To: 9fans@cse.psu.edu
Subject: Re: [9fans] Re: secret stuff
From: Richard Miller
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Content-Transfer-Encoding: 7bit
Message-Id: <20020616190522.D752119980@mail.cse.psu.edu>
Date: Sun, 16 Jun 2002 20:05:11 +0100
Topicbox-Message-UUID: af61d3de-eaca-11e9-9e20-41e7f4b1d025

Wow. This is what happens when you think out loud in 9fans.

I think I was careful to say that smart cards were tamper-resistant, not tamper-proof. If my secstore lives on a PC, it can be compromised by anyone who happens along with a boot disk. If I keep it on a smart card, it will take a bit more work to get into. That seems to me like an incremental improvement. I mentioned the idea in 9fans to see if anyone else would think so too.

The idea of using 9P is to have something at a higher level than the ISO 7816-3 APDU protocol for talking to multiple services on a card. This seems a simpler approach than implementing a subset of IP on the card (as, for example, Andy Tanenbaum's group have done). The files which appear when the card is mounted are channels to active programs rather than passive chunks of memory; individual channels can be authenticated and encrypted as appropriate for each service. In particular, the secstore channel would use the pak protocol, exactly as before.

If you're going to mount a physical attack on the card, I can't see that the communication protocol with the host is likely to make much difference. Patterns of computation and memory access in the applet on the card are much more vulnerable to side-channel leakage of information.

I'm sorry I haven't got a "system" to describe and defend. It's just a notion for a project -- partly to build something that I think might be useful, and partly to demonstrate some of the ideas of Plan 9 to my colleagues.

-- Richard