Re: Questions on GSM Penetration test

From: Wouter Slegers (wouterat_private)
Date: Thu Jan 31 2002 - 06:54:25 PST


    On Sun, Jan 27, 2002 at 10:00:25PM +0100, Tom Buelens wrote:
    > > What would you mean by "peel off"? Would that be some kind of physical
    > > tampering? Most smart cards often have some kind of "Tamper Resistant
    > > Sealing". Also if you try to peel off the adhesive coating, you will most
    > > probably break the delicate fuse wire which most Smart Card companies run
    > > in that adhesive coating, thereby making the whole smart-card completely
    > > useless.
    > "The Netherlands Organisation for Applied Scientific Research" has the tools
    > for 'peeling' off the chip layer by layer (thus not the card).
    They are BTW very good at what they do.
    
    > Again I do not know the exact technology they use but it is not just
    > your ordinary knife and screwdriver.
    Some of these attacks can be done with standard tools available in a
    university lab, see Markus Kuhn et al. in
    <URL:http://www.cl.cam.ac.uk/Research/Security/tamper/>. IBM has very
    interesting research on defense.
    
    For non-invasive techniques, look for side-channel attacks in
    cryptography such as the power analysis attack (DPA, SPA etc.).
    
    > More like electron microscope and the likes. And I do not
    > think they are the only ones on the planet who can.
    No, they are not the only ones. Reverse engineering of semiconductors is
    common and has a legitimate role in quality control, research and search
    for patent infringements.
    To get an idea of the proliferation of this kind of work, just take a look
    at the doodles found in chips in the Silicon Zoo
    <URL:http://micro.magnet.fsu.edu/creatures/> and imagine how many chips
    need to be looked at in that kind of detail to make a collection that large.
    
    > > Tom, if what you are saying is correct, people can make large amounts of
    > > money, just copying smart cards with applications like "Pre Paid Telephone
    > > Cards", "Electronic Purses" etc.
    Labs like these are not cheap :-) Even so, a smart (no pun intended)
    implementer of a system with smartcards makes sure that the compromise
    of a few of them does not make the whole system insecure, for example by
    changing the cryptographic keys every batch of X-thousand cards. You're
    looking to make the costs of cracking one and making the counterfeits too
    high to make a decent profit (the bad guys are in it for the money too).
    VISA has an extensive model for calculating the costs for an attacker,
    for just this purpose. Balancing this against the additional costs of
    the security (remember, this is a bulk, low-profit-per-unit market) is
    non-trivial.
    
    With kind regards,
    Wouter Slegers
    
    -- 
    Wouter Slegers
    Your Creative Solutions
    "Security solutions you can trust and verify."
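
Added example, not part of the original message: a toy model of the per-batch key change described above, showing that a key recovered from one card is only useful inside its own batch and stops working once the issuer revokes that batch. The HMAC-based derivation, the batch size, the revocation set and all names are assumptions made for illustration; the message does not say how real schemes derive or rotate keys.

```python
import hashlib
import hmac

BATCH_SIZE = 5000  # assumed stand-in for the "X-thousand cards" per key batch


def batch_of(serial: int) -> int:
    """Batch index of a card, taken from its serial number (assumed scheme)."""
    return serial // BATCH_SIZE


def batch_key(issuer_secret: bytes, batch: int) -> bytes:
    """Key shared by all cards of one batch; the issuer secret stays in the back end."""
    return hmac.new(issuer_secret, b"batch|%d" % batch, hashlib.sha256).digest()


def card_response(key: bytes, serial: int, challenge: bytes) -> bytes:
    """Response a card computes over the terminal's challenge with its stored key."""
    return hmac.new(key, b"%d|" % serial + challenge, hashlib.sha256).digest()


class Verifier:
    """Back-end check: recompute the batch key and refuse revoked batches."""

    def __init__(self, issuer_secret: bytes):
        self._secret = issuer_secret
        self.revoked_batches = set()

    def accepts(self, serial: int, challenge: bytes, response: bytes) -> bool:
        batch = batch_of(serial)
        if batch in self.revoked_batches:
            return False
        expected = card_response(batch_key(self._secret, batch), serial, challenge)
        return hmac.compare_digest(expected, response)


def demo() -> dict:
    secret = b"constructed-issuer-secret"  # constructed sample value
    challenge = b"constructed-nonce-0001"  # constructed sample value
    verifier = Verifier(secret)
    leaked = batch_key(secret, 0)  # models the key of one compromised batch-0 card
    genuine = card_response(batch_key(secret, 1), 7001, challenge)
    results = {
        "genuine_batch1": verifier.accepts(7001, challenge, genuine),
        "leaked_key_same_batch": verifier.accepts(42, challenge, card_response(leaked, 42, challenge)),
        "leaked_key_other_batch": verifier.accepts(7001, challenge, card_response(leaked, 7001, challenge)),
    }
    verifier.revoked_batches.add(0)  # issuer retires the compromised batch
    results["leaked_key_after_revocation"] = verifier.accepts(42, challenge, card_response(leaked, 42, challenge))
    return results


if __name__ == "__main__":
    print(demo())
```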
    
    
    



    This archive was generated by hypermail 2b30 : Thu Jan 31 2002 - 09:52:06 PST