
DPA contest V2

Friday, March 19, 2010

Since the seminal work of Paul KOCHER (founder of CRI), side channel attacks have challenged many cryptographers and implementers. In a nutshell, side channel attacks use side information to guess secret keys. A simplified explanation: imagine that your AES implementation takes longer to process a “1” of the secret key than a “0”. By measuring the processing time, you may guess the secret key (without any intrusion). This is called a timing attack. Other side channels are available, such as power, electromagnetic … Side channel attacks are devastating.
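The simplified timing model above can also be turned into a leakage check of the kind an implementer would run before shipping. The following is an added example, not code from the original post or from the DPA contest: it simulates timings under assumed per-bit costs and Gaussian measurement noise, and applies a fixed-versus-random Welch t-test with the |t| > 4.5 limit commonly used in leakage assessment. All function names, costs and noise levels are assumptions.

```python
import random
import statistics

KEY_BITS = 128       # AES-128 key length
T_THRESHOLD = 4.5    # |t| limit commonly used in leakage assessment


def leaky_cost(key):
    """The post's model: processing a 1 bit takes longer than a 0 bit."""
    return sum(2 if (key >> i) & 1 else 1 for i in range(KEY_BITS))


def balanced_cost(key):
    """Hardened model: every bit costs the same, whatever its value."""
    return sum(2 for _ in range(KEY_BITS))


def measure(cost_fn, key, rng, noise=5.0):
    """One simulated timing: modelled cost plus Gaussian measurement noise."""
    return cost_fn(key) + rng.gauss(0.0, noise)


def welch_t(a, b):
    """Welch's t statistic for two samples with unequal variances."""
    va, vb = statistics.variance(a), statistics.variance(b)
    return (statistics.mean(a) - statistics.mean(b)) / ((va / len(a) + vb / len(b)) ** 0.5)


def timing_depends_on_key(cost_fn, runs=500, seed=1):
    """Fixed-vs-random test: True if timings differ between the key classes."""
    rng = random.Random(seed)
    # Class A: one fixed key (all zero, an assumption). Class B: random keys.
    fixed = [measure(cost_fn, 0, rng) for _ in range(runs)]
    rand = [measure(cost_fn, rng.getrandbits(KEY_BITS), rng) for _ in range(runs)]
    return abs(welch_t(fixed, rand)) > T_THRESHOLD


if __name__ == "__main__":
    print("leaky implementation flagged:   ", timing_depends_on_key(leaky_cost))
    print("balanced implementation flagged:", timing_depends_on_key(balanced_cost))
```

On real hardware the `measure` function would be replaced by actual cycle counts; the statistical test stays the same.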

There is no standard way to compare the efficiency of different side channel attacks. At the initiative of Telecom ParisTech, the DPA contest aims to benchmark these attacks.

The second edition, DPA contest V2, allows different teams to compare their respective Differential Power Analysis (DPA) attacks against an unprotected AES implementation. Results will be presented at an upcoming crypto conference.

This book (Springer 2008), by Keith Mayes and Konstantinos Markantonakis (editors), provides an overview of secure chips and their applications. It mainly focuses on two types of tokens: contact and contactless. Except for a brief introduction to Trusted Platform Modules (TPM), the book does not detail embedded IC or Hardware Secure Modules (HSM). The book depicts the major operating systems and environments (Java Card, Global Platform, MultOS…) and describes in detail the application development environments for Java and SIM toolkit. The book explores different fields of application: mobile, banking, Pay TV and ID cards. A special focus is given to mobile applications.

In my mind, smart cards are strongly associated with security. Security is the absent one from this book. The book never speaks about the hacks. In the contactless field, transport cards are often cited, but the recent hacks are never cited. For ID cards, the recent problems of passports are never disclosed.

Should you read it? If you are looking for a basic introduction to smart cards, this may be one of the references to read. Thus, it may interest non-security students, people who want to have a first level of understanding, journalists… If you are looking for a good understanding of one of the domains of use of smart cards, then look for a more specialized book. If you are a security expert, this book is definitely not for you.

A more complete review is available on the IACR web site.

VC2 and AMEX

Monday, October 5, 2009

The Visual Cryptogram 2 (VC2) was created by VISA in 2005 to protect against online fraud. The VC2 code is the three-digit number printed on the back of your credit card. The rationale of VC2 is that to access this code, you need to have the card in sight. I always thought that the rationale for printing it on the back was to avoid capture by the cameras used with card skimmers (see for instance http://www.darknet.org.uk/2008 … ao-gives-out-atm-hacking-tips/).

It seems I was wrong, or at least that AMEX does not fear this type of skimmer. AMEX also uses a visual cryptogram. But AMEX’s VC is four digits long and printed on the front side of the credit card. I do not understand the rationale for using a different scheme (different size, different location). In fact, I learned it the hard way. When using my AMEX online for the first time, I used the three digits on the back of the card. There was one! And of course, it did not work. :(

Does anybody have a clue?