From: John Young <jya@pipeline.com>
Date: Sat, 12 Oct 1996 17:33:53 -0700 (PDT)
To: cypherpunks@toad.com
Subject: Not That Smart Cards
Message-ID: <1.5.4.16.19961013003211.370f02a6@pop.pipeline.com>
MIME-Version: 1.0
Content-Type: text/plain


   New Scientist, 12 October 1996, p. 21.


   Smart, but not that smart

   By Mark Ward


   Credit card companies are turning to smartcards to help
   them fight fraud. But manufacturing problems may mean
   that they are no more secure than existing cards.

   Conventional credit cards hold information in a magnetic
   strip that typically holds about 200 bytes of information
   -- enough for the card and version number, expiry date
   and owner's name. Smartcards have a built-in
   microprocessor that can handle several kilobytes of data,
   equivalent to pages of information.

   Having the tiny computer on board means that each card
   can have a unique identity, and this ought to help to
   protect the information held on it. But to give a card an
   individual electronic signature, its built-in processor
   has to do a long calculation. This is a time-consuming
   process, so some card manufacturers intend to issue cards
   with one of several thousand preprogrammed identities.
   Each card will therefore have thousands of duplicates,
   all of which will be vulnerable if a criminal cracks the
   code for any one of them.

   In 1994 the credit card companies Europay, Mastercard and
   Visa got together to draw up a common specification for
   smartcards, known as EMV The cards will rely for security
   on the RSA encryption algorithm. This uses two very large
   numbers, called keys. One is passed around in public and
   the other remains hidden in the card's memory. The keys
   are 155-digit prime numbers which are multiplied together
   to make an even larger number which is then used to code
   and decode the data on the card.

   The problem for card manufacturers is working out the
   large prime numbers in the first place. "Companies making
   smartcards turn one out every 15 seconds," says Dmitri
   Markikis, a security analyst at Mondex, a London-based
   company that is experimenting with smartcards as
   electronic purses. "But it takes longer -- estimates
   range from 6 to 30 seconds -- for the card to generate
   its RSA keys." To speed things up some manufacturers are
   considering generating 10,000 preset keys and inserting
   one as each card is made.

   Louis Guillou, a researcher at France Telecom's
   Commercial Centre for the Study of Television and
   Telecommunications highlighted the problem this summer at
   the Crypto 96 conference in California. The three EMV
   partners circulate over 800 million credit cards between
   them, yet are likely to use a limited population of keys.
   "Trying to reuse the keys several times is very
   dangerous," says Guillou.

   Card manufacturers say the problem will be solved as
   smartcards become more powerful. "Soon the processing
   power of a smartcard will be such that it will be able to
   overcome that kind of issue," says Cyril Annarella, a
   technical consultant for the French company Gemplus,
   which makes cards for the EMV members.

   [End]