[cryptography] Smart card with external pinpad

Thierry Moreau thierry.moreau at connotech.com
Fri Aug 19 10:41:35 EDT 2011


Steven Bellovin wrote:
> On Aug 18, 2011, at 9:19 40PM, Bob Lloyd wrote:
> 
>> Has anyone performed an analysis of the security of any of the available smart card reader/external pin pad solutions?  Are they effective at keeping the pin from being accessible at the host to which the reader is connected?  Does anyone have any concerns about the security of these products?  If you were to test the security of such a solution, any suggestions as to what you'd look for or would be concerned about?
>>  
> The question you've asked is unanswerable because you haven't
> said anything about what you want to protect and against whom.
> Are you talking about chip-and-pin credit cards in a store?
> Turnstile access to a high-security facility?  Contact or
> contactless cards?  Log in to a workstation?  To a laptop?
> 

May I suggest another point of view on the question ...

An external keyboard for PIN entry in a smart card has the *stated* goal 
of "keeping the pin from being accessible at the host to which the 
reader is connected." If this goal is met, then the two factor 
authentication principle (something you have / something you know) is 
never directly accessible in the "host".

The definition of "host" is almost irrelevant since it is (almost 
always) vulnerable to malignant code. This obviously raises the question 
of the external pin pad protocol/API, but it is a slightly broader 
question than the one asked.

Similarly, the application on the host is outside the scope of the question.

If there were devices meeting the stated goal (commercially available 
with a reasonable cost structure), they would be a very useful security 
solution element for high security contexts. The user guidance would be: 
never enter the PIN anywhere else than on one of these devices. Gone the 
phishing threat!

About the answer to the question with the narrower point of view, it 
really depends on having access to the design and implementation details 
and being able to make a security/technological review.

Regards,


-- 
- Thierry Moreau

CONNOTECH Experts-conseils inc.
9130 Place de Montgolfier
Montreal, QC, Canada H2M 2A1

Tel. +1-514-385-5691



More information about the cryptography mailing list