrated
in dec. 1999 at the world-wide retail banking show in miami,
authenticating a variety of different kinds of financial and
non-financial transactions.
i gave a presentation on assurance at the 2001 intel developer's forum
(in the tpm track). I happened to quip during the presentation that it
was nice to see that the TPM chip design had started to look more and
more like the aads chip strawman over the previous year or so. the guy
leading the TPM chip effort was in the front row and quipped back that it
was because i didn't have a committee of 200 people helping me with my
design.
---------------------------------------------------------------------
The Cryptography Mailing List