Hi

On Sunday 15 March 2015 at 10:24:29 PM, in
<mid:354b50b8-9726-487a-a7a5-e7fd5839f...@gmail.com>, Jose Castillo wrote:

> Sorry about the improper threading; I’ve switched off
> digest mode, hopefully this will help.

That one threaded properly. Thanks.

> I may have phrased my point inartfully. I think the
> goal here is to minimize the harm done in the case of
> compromise.

That should be a goal everywhere. (-;

> You do
> have to trust the firmware and the operating system on
> the smart card,

I thought there were some open-source smart cards around.

> but that’s made easier by the fact that
> chips in these cards [2] and the operating system [3]
> are certified to be secure based on international
> standards, and are widely deployed in sensitive areas
> like access control, payments and telephone SIM cards.

It's quite a few years since I heard of SIM cards being cloned. I
guess the spec was improved. (-;

> With NFC the main mitigation is physical rather than
> cryptographic in nature. Since the card has no battery,
> the attacker would have to supply an RF field
> sufficient for powering up the chip to perform the math
> and transmit a response. In theory, that maxes out at
> 10 centimeters; in practice, it’s about half that.

I thought it could be done from a few yards away, if the attacker used
bigger aerials. [0] says that for passports, the RFID tag can be
powered up from about 50cm away and messages can be sent and received
over several metres.

> You
> can negate this attack with an RF blocking sleeve,
> which I’ll almost certainly be adding to the kit after
> this conversation.

Glad to hear it. Shame the banks who issue NFC-enabled payment cards
don't provide such sleeves. Although, Faraday-cage wallets and
passport holders are available.

> Thank you for your critical responses, by the way; I
> appreciate the chance to be transparent about the
> challenges involved.

Thank you.
I have enjoyed the discussion, and hope to have

[0] <http://www.cs.bham.ac.uk/~tpc/Papers/PassportTrace.pdf>

--
Best regards

MFPA <mailto:2014-667rhzu3dc-lists-gro...@riseup.net>

Dollar sign - An S that's been double crossed