In an alarming revelation, Messrs. Sergei Skorobogatov
and Ross Anderson of Cambridge University have discovered that sensitive
information stored on a smart card microprocessor can be revealed with a flash
of light using inexpensive, off-the-shelf equipment.
It has been found that firing light from an ordinary
camera flash at parts of a smart card microchip can assist an attacker in
determining the sensitive information stored on the card.
In the semi-invasive attack, the researchers
removed part of a chip's protective covering and then, using a microscope,
focused the light from an ordinary camera flash on particular parts of a
smart card's microprocessor. It was found that this could reveal the
information stored in the card, such as the cryptographic key used
to gain access to a building or to secure internet transactions.
This "Hacking" method raises a question mark over many of the
E-Governance issues based on Smart Cards in India. The undersigned has been
advocating an alternative method for most of the Smart Card applications now
being planned by different State and Central Governments, which is far cheaper
and more secure. This gains more relevance in the context of the above finding
and hence is briefly described below.
Most smart card applications involve storage of some
data on the card so that it can be read with a smart card reader at any point.
The RTOs of Kerala and TN seem to be working on such a methodology to store
driving license or vehicle registration information on the smart card. In
connection with this application, the undersigned had made an observation some
time back that the smart card route is more expensive and less secure than the
"Remote Information Retrieval System".
Under this system, the critical data is stored in a secure
central database and access is provided through a proprietary call center
approach.
If entry into the system is to be restricted, a
suitable authentication mechanism can be introduced before the information is
provided.
Such authentication can be by means of a "Bar Coded ID
card" accompanied by a Bar code reader or a specifically designed
variable password system, details of which cannot be discussed here.
Either of these will be commercially much cheaper to
implement and more secure.
I hope the State Governments who are working on such
smart card applications that involve information storage and retrieval take
a serious look at the suggestions made herein.
Naavi
May 15, 2002