Smart-Card Hacking?

W3bbo asks: "With the ever-increasing information being stored on so-called 'Smart-Cards', including credit cards with the chips, how do we know what data is read by stores when you hand over your plastic? Seaching for 'smart-card hacking' just turns up satelite TV piracy websites and virtually nothing for (sort-of) legitimate investigation to our cards. So what methods are available to hack smart-card chips and see what information about us our banks store on our cards?"

Re:Kind of Esoteric, But...

[fuzzybunny]

Oh yeah? OH YEAH? Well, if you're going to provide actually _useful_ information, I might as well. Sigh. :-)

One common implementation of the key store Cthefuture mentioned uses the concept of a fixed-size "private" store on the card to protect your private keys via some sort of applet (as on a Javacard) or similar application. A "smart card" is basically a tiny computer with an external power source--it provides a processor and storage on board.

Your public keys will reside in a "public" store, typically 3x or more the size of the private store. The rest of the card can, in some instances and depending on the middleware present on the host computer, be used for application storage and execution, not just storage of personal data.

What you might also look into, if you're interested in hardware crypto, is the concept of hardware key storage units, such as the Chrysalis-ITS Luna, often used to protect master keys of smart card distributions, or CA signing keys.

Lastly, if you're getting yourself into a smart card-related deployment, you really should be aware that the technology, while occasionally fiddly, isn't going to be your core problem--especially if you're doing authentication, it's going to be the management of the cards and credentials (think: "what to do when called up with 'mommy I forgot my card at home'".)