Re: Smart card Authentification
From: lyal (lyalc_at_no.spam.no.ozemail.com.au)
Date: 08/10/04
Date: Tue, 10 Aug 2004 17:51:42 +1000
Several versions of this already exist, using either certificates or
symmetric key processes - EMV is one such model, and a lot of more
proprietary ones in smaller closed groups.
Note that this means the reader is customised to a specific series of
smartcard issuing - and vice versa. Cards and readers without the necessary
key(s) can't be used in the readers, thus the reader/smartcard may form a
closed group (which may have many members, but still a closed, exclusionary
group).
Secondly, Visa almost never issues certificates, or takes any other form of
liability. They (and Mastercard) often contract with others to do such
functionality for them, and wear all financial exposure.
Finally, there are several certificate transfers occurring here. With a
guaranteed speed of 2400 bits/sec, usually 9600 bps, and sometimes 115kbps,
each 5-10kbyte cert transfer may take several seconds, plus processing time.
I, for one, have better things to do than wait more than a couple of seconds
for machines to trust each other. Custom-specific readers and smartcards
will guarantee higher transfer (i.e. smartcard I/O) speeds, but they may no
longer conform to all requirements of, say, the ISO 7816 smartcard spec.
"Rony" <joe_the_black@yahoo-dot-com.no-spam.invalid> wrote in message
news:411852e0$1_2@127.0.0.1...
> Hi,
>
> I'm curious about how a smart card and a smart card reader
> communicate in a secure way.
>
> I'm thinking that they use public key cryptography to exchange the
> symmetrical keys. (For example, they use RSA to exchange the DES
> keys.)
>
> For example, the credit cards have as authority some central point,
> like VISA, that a terminal (ATM) can connect to, and retrieve the
> public key of VISA.
>
> I will describe you, the way that I think this is happening.
>
> First the public key of an issuer bank is signed with the private
> key of VISA. After this the smart card's own public key is signed by
> the private key.
>
> First, the reader (ATM) requests the card's issuer public key (that
> was previously signed by VISA), and the card sends this key to the
> reader; the reader then verifies the card's issuer public key that it
> has received, using the VISA public key (that he can acquire securely).
>
> After this, the reader requests the card's own public key (that
> was signed with the issuer's private key), and the reader verifies
> the public key of the smart card.
>
> After this, the reader knows that he can use the public key of
> the smart card to encrypt data and send them to the card.
>
> Now the reader can generate a random number to the card, and encrypt
> it, using the public key of the smart card, that he now has, and send
> it to the smart card. The smart card can decrypt it, and send the
> random number back to the reader, in this way the reader trusting the
> smart card, that the smart card possesses the smart card's own private
> key associated with the previously verified smart card's own public
> key.
>
> The reverse, the authentification of the reader to the smart card,
> should happen similarly, this meaning that the smart card must
> already possess the VISA public key.
>
> After this authentification, all the messages sent from the reader
> to the smart card should be encrypted using the smart card's public
> key, and the messages sent from the smartcard to the reader should be
> encrypted using the reader's public key. They should do this way to
> exchange the symmetric keys.
>
> In my opinion, using this way of authentification that I can think
> of, this might take some time, and maybe I'm wrong, or maybe it takes
> less time.
>
> Please tell me where I'm wrong.
>
> I used the example of the credit cards, to be more simple, as VISA,
> can be associated with a central authority.
>
>
> Thank you.
>
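
The exchange described in the quoted message (scheme key signs the issuer key, issuer key signs the card key, then a random number encrypted to the card), as an added Python example that is not part of the original thread. It assumes textbook RSA on toy Mersenne-prime keys with no padding; `keypair`, `Card` and `reader_accepts` are hypothetical names, and all keys are constructed for the illustration.

```python
import hashlib
import secrets

E = 65537  # public exponent shared by all toy keys (assumption)

def keypair(a, b):
    """Textbook RSA key from Mersenne primes 2**a-1 and 2**b-1 (toy size, no padding)."""
    p, q = 2**a - 1, 2**b - 1
    return (p * q, E), pow(E, -1, (p - 1) * (q - 1))  # (public key, private exponent)

def digest(subject_pub, n):
    h = hashlib.sha256(repr(subject_pub).encode()).digest()
    return int.from_bytes(h, "big") % n

def sign(subject_pub, signer_pub, signer_d):
    n = signer_pub[0]  # signer's private key over the subject's public key
    return pow(digest(subject_pub, n), signer_d, n)

def verify(subject_pub, sig, signer_pub):
    n, e = signer_pub
    return pow(sig, e, n) == digest(subject_pub, n)

class Card:
    def __init__(self, pub, d, card_sig, issuer_pub, issuer_sig):
        self.pub, self._d = pub, d
        self.certs = (issuer_pub, issuer_sig, pub, card_sig)  # what the card sends
    def answer(self, ciphertext):
        return pow(ciphertext, self._d, self.pub[0])  # decrypt the reader's challenge

def reader_accepts(card, root_pub):
    issuer_pub, issuer_sig, card_pub, card_sig = card.certs
    if not verify(issuer_pub, issuer_sig, root_pub):  # scheme root -> issuer
        return False
    if not verify(card_pub, card_sig, issuer_pub):    # issuer -> card
        return False
    n, e = card_pub
    nonce = secrets.randbelow(n - 2) + 2              # fresh random challenge
    return card.answer(pow(nonce, e, n)) == nonce     # proves possession of the private key

# Constructed keys: scheme root, issuer, card, and an unrelated scheme's root.
root_pub, root_d = keypair(89, 107)
issuer_pub, issuer_d = keypair(61, 127)
card_pub, card_d = keypair(107, 127)
other_root_pub, _ = keypair(61, 89)
issuer_sig = sign(issuer_pub, root_pub, root_d)
card_sig = sign(card_pub, issuer_pub, issuer_d)
genuine = Card(card_pub, card_d, card_sig, issuer_pub, issuer_sig)
clone = Card(card_pub, card_d + 2, card_sig, issuer_pub, issuer_sig)  # copied certs, wrong key
```

A reader holding `other_root_pub` rejects the genuine card at the first check, which is the closed-group effect the reply describes; the clone passes both certificate checks and fails only at the challenge.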