[cryptography] Smart card with external pinpad
thierry.moreau at connotech.com
Fri Aug 19 10:41:35 EDT 2011
Steven Bellovin wrote:
> On Aug 18, 2011, at 9:19 40PM, Bob Lloyd wrote:
>> Has anyone performed an analysis of the security of any of the available smart card reader/external pin pad solutions? Are they effective at keeping the pin from being accessible at the host to which the reader is connected? Does anyone have any concerns about the security of these products? If you were to test the security of such a solution, any suggestions as to what you'd look for or would be concerned about?
> The question you've asked is unanswerable because you haven't
> said anything about what you want to protect and against whom.
> Are you talking about chip-and-pin credit cards in a store?
> Turnstile access to a high-security facility? Contact or
> contactless cards? Log in to a workstation? To a laptop?

May I suggest another point of view on the question ...

An external keyboard for PIN entry in a smart card has the *stated* goal
of "keeping the pin from being accessible at the host to which the
reader is connected." If this goal is met, then the two factor
authentication principle (something you have / something you know) is
never directly accessible in the "host".

The definition of "host" is almost irrelevant since it is (almost
always) vulnerable to malignant code. This obviously raises the question
of the external pin pad protocol/API, but it is a slightly broader
question than the one asked.

Similarly, the application on the host is outside the scope of the question.

If there were devices meeting the stated goal (commercially available
with a reasonable cost structure), they would be a very useful security
solution element for high security contexts. The user guidance would be:
never enter the PIN anywhere else than on one of these devices. Gone the

About the answer to the question with the narrower point of view, it
really depends on having access to the design and implementation details
and being able to make a security/technological review.

- Thierry Moreau
CONNOTECH Experts-conseils inc.
9130 Place de Montgolfier
Montreal, QC, Canada H2M 2A1