From: Andreas J. <an...@io...> - 2013-08-28 06:10:09
2013/8/27 Anders Rundgren <and...@gm...>
> http://nelenkov.blogspot.com/2013/08/credential-storage-enhancements-android-43.html
>
> Unlike the situation for discrete smart cards there's no middleware to
> install; it is provided by the OS vendor.
>
> Unless the smart card industry manages getting the same support they will
> sooner or later face severe adoption issues except in isolated government
> markets like e-passports.
> This obviously calls for a completely standard PKI card...

Wow, you are still a huge believer in the smart card industry. Is there a good reason for that?

Smart cards are incompatible !"/%"!"! and they don't work well anywhere, other than in protected environments like closed systems - national eID cards, banking cards, access control cards etc. I can even understand well why that is: managing a single-use card is so much easier than cooperating on a multi-use card, with all the management nightmare as a fallout. Thus I believe there is no reason to hope the smart card situation will change, as there is no benefit for any player to change its behaviour.

Still, thank you for sharing that article. I find it very interesting to see how the security system moves into the HSM-like direction with no integrated storage. I worked with IBM HSM systems, and there you too only have the master encryption key inside the HSM, and all other credentials are stored in encrypted form on the host, and handed in to the HSM on demand for performing some operation.

Sure, a smart card can do more, and for having a card that is powered only when in a reader / next to the reader, an integrated system of storage and crypto functions is nicer. But for security in the device environment: why isn't the HSM-like mechanism superior? It seems easier to implement to me, and is far more flexible - no fuzzing around with PKCS#15 structures, storing the credentials on the host is far easier.

Regards,
Andreas
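The "master key inside the HSM, wrapped credentials on the host" design that the message describes, as an added illustration that is not part of the thread and not code from any of the IBM or Android products mentioned. The `HSM` type, the `Wrap`/`MAC` methods and the `app-signing-key` label are hypothetical names chosen for this example; it uses AES-256-GCM from the Go standard library for wrapping and binds the credential label as associated data, so a blob copied from one credential slot cannot be replayed under another label, and a blob altered on the host is refused before any operation runs.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// HSM models the device boundary: the only long-term secret is the master
// key, held here and never returned to the host. (Hypothetical type.)
type HSM struct {
	master cipher.AEAD
}

// NewHSM generates a fresh 256-bit master key inside the "device".
func NewHSM() (*HSM, error) {
	mk := make([]byte, 32)
	if _, err := rand.Read(mk); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(mk)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &HSM{master: aead}, nil
}

// Wrap encrypts credential key material under the master key and returns an
// opaque blob (nonce || ciphertext || tag) the host may store anywhere.
// The label is bound as associated data so the blob only works under that label.
func (h *HSM) Wrap(label string, keyMaterial []byte) ([]byte, error) {
	nonce := make([]byte, h.master.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := h.master.Seal(nil, nonce, keyMaterial, []byte(label))
	return append(nonce, ct...), nil
}

// GenerateKey creates a new 256-bit HMAC key inside the HSM and hands the
// host only the wrapped form; the plaintext never crosses the boundary.
func (h *HSM) GenerateKey(label string) ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return h.Wrap(label, key)
}

// unwrap is internal: GCM's tag check rejects any tampered or mislabelled blob.
func (h *HSM) unwrap(label string, blob []byte) ([]byte, error) {
	ns := h.master.NonceSize()
	if len(blob) < ns {
		return nil, errors.New("wrapped blob too short")
	}
	return h.master.Open(nil, blob[:ns], blob[ns:], []byte(label))
}

// MAC is the "operation on demand": the host hands in the blob and the message,
// the HSM unwraps the key only for the duration of this call and returns the tag.
func (h *HSM) MAC(label string, blob, msg []byte) ([]byte, error) {
	key, err := h.unwrap(label, blob)
	if err != nil {
		return nil, fmt.Errorf("refusing operation: %w", err)
	}
	m := hmac.New(sha256.New, key)
	m.Write(msg)
	return m.Sum(nil), nil
}

func main() {
	hsm, err := NewHSM()
	if err != nil {
		panic(err)
	}
	// The host's credential store holds ciphertext only (constructed label).
	hostStore := map[string][]byte{}
	blob, err := hsm.GenerateKey("app-signing-key")
	if err != nil {
		panic(err)
	}
	hostStore["app-signing-key"] = blob

	msg := []byte("constructed message to authenticate")
	tag, err := hsm.MAC("app-signing-key", hostStore["app-signing-key"], msg)
	if err != nil {
		panic(err)
	}
	fmt.Printf("wrapped blob held by host: %x\n", blob)
	fmt.Printf("HMAC computed inside HSM:  %x\n", tag)

	// A single flipped byte in the stored blob is detected before use.
	tampered := append([]byte(nil), blob...)
	tampered[len(tampered)-1] ^= 0x01
	if _, err := hsm.MAC("app-signing-key", tampered, msg); err != nil {
		fmt.Println("tampered blob:", err)
	}
}
```

The point of the shape is the one the message makes: the host side needs nothing more than a blob store, while every use of a credential still has to go through the device that holds the master key, and the device can tell a genuine blob from a corrupted or swapped one without any PKCS#15-style file structure on its side.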