[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Not That Smart Cards
New Scientist, 12 October 1996, p. 21.
Smart, but not that smart
By Mark Ward
Credit card companies are turning to smartcards to help
them fight fraud. But manufacturing problems may mean
that they are no more secure than existing cards.
Conventional credit cards hold information in a magnetic
strip that typically holds about 200 bytes of information
-- enough for the card and version number, expiry date
and owner's name. Smartcards have a built-in
microprocessor that can handle several kilobytes of data,
equivalent to pages of information.
Having the tiny computer on board means that each card
can have a unique identity, and this ought to help to
protect the information held on it. But to give a card an
individual electronic signature, its built-in processor
has to do a long calculation. This is a time-consuming
process, so some card manufacturers intend to issue cards
with one of several thousand preprogrammed identities.
Each card will therefore have thousands of duplicates,
all of which will be vulnerable if a criminal cracks the
code for any one of them.
In 1994 the credit card companies Europay, Mastercard and
Visa got together to draw up a common specification for
smartcards, known as EMV The cards will rely for security
on the RSA encryption algorithm. This uses two very large
numbers, called keys. One is passed around in public and
the other remains hidden in the card's memory. The keys
are 155-digit prime numbers which are multiplied together
to make an even larger number which is then used to code
and decode the data on the card.
The problem for card manufacturers is working out the
large prime numbers in the first place. "Companies making
smartcards turn one out every 15 seconds," says Dmitri
Markikis, a security analyst at Mondex, a London-based
company that is experimenting with smartcards as
electronic purses. "But it takes longer -- estimates
range from 6 to 30 seconds -- for the card to generate
its RSA keys." To speed things up some manufacturers are
considering generating 10,000 preset keys and inserting
one as each card is made.
Louis Guillou, a researcher at France Telecom's
Commercial Centre for the Study of Television and
Telecommunications highlighted the problem this summer at
the Crypto 96 conference in California. The three EMV
partners circulate over 800 million credit cards between
them, yet are likely to use a limited population of keys.
"Trying to reuse the keys several times is very
dangerous," says Guillou.
Card manufacturers say the problem will be solved as
smartcards become more powerful. "Soon the processing
power of a smartcard will be such that it will be able to
overcome that kind of issue," says Cyril Annarella, a
technical consultant for the French company Gemplus,
which makes cards for the EMV members.
[End]