communication components are essentially the same, assuming
that we disregard issues of standards that would be too unwieldy to present
here. Transmissions are easy to intercept, and in the current state of the
technology, it is easy to flood the air with radio waves and make the devices
inoperable, whether they are secure cores or not. This is what we described
earlier as denial of service attacks. Notwithstanding those attacks,
contactless smart cards have on board security processors and they can encrypt
information on the radio channel, such that interception of the communication with
radio equipment does not necessarily constitute a security breach.
We should
mention here that most current contactless smart cards are powered through the
air by the reception device. Energy is actually transmitted from the reception
device to the contactless smart card via electrical induction, which means that
a current is created inside the secure core by a magnetic field produced by, for
example, the electronic passport reading equipment. This significantly limits
the amount of power that the card can use for cryptography. Additionally, one
reason why contactless cards are used instead of contact cards is often to
allow more convenient physical protocols to be used. Specifically, the act of
inserting the contact card into a reader receptacle is avoided. This does have
the added impact of making the length of time that the card is in contact with
the reader an artifact of the actions of the cardholder. The card might be
pressed against the reader, or it might be waved past the reader. Consequently,
contactless cards not only have less power to bring to the task of cryptography,
they may also need to process faster. This has led to continued research into
more efficient cryptographic algorithms. Without delving into the mathematics,
we’ll simply mention that this can entail the use of elliptic curves, a branch
of number theory, to protect the communication channel. As we have suggested, a
relatively high level of trust can be derived from contactless cores; however,
this requires advanced circuitry that can be quite expensive. This is perhaps
acceptable for a passport, but not for a tag affixed to a banana. Therefore, we
see again here how cost impacts both trust and privacy.
Personal
electronic devices are powered by batteries. To be practical, their consumption
of electricity must be carefully monitored. In addition to powering themselves,
personal electronic devices have to power their secure core. Therefore, the
electricity budget extended to secure cores is limited and constantly
challenged. This creates limits on what secure cores can do, and therefore
careful choices have to be made in what needs to be trusted and what not.
Banking accounts and the like are obvious candidates for the secure core of the
personal electronic device. What about human interface functions, those
operations that enable the interaction of the owner of the personal electronic
device with the machine? These can involve relatively heavy graphical
operations and consequently require powerful computational capabilities,
accompanied by fast transmission of information to the screen. These are all
characteristics that are resource intensive to put on a secure core,
particularly if one considers that the processing needs to be made secure. In
this case, secure generally means much more complex and threat averse.
Otherwise, why put it on a secure core to start with? As it happens, since the
human interface component of the personal electronic device governs the
exchange of information between the machine and the person, it is an ideal
place for an impostor to capture information at the source, before there is a
chance to encrypt it. So, we are in a situation where we can make a security
argument for having human interface functions in the secure core but an efficiency
argument for having it in the untrusted part of the personal electronic device.
Trust arbitrages of this kind are inevitable. Prioritization is needed, and
consequences of prioritization have to be recognized and known. This is very
similar to what happens with the house security model we talked about earlier. We
may be willing to put a lock and key on the door, but not an alarm system. In
technical systems, we also prioritize trust.