
[News] No Such Thing as Security Through Obscurity

  • Subject: [News] No Such Thing as Security Through Obscurity
  • From: Roy Schestowitz <newsgroups@xxxxxxxxxxxxxxx>
  • Date: Tue, 22 Jan 2008 01:50:34 +0000
  • Newsgroups: comp.os.linux.advocacy
  • Organization: Netscape / schestowitz.com
  • User-agent: KNode/0.10.4

New $2B Dutch Transport Card is Insecure

,----[ Quote ]
| Kerckhoffs’s Principle, one of the bedrock maxims of cryptography, says that 
| security should never rely on keeping an algorithm secret. It’s okay to have 
| a secret key, if the key is randomly chosen and can be changed when needed, 
| but you should never bank on an algorithm remaining secret.
| 
| Unfortunately the designers of Mifare Classic did not follow this principle. 
| Instead, they chose to combine a secret algorithm with a relatively short 
| 48-bit key. This is a problem because once you know the algorithm it’s 
| possible for an attacker to search the entire 48-bit key space, and therefore 
| to forge cards, in a matter of days or weeks.
| 
| [...]
| 
| Now the Dutch authorities have a mess on their hands. About $2 billion have 
| been invested in this project, but serious fraud seems likely if it is 
| deployed as designed. This kind of disaster would have been more likely had 
| the design process been more open. Secrecy was not only an engineering 
| mistake (violating Kerckhoffs’s Principle) but also a policy mistake, as it 
| allowed the project to get so far along before independent analysts had a 
| chance to critique it. A more open process, like the one the U.S. government 
| used in choosing the Advanced Encryption Standard (AES) would have been 
| safer. Governments seem to have a hard time understanding that openness can 
| make you more secure.
`----

http://www.freedom-to-tinker.com/?p=1250


Related:

FCC ignores more than 100 years of wisdom

,----[ Quote ]
| In 1883 French cryptographer Auguste Kerckhoffs published a set of six 
| design principles for military encryption systems. The second of these
| principles is generally known today under the observation that security 
| through obscurity is not security. The Federal Communications Commission 
| (FCC) seems not to have read the history books or to be aware of how its
| sister federal agencies develop security standards....
`----

http://www.infoworld.nl/idgns/bericht.phtml?id=002570DE00740E1800257313005EC092


Consumer-control industry and their security damnation

,----[ Quote ]
| By some ironic fortune, proprietary vendors like Apple and
| Microsoft will likely always suffer this damnation that their
| consumer-control inspired proprietary nature always brings with
| itself: security problems - exactly the thing they claim to prevent
| by being so control obsessed. You can stay damned with them or you
| can break free.
`----

http://www.libervis.com/article/consumer_control_industry_and_their_security_damnation


Open source key to anti-terrorism efforts

,----[ Quote ]
| Open source = more security, not less. It's no surprise, then, that
| many of my own company's customers include those that place a premium 
| on safety and security (US Federal Aviation Administration, UK's 
| Ministry of Defense, French Air Force, plus others, including one
| that would surprise you...).
`----

http://weblog.infoworld.com/openresource/archives/2007/05/open_source_key.html
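The first quoted article says that once the algorithm is known, a 48-bit key space can be searched "in a matter of days or weeks". The following is an added worked example, not code from the quoted article, from NXP, or from any Mifare Classic analysis: it stands in a public keyed function (HMAC-SHA256, truncated) for the card cipher, recovers a deliberately short key by exhaustive known-keystream search, and then extrapolates the measured rate to 48 bits and to longer keys. The toy cipher, the nonce, the key sizes and the throughput figures are all constructed assumptions; Crypto-1 itself is not implemented here.

```python
import hashlib
import hmac
import time

# Constructed stand-in for a "card cipher": a public keyed function that turns a
# k-bit key and a nonce into a short keystream. The point is Kerckhoffs's
# principle: the attacker knows this function; only the key is secret.
def keystream(key: int, key_bits: int, nonce: bytes, length: int = 8) -> bytes:
    key_bytes = key.to_bytes((key_bits + 7) // 8, "big")
    return hmac.new(key_bytes, nonce, hashlib.sha256).digest()[:length]


def brute_force(nonce: bytes, observed: bytes, key_bits: int):
    """Known-keystream attack: try every key until the keystream matches.

    Returns the recovered key, or None if no key in the space matches.
    """
    for candidate in range(1 << key_bits):
        if keystream(candidate, key_bits, nonce, len(observed)) == observed:
            return candidate
    return None


def search_cost_seconds(key_bits: int, keys_per_second: float) -> float:
    """Worst-case time to exhaust a key_bits-bit key space at a given rate."""
    return (1 << key_bits) / keys_per_second


def measure_rate(key_bits: int = 16) -> float:
    """Time an exhaustive search of a small space and return keys/second.

    The target key is placed at the top of the space so the whole space is
    searched, which gives a worst-case rate for this toy cipher.
    """
    nonce = b"\x01\x02\x03\x04"           # constructed, not a real card nonce
    secret = (1 << key_bits) - 1
    observed = keystream(secret, key_bits, nonce)
    start = time.perf_counter()
    found = brute_force(nonce, observed, key_bits)
    elapsed = time.perf_counter() - start
    assert found == secret
    return (1 << key_bits) / elapsed


def cost_table(keys_per_second: float, sizes=(32, 48, 64, 80, 128)):
    """Days needed to exhaust each key size at the given rate."""
    return {bits: search_cost_seconds(bits, keys_per_second) / 86400
            for bits in sizes}


if __name__ == "__main__":
    rate = measure_rate()
    print(f"single-core toy cipher rate: {rate:,.0f} keys/s")
    # Assumed attacker rates, to show how the 48-bit figure scales:
    # 1e8 keys/s is a modest hardware or multi-core setup, 1e9 a larger one.
    for assumed in (rate, 1e8, 1e9):
        print(f"\nat {assumed:,.0f} keys/s:")
        for bits, days in cost_table(assumed).items():
            print(f"  {bits:3d}-bit key: {days:>14,.3g} days")
```

With the two assumed attacker rates the 48-bit row comes out at roughly 33 days and 3.3 days respectively, which is the "days or weeks" the article describes, while 80- and 128-bit keys are out of reach at any rate. The search only works because the attacker has the function; with a secret algorithm and the same 48-bit key the system looked safe right up until the algorithm leaked.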
