Caught in the Maze of Security Standards

摘要

We analyze the interactions between several national and international standards relevant for eCard applications, noting deficiencies in those standards, or at least deficiencies in the documentation of their dependencies. We show that smart card protocols are currently specified in a way that standard compliant protocol implementations may be vulnerable to attacks. We further show that attempts to upgrade security by increasing the length of cryptographic keys may fail when message formats in protocols are not re-examined at the same time. We argue that the entities responsible for accrediting smart card based applications thus require security expertise beyond the knowledge encoded in security standards and that a purely compliance based certification of eCard applications is insufficient.