From RSA Labs:
RSA-PSS offers the long-term benefit of higher assurance by narrowing the gap between the widely held assumption that the RSA problem is hard to solve, and the claim that signatures are hard to forge.
Monday, 3 December 2012
RSA-PSS
The concept of a provably secure signature has been around for a while, but there are few implementations for smart cards.
From RSA Labs:
From RSA Labs:
Friday, 2 November 2012
First CC EAL7 certified smart card - Samsung
Samsung has developed the world's first Common Criteria EAL7 certified smart card. This will certainly help boost the perception of the smart card as Trusted Execution Environment (TEE), and will only be good for m-commerce.
OTI COPNI wave - mobile NFC plug-in module
OTI has demonstrated impressive out-of-the box thinking with this NFC plug-in module for mobile devices. Basically, if your phone has an audio stereo jack, you can have mobile NFC.
Now the only questions are: which mobile OSes will OTI support, and will the API be open?
If only a few mobile OSes are supported within the first year (or two), then the API had better be open... A closed API would mean that freelance/community developers won't be able to fill the software gap for this device and some will opt for creating competing - and most likely open-source - solutions. This has already happened with mobile phones. Furthermore, integrated chips containing NFC controller+secure element are becoming readily available, as are NFC software libraries, so the entry threshold to the market is clearly not high.
If only a few mobile OSes are supported within the first year (or two), then the API had better be open... A closed API would mean that freelance/community developers won't be able to fill the software gap for this device and some will opt for creating competing - and most likely open-source - solutions. This has already happened with mobile phones. Furthermore, integrated chips containing NFC controller+secure element are becoming readily available, as are NFC software libraries, so the entry threshold to the market is clearly not high.
Thursday, 6 September 2012
Friday, 24 August 2012
Onity HT hotel lock vulnerability revealed
Key point:
Another article, this time from The Register.
The vendor has responded with several press releases and a risk mitigation plan. These are quoted and discussed at the Brocious' blog. His comments are incisive and informative.
My opinion: it is hard to design and develop a PACS device which is user-friendly and affordable AND which satisfies a reasonable security target for the intended application. Corners are cut, things are swept under the carpet - it happens. But it should not be considered acceptable. Due to the nature of the market for security products and services, stakes and demands are higher than in e.g. a commodity market. The customer is aware of this, and they willingly pay commensurate prices for the assurance that they will receive products which are fit for the intended purpose. Looking at the above articles, I would say Onity's HT line does not meet this requirement.
The only way to avoid situations like this is through proactive planning:
The system’s vulnerability arises, Brocious says, from the fact that every lock’s memory is entirely exposed to whatever device attempts to read it through that port. Though each lock has a cryptographic key that’s required to trigger its “open” mechanism, that string of data is also stored in the lock’s memory, like a spare key hidden under the welcome mat. So it can be immediately accessed by Brocious’s own spoofed portable device and used to open the door a fraction of a second later.As the hacker (Brocious) pointed out, due to the nature of the security gap, the chances are excellent that it has already been discovered and exploited independently by others. It was just a matter of time before somebody decided to publish and (possibly) be damned.
Another article, this time from The Register.
The vendor has responded with several press releases and a risk mitigation plan. These are quoted and discussed at the Brocious' blog. His comments are incisive and informative.
My opinion: it is hard to design and develop a PACS device which is user-friendly and affordable AND which satisfies a reasonable security target for the intended application. Corners are cut, things are swept under the carpet - it happens. But it should not be considered acceptable. Due to the nature of the market for security products and services, stakes and demands are higher than in e.g. a commodity market. The customer is aware of this, and they willingly pay commensurate prices for the assurance that they will receive products which are fit for the intended purpose. Looking at the above articles, I would say Onity's HT line does not meet this requirement.
The only way to avoid situations like this is through proactive planning:
- the vendor must ensure that the project development leader makes security a part of the design from the beginning;
- the security of the product must be evaluated and certified by an independent external agency;
- potential weakness must be identified and a mitigation plan must be established before releasing the product into the wild.
Thursday, 24 May 2012
Java Card simulator
jCardSim is a simulator for Java Card:
jCardSim is open-source library contains implementation of Java Card API, v.2.2.1: javacard.framework.* javacard.framework.security.* javacardx.crypto.*
Monday, 6 February 2012
EMV card info
Saush gives a fascinating tutorial on accessing the EMV data on a Mastercard (and possibly VISA).
Tuesday, 10 January 2012
Misc. STK source code
RuimTools has interesting tips about interfacing with smart cards from Java and useful STK source code.
Thursday, 5 January 2012
RFID hacking live CD
OpenPCD.org has a live CD for hacking RFID tags (including MIFARE Classic and MIFARE DesFire).
Subscribe to:
Posts (Atom)
