
> Security protocols have a short list of moving parts and trade offs and where to attack them. RNGs, key storage, key derivation, counters, and access modes, to name a few. They're only completely different to people who don't understand them.

Funny, I would have said that they only look very similar to one another to people who aren't deep enough in the weeds of a particular one.

Yes, they're ultimately all built out of the same building blocks. But just with these few you've mentioned, together with possibly having more than two actors in your system and corresponding privileged keys, the complexity of the aggregate protocol hockey sticks very quickly, and you absolutely can't reduce all problems to one another anymore.

Humans are made of atoms, yet when you're sick you go to a physician, not to a physicist.

> If you are using symmetric secrets in smart cards, you're using something within a degree of EMV

Oh, absolutely not. Sorry, but with this statement you show that you aren't familiar with other protocols in this space. There are so many smartcard (and adjacent, e.g. stored-value cards like MIFARE) protocols that use symmetric keys, yet don't share any of EMV's historical problems. I mean, even GlobalPlatform itself uses symmetric cryptography!

That's like saying that SSH and TLS are very similar protocols, since they both use asymmetric key exchanges to secure and authenticate a symmetrically-encrypted application layer channel.




A two party protocol that involves mutual authentication and key exchange has a short set of essential variations, with some features and even some theatre wrapped around it. Not sure if you're being obtuse or misleading, but yes, GlobalPlatform used symmetric cryptography because that's the literal compatibility problem they impose that is a constraint on developing more modern smart card based protocols. There are also only a few main smart card vendors and they have ecosystem constraints that favor compromises like the ones discussed. Yeah, I totally don't know what I'm talking about.

The protocols and proposals I did evaluations for implemented the trade offs I mentioned above. The reason it's important for hackers to focus on these technologies is because this is literally the bar institutions use to make decisions about infrastructure security. What the original post demonstrated was the protocol implemented in these cards had vulnerabilities that were consistent with the limitations of using symmetric keys that incorporate constraints from legacy protocols.

My follow-up was that there are some very obvious places to check for further vulnerabilities, and the research is important to do so because it antagonizes just the sort of authoritarian personalities you want to keep in check in a free society. This is what hackers are for. I've made my contributions to ensuring privacy laws were upheld and that backdoored digital identity schemes could not survive, and I'm very glad a younger generation of hackers is taking up this most important work.

To anyone working on these problems, don't let the personalities discourage you, it means you're over the target.



