[Muscle] Protecting a PIN with keyed hashing?
Joao Pedro
countzero at sapo.pt
Fri Jul 17 06:30:03 PDT 2009
Thanks Sébastien and everyone else who is participating!
Sébastien Lorquet <squalyl at gmail.com> wrote:
> the muscle applet is for global platform javacards right?
>
> Then about the GP secure channel already implemented
> (org.globalplatform.SecureChannel
> org.globalplatform.GPSystem.getSecureChannel() ) in these cards for
> secure messaging? it provides a mac+tdes encryption. also, writing
a
> software implementation is not difficult, if needed (to use other
> keys than SD's ones)
>
I think secure messaging could work well (I'm still trying to
understand all the mechanisms involved in it).
But, if I'm not mistaken, secure messaging involves the existence of
pre-shared keys. They can be symmetric (3DES), or assymetric (RSA) +
Diffie-Hellman parameters to establish the session keys. So, this
could be a bit of a hassle for users? I.e. the middleware would have
to know/generate these keys, etc.
> sebastien
>
> ps: the muscle applet also support strong authentication with a
> challenge/response exchange. A 128 bits TDES key can be seen as a
> 16-character PIN, that can be right padded with zeroes or other if
> needed. what do you think of this?
It's an idea, but what are the security implications of just zero
padding a PIN? It's an honest question :)
More information about the Muscle
mailing list