Even Smart Cards Can Make Dumb Mistakes
Bits are a lie. The difference between the fiction of bits and the truth of actual hardware is a fundamental threat to secure computing.
The software pretense of bits depends on an upstream hardware reality of voltages, currents, stray radio-frequency emissions and other artifacts that our abstract models omit, but that a determined attacker can study and exploit. It's especially important to think about the oft-ignored behaviors of the physical machine if we're going to depend on ubiquitous devices such as "smart cards."
Portable, active security tokens have to be built inexpensively, and have to be compact and lightweight, to be useful in their intended applications; the problem is that these attributes often go hand in hand with revealing behaviors. Timing attacks, for example, measure how long a card takes to respond and combine those measurements with the attacker's knowledge of the algorithm it runs: when the running time depends on the secret key, each measurement eliminates candidates and dramatically shrinks the search space for possible keys. Differential power analysis applies the same idea to the card's power consumption, statistically correlating the measured current draw against the intermediate values the algorithm would compute under each key guess.
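The shrinking search space described above, as an added example that is not code from the original article: a hypothetical simulated card checks a secret with an early-exit comparison, so its response time depends on how many leading bytes of a guess are correct. For a deterministic run the "time" is modeled as the number of byte comparisons performed (a real attacker would measure clock cycles or a scope trace and average many queries to beat noise). The attacker recovers a 4-byte secret in about a thousand queries instead of the 256^4 a blind search needs; the constant-time version of the same check, written to do the same work regardless of the input, gives the attacker nothing to measure. All names (LeakyCard, HardenedCard, timing_attack, SAMPLE_SECRET) are assumptions for this illustration.

```python
"""Timing side channel on a simulated smart card, and the constant-time fix.

Hypothetical simulation for illustration. The card's only leak is how many
bytes of the secret it compared before answering, standing in for measured
response time.
"""

# Constructed sample secret with no zero bytes, so the zero padding used by the
# attacker never accidentally matches a byte and the run is deterministic.
SAMPLE_SECRET = bytes([0x4A, 0x7F, 0x13, 0xC8])


class LeakyCard:
    """Card that verifies a secret with an early-exit comparison.

    The loop stops at the first mismatch, so a guess with a correct prefix
    takes measurably longer to reject than a guess that is wrong at byte 0.
    """

    def __init__(self, secret: bytes) -> None:
        self._secret = secret
        self.last_ops = 0  # number of byte comparisons; stands in for response time

    def verify(self, guess: bytes) -> bool:
        ops = 0
        for a, b in zip(self._secret, guess):
            ops += 1
            if a != b:
                self.last_ops = ops
                return False          # early exit leaks the position of the mismatch
        self.last_ops = ops
        return len(guess) == len(self._secret)


class HardenedCard(LeakyCard):
    """Same card, but the comparison runs in constant time.

    Every byte is folded into an accumulator and the result is checked only
    after the loop, so the comparison count (our stand-in for time) no longer
    depends on the guess. In real Python code hmac.compare_digest does this.
    """

    def verify(self, guess: bytes) -> bool:
        if len(guess) != len(self._secret):
            self.last_ops = 0
            return False
        diff = 0
        ops = 0
        for a, b in zip(self._secret, guess):
            ops += 1
            diff |= a ^ b             # no branch on secret data
        self.last_ops = ops
        return diff == 0


def timing_attack(card: LeakyCard, length: int) -> tuple[bytes, int]:
    """Recover the secret byte by byte by picking the slowest-rejected candidate.

    Returns (recovered_bytes, number_of_queries). For each position every
    candidate byte is tried once, so the work is 256 * length queries at most,
    rather than 256 ** length for a blind search.
    """
    recovered = bytearray()
    queries = 0
    for pos in range(length):
        best_byte, best_time = 0, -1
        for candidate in range(256):
            guess = bytes(recovered) + bytes([candidate]) + bytes(length - pos - 1)
            queries += 1
            if card.verify(guess):
                return guess, queries             # full secret found
            if card.last_ops > best_time:         # longest time = longest correct prefix
                best_byte, best_time = candidate, card.last_ops
        recovered.append(best_byte)
    return bytes(recovered), queries


def demo() -> dict:
    """Run the attack against both cards and report the outcome."""
    leaky_result, leaky_queries = timing_attack(LeakyCard(SAMPLE_SECRET), len(SAMPLE_SECRET))
    hard_result, hard_queries = timing_attack(HardenedCard(SAMPLE_SECRET), len(SAMPLE_SECRET))
    return {
        "leaky_recovered": leaky_result == SAMPLE_SECRET,
        "leaky_queries": leaky_queries,
        "hardened_recovered": hard_result == SAMPLE_SECRET,
        "hardened_queries": hard_queries,
        "blind_search_size": 256 ** len(SAMPLE_SECRET),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Against the leaky card the attacker needs three full sweeps plus a partial fourth (the last byte is confirmed by the accept/reject answer rather than by timing); against the hardened card every candidate looks identical, the attacker's "best" byte is always the first one tried, and the recovered value is wrong. The defense is only as good as the whole code path: a constant-time compare wrapped in a length check, a cache-dependent table lookup or a data-dependent branch elsewhere reopens the channel.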
Yes, smart cards offer far more protection than many alternative forms of portable data packaging, such as magnetic stripes: being able to perform local computations, a smart card can take active measures in its own defense that a passive data record cannot. The current political environment makes it likely that smart card readers will proliferate more rapidly than might otherwise be the case, and smart card vendors are happy to encourage this, but these installations must be designed with care to avoid introducing new vulnerabilities at the same time that they promote a possibly false confidence.
If we start to believe that the model is the reality, we're making the same mistake as someone who puts a $100 lock on a steel-reinforced end flap on a cardboard box: Our model says that you have to open the lock and open the flap to get inside, but the pragmatic intruder can merely cut through the side of the box and take whatever he wants.
Smart cards are good locks, and with encrypted interfaces they can be used to construct well-reinforced doors, but we need to think like spies and burglars: The storehouses of our precious data must not have uncovered windows or fragile walls.