project idea: portable password safe
paul at boddie.org.uk
Sun Sep 8 14:40:36 EDT 2013
On Sunday 8. September 2013 18.56.29 Werner Almesberger wrote:
> Paul Boddie wrote:
> > If I had to guess what went on [in a smartcard-based e-banking
> > access "calculator"]
> Yes, I think that's how they work. The "calculator" is just a shell
> that provides the user interface and power. You still need to trust
> it, but only to the point that it won't leak the PIN.
> > Instead, it's a situation where an "official" body signs
> > everything on your behalf, ostensibly because you logged in to their
> > service at some point and said you wanted to do something.
> Is this actually how they do it ? I would think they merely provide
> an electronic statement saying that user X has asked us to do Y,
> certified by the respective authority that makes the statement.
According to the following description of one such system, they do the signing
on your behalf:
"The code unit for a bank-stored BankID is often mistaken for a BankID, but a
BankID is an electronic certificate centrally stored with Nets."
Apparently, the above system is also implemented by storing the "security
elements" in a mobile phone's SIM card, which I imagine approximates to a
> Well, the difference may be more legal than technical in the end.
Getting banks to admit screwing up is quite a challenge, in my experience.
> > Perhaps I should look around for
> > similar gadgets to the one you propose.
> It's always good to know what the competition is doing :)
I did manage to find this: