Interesting People mailing list archives
IP: Not That Smart Cards
From: Dave Farber <farber () central cis upenn edu>
Date: Wed, 16 Oct 1996 05:57:21 -0400
New Scientist, 12 October 1996, p. 21.

Smart, but not that smart

By Mark Ward

Credit card companies are turning to smartcards to help them fight fraud. But manufacturing problems may mean that they are no more secure than existing cards.

Conventional credit cards hold information in a magnetic strip that typically holds about 200 bytes of information -- enough for the card and version number, expiry date and owner's name. Smartcards have a built-in microprocessor that can handle several kilobytes of data, equivalent to pages of information. Having the tiny computer on board means that each card can have a unique identity, and this ought to help to protect the information held on it.

But to give a card an individual electronic signature, its built-in processor has to do a long calculation. This is a time-consuming process, so some card manufacturers intend to issue cards with one of several thousand preprogrammed identities. Each card will therefore have thousands of duplicates, all of which will be vulnerable if a criminal cracks the code for any one of them.

In 1994 the credit card companies Europay, Mastercard and Visa got together to draw up a common specification for smartcards, known as EMV. The cards will rely for security on the RSA encryption algorithm. This uses two very large numbers, called keys. One is passed around in public and the other remains hidden in the card's memory. The keys are 155-digit prime numbers which are multiplied together to make an even larger number which is then used to code and decode the data on the card.

The problem for card manufacturers is working out the large prime numbers in the first place. "Companies making smartcards turn one out every 15 seconds," says Dmitri Markikis, a security analyst at Mondex, a London-based company that is experimenting with smartcards as electronic purses. "But it takes longer -- estimates range from 6 to 30 seconds -- for the card to generate its RSA keys."

To speed things up some manufacturers are considering generating 10,000 preset keys and inserting one as each card is made.

Louis Guillou, a researcher at France Telecom's Commercial Centre for the Study of Television and Telecommunications, highlighted the problem this summer at the Crypto 96 conference in California. The three EMV partners circulate over 800 million credit cards between them, yet are likely to use a limited population of keys. "Trying to reuse the keys several times is very dangerous," says Guillou.

Card manufacturers say the problem will be solved as smartcards become more powerful. "Soon the processing power of a smartcard will be such that it will be able to overcome that kind of issue," says Cyril Annarella, a technical consultant for the French company Gemplus, which makes cards for the EMV members.

[End]
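
The key reuse the article describes is something an issuer can check for in its own issuance records. The sketch below is an added example, not part of the article or of any EMV tooling: it groups cards by RSA public modulus and reports every key shared by more than one card. The manifest format, serial numbers and shortened moduli are constructed for illustration.

```python
import hashlib
from collections import defaultdict

# Constructed issuance manifest: "card serial,RSA public modulus (hex)".
# Format and values are hypothetical; moduli are shortened toy values.
SAMPLE_MANIFEST = """\
# serial,modulus_hex
C0001,00c5a1f3
C0002,9b77e20d
C0003,C5A1F3
C0004,9b77e20d
C0005,4410aa57
C0006,c5a1f3
"""

def parse_manifest(text):
    """Yield (serial, modulus_int), skipping blank lines and comments."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            serial, mod_hex = (f.strip() for f in line.split(","))
            yield serial, int(mod_hex, 16)
        except ValueError:
            raise ValueError(f"line {lineno}: malformed record {raw!r}")

def audit_key_reuse(records):
    """Group card serials by modulus fingerprint; return only shared keys."""
    by_key = defaultdict(list)
    for serial, modulus in records:
        # Canonical big-endian bytes, so leading zeros and hex case
        # cannot hide a duplicate.
        canon = modulus.to_bytes((modulus.bit_length() + 7) // 8 or 1, "big")
        by_key[hashlib.sha256(canon).hexdigest()[:16]].append(serial)
    return {fp: cards for fp, cards in by_key.items() if len(cards) > 1}

def exposure(shared, total_cards):
    """Size of the largest group: cards affected if that one key is lost."""
    worst = max((len(c) for c in shared.values()), default=1)
    return worst, worst / total_cards

if __name__ == "__main__":
    records = list(parse_manifest(SAMPLE_MANIFEST))
    shared = audit_key_reuse(records)
    for fp, cards in sorted(shared.items()):
        print(f"key {fp} shared by {len(cards)} cards: {', '.join(cards)}")
    worst, frac = exposure(shared, len(records))
    print(f"worst case: one key covers {worst} cards ({frac:.0%})")
```

With per-card key generation the audit returns an empty result; any non-empty result marks a group of cards that stand or fall together.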