Smart card with LCD

Posted by Jonas Elfström Tue, 31 Jul 2007 21:10:00 GMT

This company is presenting a smart card with a built-in display. I do not know the underlying protocol for making debit/credit card payments by smart card instead of the magnetic stripe, but if the protocol is sophisticated enough this could help block some of the known attacks on those. As Chip and SPIN points out, smart cards have some issues. One of them is that if the terminal is compromised, you as a customer have no way to know that you are actually confirming the transaction you think you are while entering your PIN code. If your smart card shows the amount, you could at least not be deceived into emptying your account.
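To make the point about the compromised terminal concrete, here is a toy model added for this edit. It is not the real payment protocol and not code from the post or from the card vendor: the card is assumed to hold a key shared with the issuer and to authorise a payment by MACing the amount it is asked to approve. The key, the amounts and the "compromised terminal" that shows one figure to the customer and sends another to the card are all constructed for the example.

```ruby
require 'openssl'

# Toy model, not EMV. The card shares a key with the issuer and authorises a
# payment by MACing the amount it is asked to approve. Key and amounts are
# constructed for this example only.
ISSUER_KEY = 'example-card-key-not-real'.freeze

def card_mac(amount_cents)
  OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('SHA256'), ISSUER_KEY, "AMOUNT:#{amount_cents}")
end

# A card without a display approves whatever amount the terminal sends it;
# the holder only sees the terminal's screen and types the PIN.
def blind_card_approve(terminal_amount)
  { amount: terminal_amount, mac: card_mac(terminal_amount) }
end

# A card with a display shows the amount it has been asked to approve and
# only MACs it once the holder confirms that figure is the one they expect.
# Returns nil when the holder refuses, so no authorisation exists at all.
def display_card_approve(terminal_amount, holder_expects:)
  return nil unless terminal_amount == holder_expects
  { amount: terminal_amount, mac: card_mac(terminal_amount) }
end

# Issuer side: pay only if the MAC covers the amount being claimed.
def issuer_accepts?(authorisation)
  return false if authorisation.nil?
  authorisation[:mac] == card_mac(authorisation[:amount])
end

# Compromised terminal: its own screen shows the customer 12.50 while it
# asks the card to authorise 1250.00 (amounts in cents, constructed).
DISPLAYED_TO_CUSTOMER = 1_250
SENT_TO_CARD = 125_000

# Runs both card types against the same compromised terminal and reports
# how much the issuer ends up paying in each case.
def run_scenarios
  blind = blind_card_approve(SENT_TO_CARD)
  with_display = display_card_approve(SENT_TO_CARD, holder_expects: DISPLAYED_TO_CUSTOMER)
  {
    blind_card_paid: issuer_accepts?(blind) ? blind[:amount] : 0,
    display_card_paid: issuer_accepts?(with_display) ? with_display[:amount] : 0
  }
end

p run_scenarios if __FILE__ == $0 # => {:blind_card_paid=>125000, :display_card_paid=>0}
```

The caveat the model makes visible: a display on its own is not enough. The protection comes from the card binding the amount it displayed into the authorisation it produces, so that a terminal cannot show the holder one figure and have a different one accepted by the issuer. If the card displayed the amount but the authorisation did not cover it, the terminal could still substitute the amount after the holder confirmed.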

Lightning crashes

Posted by Jonas Elfström Mon, 09 Jul 2007 21:37:00 GMT

Three weeks ago lightning struck nearby. Today my ISP finally tried to change the switch at the central office, even though I had reported back to them that my VDSL modem worked just fine at a friend's house only a couple of days after my connection died.

The Zodiac Killer Cipher 5

Posted by Jonas Elfström Fri, 25 May 2007 16:31:00 GMT

The Zodiac Killer was a serial killer in the late sixties and maybe early seventies. He sent a number of letters to the press, including four ciphers or cryptograms, and only one of them has been solved. The killer's identity remains unknown.

Chris McCarthy has a nice page about the cipher and he also has an ASCII version of the cipher.

Here's a small Ruby hack that calculates the character frequency using the ASCII version of the cipher. Feel free to use it if you'd like to have a go at cracking it!

EDIT: At this page you can have a go at cracking it in real time. I am not convinced it's really a homophonic substitution cipher since the frequency analysis shows that the 340 does not have a flat frequency distribution.

It would be nice to know what cryptographic literature was available for the public in northern California in the late sixties.

Huge number factored into primes

Posted by Jonas Elfström Wed, 23 May 2007 05:12:00 GMT

Recently 2^1039-1 was factored. Is this the end of 1024-bit RSA encryption? Lenstra, one of the researchers, addresses this question: "Last time, it took nine years for us to generalize from a special to a non-special hard-to-factor number (155 digits). I won't make predictions, but let's just say it might be a good idea to stay tuned."

2^1039-1 is a number of a special form that the RSA algorithm would never use: an RSA modulus is the product of two random primes of roughly equal size, while the factoring of 2^1039-1 relied on a method (the special number field sieve) that exploits its particular form. So 1024-bit RSA might still be secure for the time being, but if you want to be future-safe, 2048 bits or more is the way to go.

Client side security

Posted by Jonas Elfström Mon, 30 Apr 2007 10:54:00 GMT

Recently a friend of mine ran into problems while trying to book a hotel room online. The JavaScript-driven calendar was IE-only and he is on Mac OS X. My friend then checked the source and saw that the JavaScript actually just set a value in a hidden input field. He fired up Firebug, edited the field manually and then submitted the form. When he got the confirmation of the booking he saw that he had accidentally typed 2006 instead of 2007. The only protection against booking dates in the past, dates already fully booked or dates in the year 2100 was the JavaScript that ran the calendar.

When building a web application you can never, ever trust that any of the data from the client has not been tampered with.

Some problems I've seen in the past:

  • Relying on JavaScript validation. JavaScript can be turned off or run through a debugger.

  • Having sensitive data in hidden input fields.

  • Storing sensitive data in cookies.

    • This is not a very common problem, since almost all web application frameworks handle this for you by only storing a session id in the cookie and the actual data on the server.
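What the booking site should have done is repeat every rule the calendar enforced on the server, treating the hidden field as untrusted input. The following is an added example written for this edit, not code from the post or from the hotel's site; the field names, the date rules, the list of fully booked dates and the secret are all made up. The second half shows the one legitimate use of a hidden field for server-issued data (a quoted price that has to round-trip through the form): sign it so that a Firebug-edited value is detected when it comes back.

```ruby
require 'date'
require 'openssl'

# Server-side validation of a booking form whose check-in date arrives in a
# hidden field set by client-side JavaScript. Example code for this post;
# field names, hotel rules and booked dates are constructed.
MAX_DAYS_AHEAD = 365
FULLY_BOOKED = [Date.new(2007, 5, 1)].freeze # constructed sample data

# Returns a list of error strings; an empty list means the request is acceptable.
# Every rule the JavaScript calendar enforced is enforced again here.
def validate_booking(params, today: Date.today, fully_booked: FULLY_BOOKED)
  raw = params['checkin'].to_s
  # Shape check first, then a real parse so 2007-02-30 is rejected too.
  return ['checkin is not a valid date'] unless raw.match?(/\A\d{4}-\d{2}-\d{2}\z/)
  checkin = begin
    Date.strptime(raw, '%Y-%m-%d')
  rescue ArgumentError
    return ['checkin is not a valid date']
  end

  errors = []
  errors << 'checkin is in the past' if checkin < today
  errors << 'checkin is too far ahead' if checkin > today + MAX_DAYS_AHEAD
  errors << 'checkin is fully booked' if fully_booked.include?(checkin)
  nights = params['nights'].to_s
  errors << 'nights must be 1..30' unless nights.match?(/\A\d+\z/) && (1..30).cover?(nights.to_i)
  errors
end

# Server-issued data that must round-trip through a hidden field (a quoted
# price, say) is made tamper-evident with an HMAC. Signing does not hide the
# value; anything that must stay secret belongs in the server-side session.
SECRET = 'example-only-secret'.freeze # constructed; a real app uses a random key

def hmac(value)
  OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('SHA256'), SECRET, value.to_s)
end

# Constant-time comparison so the MAC cannot be guessed byte by byte.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

def sign_hidden(value)
  "#{value}--#{hmac(value)}"
end

# Returns the original value if the signature checks out, nil otherwise.
def verify_hidden(field)
  value, sep, mac = field.to_s.rpartition('--')
  return nil if sep.empty?
  secure_equal?(mac, hmac(value)) ? value : nil
end

if __FILE__ == $0
  today = Date.new(2007, 4, 30)
  p validate_booking({ 'checkin' => '2006-05-10', 'nights' => '2' }, today: today)
  p validate_booking({ 'checkin' => '2007-05-10', 'nights' => '2' }, today: today)
  p verify_hidden(sign_hidden('99.00'))
  p verify_hidden(sign_hidden('99.00').sub('99.00', '1.00'))
end
```

In a real application the "fully booked" check is a database query rather than a list, and the signed-field trick is exactly what frameworks do for session cookies: the client carries the value, the server keeps the key, and an edited value simply fails verification.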
