Eurosmart proposes security segmentation
Eurosmart White Paper goes into details about the various risks attached witheach smart card application. It makes a distinction between four basic types ofattacks: physical, side channel, faults and logical.
The White Paper aims at establishing Security Levels:
- Basic, associated with memory cards. Many RFID or contactless chips fall into the category of basic security. Most allow value to be read but not freely modified. Some simply transmit a serial number.
- Medium, associated with systems where there are some assets to protect and a basic level of protection only would pose unacceptable risk. To determine the correct security measures to take, a risk analysis is needed. However, typical measures taken at this medium level might include a strong algorithm with sufficient key length and a robust authentication protocol to avoid any disclosure of the keys.
- High and Very High, generally associated with very sensitive systems where attacks are made against the entire system rather than against individual smart tokens and where the potential level of return is high. One example might be mobile television but the exact meaning of high security will differ from area to area. Other examples might be banking cards or government ID cards.
Two other factors are important to consider. In all of these areas, the userperception of the security level is just as important as the actual security level,however ill-informed that perception might be. Furthermore, Eurosmart alsorecommends mandating an external laboratory to perform an independentevaluation of the efficiency of the counter-measures used.Eurosmart "Smart Security Market Segmentation" provides a series of use cases,with a discussion about security issue for each application. This section includescorporate ID, passports, national ID, driver's license, healthcare, basic prepaidSIM cards, SIM cards, payment cards, internet banking.
The document also provides a list of questions helping the potential applicationdeveloper to assess the required security level:
- . Is a full copy necessary for an attack or just a functional copy?
- . Potential income for the hackers from attack?
- . How quickly will the attack produce a payback?
- . How long is the lifecycle of my product?
- . How cheaply can the hacker fake or manipulate my product?
- . How much skill does a hacker need to attack my product?
- . How easily can a hacker access my sensitive data?
- . How widely available are samples of my product?
- . How motivated is the product end user to protect the product from attack?
- . Is my product also a target for ethical or recreational hackers?
- . How much will an attack damage the image of my product?
- . If my product is successfully attacked how much will this damage my company?
In the future Eurosmart members selling Smart Security may also use thesecriteria to describe the security of their products. To support this industry ratingof products, Eurosmart has adopted a new label of ‘Smart Security’ that shouldbe associated with this list of criteria and the definition of security levels. Thepurpose is to give an idea of the value of the product (in terms of security)behind the label.
Basic, medium and high levels will be self-awarded. A grading of very high for aproduct must be checked and endorsed by Eurosmart. The award of a level canbe represented by an exclusive Eurosmart graphic.Eurosmart White Paper can be downloaded from the association web site.