Showing posts with label smart cards.
Tuesday, 29 December 2009
This is really weird: Karsten Nohl and Hendryk Plötz have shown that the Legic Prime contactless smart cards have neither a random number generator nor an encryption algorithm. Users of Legic Prime are recommended to upgrade to Legic Advant, which contains AES and is compliant with FIPS 201.
Heise article (German)
Monday, 16 November 2009
"Anomalies" in Spain Speed up EMV Transition
It's not really clear what has happened there. It seems that massive amounts of credit card data were lost at a Spanish credit card processor. New cards are being sent to customers. At least some of these actually have an EMV chip. Another nail in the coffin of the obsolete magnetic stripe.
Update: Tonight it was in the news that more than 100 000 cards have been exchanged.
Sunday, 11 October 2009
Secure Online Banking
The Swiss company Crealogix has announced the CLX.Sentinel, a USB device which promises secure online banking. As I was part of the team that developed it, it's no surprise that I like it.
But here is why: it uses a smart card to verify the user's identity and set up an SSL connection to the bank, so man-in-the-middle attacks are prevented. As an additional security benefit, it uses an internal list of legitimate banking sites so that phishers can't use the null-prefix issue. The CLX.Sentinel won't connect to anything that's not on its list, so browser infections are next to impossible.
The software is installed in the flash memory inside the token, so it can't be patched, and it contains countermeasures against debugging and code injection at runtime.
I believe that this amount of countermeasures is needed nowadays.
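As an added illustration (not code from the original post or from Crealogix), the following Python contrasts a certificate-name check that stops at the first NUL byte, which is the behaviour the null-prefix issue abused, with the strict allow-list comparison a device with an internal site list would make. The hostnames and the allow-list entries are constructed placeholders.

```python
# Added example: strict allow-list matching of a server certificate name
# versus a check that stops at the first NUL byte. Hostnames are constructed.
BANK_ALLOWLIST = frozenset({"ebanking.bank.example", "login.bank.example"})


def cstring_name_match(cert_name: str, expected: str) -> bool:
    """Weak check: mimics a C-string comparison, so anything after an
    embedded NUL byte is ignored. Shown only to contrast with the hardened
    check below."""
    visible = cert_name.split("\x00", 1)[0]
    return visible == expected


def allowlisted_name_match(cert_name: str, allowlist=BANK_ALLOWLIST) -> bool:
    """Hardened check: the complete certificate name, byte for byte, must
    equal an allow-listed entry. Control characters (including NUL) never
    match, and the list holds no wildcard entries."""
    if not cert_name or any(ord(ch) < 0x20 for ch in cert_name):
        return False
    return cert_name.lower() in allowlist


def connection_decision(cert_name: str) -> str:
    """Decision a device with an internal list of banking sites would take."""
    return "connect" if allowlisted_name_match(cert_name) else "refuse"
```

The weak form accepts a name whose visible prefix looks right; the hardened form compares the whole name against a closed list, so there is nothing for a prefix trick to match.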
Labels: browser, e-commerce, smart cards, web security
Sunday, 30 August 2009
Real Time Keylogging
According to the New York Times, the Clampi trojan is able to send keystrokes in real time. This means that it can be used to attack one-time password (OTP) systems.
From here on, it seems necessary to consider a more complex mode of OTP known as EMV CAP or Visa DPA. Here a challenge is sent from the server and signed by a smart card. Therefore the attacker cannot submit the stolen OTP signature for any purpose other than the one it was originally intended for.
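The challenge-response flow just described, as an added example that is not from the original post and does not implement the actual EMV CAP or Visa DPA algorithms: the card's signature is modelled as an HMAC-SHA256 over a key shared with the bank (a simplification; real cards use a card-specific key derived by the issuer), and the key, amounts and payees are constructed values. It shows why a response captured by a keylogger is useless for a different transaction or for a replay.

```python
import hashlib
import hmac
import os

# Added example: simplified challenge-response model of the scheme described
# above. HMAC-SHA256 with a shared card key stands in for the real EMV CAP /
# Visa DPA algorithms; the key and all transactions are constructed.
CARD_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed


def card_response(key: bytes, challenge: bytes, amount: int, payee: str) -> str:
    """What the smart card computes: a MAC bound to the server's challenge
    and to the transaction details the user keyed into the reader."""
    msg = b"|".join([challenge, str(amount).encode(), payee.encode()])
    mac = hmac.new(key, msg, hashlib.sha256).hexdigest()
    return mac[:8]  # 8-digit code shown on the reader display and typed in


class BankServer:
    def __init__(self, key: bytes):
        self._key = key
        self._pending = {}  # challenge -> (amount, payee) it was issued for

    def issue_challenge(self, amount: int, payee: str) -> bytes:
        challenge = os.urandom(8)
        self._pending[challenge] = (amount, payee)
        return challenge

    def verify(self, challenge: bytes, amount: int, payee: str, response: str) -> bool:
        """A challenge is usable once and only for the transaction it was
        issued for, so a stolen response can be neither redirected nor replayed."""
        expected_tx = self._pending.pop(challenge, None)
        if expected_tx is None or expected_tx != (amount, payee):
            return False
        expected = card_response(self._key, challenge, amount, payee)
        return hmac.compare_digest(expected, response)


def demo() -> tuple:
    """Returns (legit_accepted, redirected_rejected, replay_rejected)."""
    bank = BankServer(CARD_KEY)

    # 1. Legitimate payment: the user signs the bank's challenge on the card.
    c1 = bank.issue_challenge(100, "electricity-co")
    r1 = card_response(CARD_KEY, c1, 100, "electricity-co")  # seen by a keylogger
    legit = bank.verify(c1, 100, "electricity-co", r1)

    # 2. Redirection: the captured code is submitted for a different transaction.
    #    The bank issues a fresh challenge, so r1 was computed over the wrong input.
    c2 = bank.issue_challenge(5000, "attacker-account")
    redirected = bank.verify(c2, 5000, "attacker-account", r1)

    # 3. Replay: the original transaction is resubmitted; c1 was already consumed.
    replay = bank.verify(c1, 100, "electricity-co", r1)

    return legit, not redirected, not replay


if __name__ == "__main__":
    print(demo())
```

The binding to both the challenge and the transaction details is what matters: a plain time-based OTP would be accepted for any transaction submitted within its validity window, which is exactly what real-time keystroke forwarding exploits.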
Labels: e-crime, one time passwords, smart cards, sniffing
Wednesday, 22 July 2009
German Health Smart Card Troubles
The German health smart card is in trouble. My take on that is: on the one hand, there are real issues like terminals being too expensive; on the other hand, it looks like the doctors who are supposed to use these cards are a little technophobic.
We learn that when security comes with embracing technology, it is still hard to achieve wide acceptance, at least in Germany.
Signature Software for MacOS with Common Criteria