project idea: portable password safe
Paul Boddie
paul at boddie.org.uk
Sun Sep 8 14:40:36 EDT 2013
On Sunday 8. September 2013 18.56.29 Werner Almesberger wrote:
> Paul Boddie wrote:
> > If I had to guess what went on [in a smartcard-based e-banking
> > access "calculator"]
>
> Yes, I think that's how they work. The "calculator" is just a shell
> that provides the user interface and power. You still need to trust
> it, but only to the point that it won't leak the PIN.
Right.
> > Instead, it's a situation where an "official" body signs
> > everything on your behalf, ostensibly because you logged in to their
> > service at some point and said you wanted to do something.
>
> Is this actually how they do it ? I would think they merely provide
> an electronic statement saying that user X has asked us to do Y,
> certified by the respective authority that makes the statement.
According to the following description of one such system, they do the signing
on your behalf:
"The code unit for a bank-stored BankID is often mistaken for a BankID, but a
BankID is an electronic certificate centrally stored with Nets."
https://www.bankid.no/Dette-er-BankID/BankID-in-English/This-is-how-BankID-works/
Apparently, the above system is also implemented by storing the "security
elements" in a mobile phone's SIM card, which I imagine approximates to a
smartcard situation.
> Well, the difference may be more legal than technical in the end.
Getting banks to admit screwing up is quite a challenge, in my experience.
> > Perhaps I should look around for
> > similar gadgets to the one you propose.
>
> It's always good to know what the competition is doing :)
I did manage to find this:
http://ob-security.info/?p=631
Paul