project idea: portable password safe

Paul Boddie paul at boddie.org.uk
Sun Sep 8 14:40:36 EDT 2013


On Sunday 8. September 2013 18.56.29 Werner Almesberger wrote:
> Paul Boddie wrote:
> > If I had to guess what went on [in a smartcard-based e-banking
> > access "calculator"]
> 
> Yes, I think that's how they work. The "calculator" is just a shell
> that provides the user interface and power. You still need to trust
> it, but only to the point that it won't leak the PIN.

Right.

> > Instead, it's a situation where an "official" body signs
> > everything on your behalf, ostensibly because you logged in to their
> > service at some point and said you wanted to do something.
> 
> Is this actually how they do it? I would think they merely provide
> an electronic statement saying that user X has asked us to do Y,
> certified by the respective authority that makes the statement.

According to the following description of one such system, they do the signing 
on your behalf:

"The code unit for a bank-stored BankID is often mistaken for a BankID, but a
BankID is an electronic certificate centrally stored with Nets."

https://www.bankid.no/Dette-er-BankID/BankID-in-English/This-is-how-BankID-works/

Apparently, the above system is also implemented by storing the "security
elements" in a mobile phone's SIM card, which I imagine approximates to a
smartcard situation.

> Well, the difference may be more legal than technical in the end.

Getting banks to admit screwing up is quite a challenge, in my experience.

> > Perhaps I should look around for
> > similar gadgets to the one you propose.
> 
> It's always good to know what the competition is doing :)

I did manage to find this:

http://ob-security.info/?p=631

Paul


