Cryptography Reference
In-Depth Information
MasterCard and Visa began developing two types: JavaCard, sponsored by Visa,
and Multi-application Operating System (MULTOS), sponsored by MasterCard.
Two announcements were made in April of 2004. One was that residents of
Lakhpat, Taluka, India, would be the first to be issued a processor card, called
the multipurpose National Identification Card, to serve as citizenship proof.
Another was the fact that many governments were gearing up for a transformation
of existing passports to include microprocessor chips embedding biometrics.
Attacks on Smart Cards: There are numerous attacks against smart
cards that need to be reviewed so we may better understand the threats and
not fall victim to them. Two attacks already discussed are power cryptanalysis
and the small RSA enciphering exponent attack (see page 178). These attacks
are especially effective against smart cards because of their limited computing
power and relatively slow processors, which lead to choices such as a small
enciphering exponent for communication between the smart card and a larger
computer.
Power cryptanalysis (sometimes called power analysis) attacks are examples
of what are called side-channel attacks wherein a cryptanalyst, Mallory, say, has
an additional channel of information about the system he is trying to break.
Timing analysis of message encryption falls into this category. The reason that
side-channel attacks are so effective against smart cards is that Mallory may
have full control of the card. Countermeasures for side-channel attacks come
from a combination of software implementations and actual hardware.
Countermeasures against timing attacks include the following: (1) blinding
signatures (see page 177); (2) avoiding delays (make all operations take the
same amount of time); (3) equalization of multiplication and squaring (the time
taken to execute multiplication and exponentiation should be set to be very
similar); (4) power consumption balancing (operations should be made to appear
constant from outside the card, which can be accomplished with dummy gates
and the like to even out the power consumption to some constant value); (5)
add random noise (enough to stop an attack); and (6) physical shielding.
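Countermeasures (1) to (3) sketched in code, as an added example that is not from the original text: it counts the modular operations of a textbook square-and-multiply routine against a fixed-schedule Montgomery ladder, then signs through RSA blinding. The toy key (n = 3233, e = 17, d = 2753) and all function names are constructed for illustration, and Python integers are not constant time, so only the operation schedule is shown.

```python
import secrets
from math import gcd

# Constructed toy RSA key (p = 61, q = 53); far too small for real use.
N, E, D = 3233, 17, 2753

def square_and_multiply(base, exp, mod):
    """Textbook method: the extra multiply happens only on 1-bits of exp."""
    result, ops = 1, 0
    for bit in bin(exp)[2:]:
        result = result * result % mod
        ops += 1
        if bit == "1":
            result = result * base % mod
            ops += 1
    return result, ops

def montgomery_ladder(base, exp, mod, bits):
    """Fixed schedule: one multiply and one square per bit, 0 or 1 alike."""
    r0, r1, ops = 1, base % mod, 0
    for i in reversed(range(bits)):
        # The Python branch itself can still leak; a card would use a
        # constant-time swap here. Only the operation count is modelled.
        if (exp >> i) & 1:
            r0, r1 = r0 * r1 % mod, r1 * r1 % mod
        else:
            r1, r0 = r0 * r1 % mod, r0 * r0 % mod
        ops += 2
    return r0, ops

def blinded_sign(m, d=D, e=E, n=N):
    """Blinding: exponentiate m * r^e for a fresh random r, then remove r."""
    while True:
        r = secrets.randbelow(n - 2) + 2
        if gcd(r, n) == 1:
            break
    s_blinded, _ = montgomery_ladder(m * pow(r, e, n) % n, d, n, n.bit_length())
    return s_blinded * pow(r, -1, n) % n   # (m * r^e)^d = m^d * r (mod n)

if __name__ == "__main__":
    for exp in (0b100000000001, 0b111111111111):  # same length, different weight
        _, leaky = square_and_multiply(65, exp, N)
        _, fixed = montgomery_ladder(65, exp, N, 12)
        print(f"exp={exp:012b} square-and-multiply ops={leaky} ladder ops={fixed}")
    print("blinded signature matches:", blinded_sign(65) == pow(65, D, N))
```

The operation count of the textbook routine depends on how many 1-bits the exponent has, while the ladder's count depends only on the bit length.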
Magnetic strip cards, having no computing power at all, are subject to what
is known as a skimming attack. In this case, an illegal card reader can be used
to copy the data in the card (once it is swiped through the illegal device) for the
purpose of counterfeiting cards and incurring illegal charges. Some criminals
have even resorted to planting these devices in legal ATM machines for the
purpose of gathering this data. Once the data has been captured, the card
owner might be presented with a screen that says there has been a malfunction.
In some cases, the criminals engineer the card reader so that it does not interfere
with the ATM's function. In this case, the customer will get their cash, when
making a withdrawal, say, but their data are still captured for later use by the
criminal element. The ATM machines most susceptible to this kind of attack
are not usually the ones at banks themselves, but rather at convenience stores,
bars, hotel lobbies and the like. Moreover, they are typically the kind of ATM
where the card is swiped rather than inserted into the machine directly. Also,
skimming may be accomplished by dishonest businesses when your card is taken
out of your sight for payment, say at a restaurant, and run through a skimmer.