Dutch Transport Card Broken

Perry E. Metzger perry at piermont.com
Fri Jan 25 10:27:41 EST 2008


Aram Perez <aramperez at mac.com> writes:
>> Ed Felten has an interesting post on his blog about a Dutch smartcard
>> based transportation payment system that has been broken. Among other
>> foolishness, the designers used a custom cryptosystem and 48 bit keys.
>
> Not to defend the designers in any way or fashion, but I'd like to
> ask, How much security can you put into a plastic card, the size of a
> credit card, that has to perform its function in a secure manner, all
> in under 2 seconds (in under 1 second in parts of Asia)?

Several other transit systems have payment cards that have proven
remarkably resilient to attack. For example, the NYC "Metrocard"
system has been attacked repeatedly without significant breaks (but it
does not rely on its cards being tamperproof -- it is an online system
using magstripes).

The authors of the paper on the Dutch break claim that it would have
been possible to use far more secure means even given the basic
design, such as a non-proprietary crypto algorithm and longer keys. I
see no real reason to disbelieve this. In any case, if it was not
possible to do this with smartcards, existing, well proven mechanisms
that are in use in other transit systems could have been adopted. It
is not necessary to use an unimplementable architecture when
implementable and proven architectures exist.

Often we hear of a false need for "engineering tradeoffs" in such
circumstances. Engineering tradeoffs do indeed sometimes become
critical in security design. However, you should be very skeptical
when someone claims that they "need" to use a home grown crypto
algorithm or that they "need" to use a home grown protocol instead of
a well proven one. Generally these are not "engineering tradeoffs" but
reflections of ignorance on the part of the designers.

Perry
-- 
Perry E. Metzger		perry at piermont.com

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com


