A computer scientist at DCU is working out how to make smart cards safer - with an unexpected spin-off, reports Dick Ahlstrom
It is a battle of wits with huge rewards for the winner. Crooks are finding new ways to attack "smart card" bank and credit-card technology while card manufacturers counter with increasingly complex defences.
A Dublin City University graduate student is engaged in this battle royal while working towards a PhD on computer security. Claire Whelan, of DCU's computer-science department, benefits from a research collaboration agreed between the university and Gemplus, a Luxembourg-based smart-card manufacturer.
It is all about protecting the security systems build in to smart cards, explains Whelan. "These are plastic cards with an embedded microprocessor." Examples include the SIM card in your mobile phone, the next generation of credit cards and, in the future, passports and driving licences, she says.
The chips carry highly sensitive coded information of value to thieves, providing a financial incentive to overcome each new security barrier as it is installed. Whelan is working on both sides of this fence, trying to crack systems as a way to make them safer.
"We are finding new attacks and defending against them," she says. "There are countermeasures, but nothing can guard against them 100 per cent."
Even so, Whelan must be a formidable investigator, given her recent involvement in a new method to read blacked-out sections of declassified government documents.
She and Dr David Naccache of Gemplus decoded the hidden words in a memo to President Bush that was released last month for an inquiry in to September 11th. The pair also read concealed words in documents from the Hutton Inquiry in to the death of the UK government scientist Dr David Kelly.
The two devised a way to measure the width of the blacked-out word, first identifying the font, then measuring the covered word down to a small fraction of a letter width. A computer interrogates an online dictionary to find words of similar width; then grammatical analysis rules out most of these. A simple human scan of the remaining candidate words will reveal the most likely hidden one. The context of the sentence helps this, she says.
The two researchers presented their technique earlier this month at the Eurocrypt 2004 conference, in Switzerland, where they caused quite a stir.
This work is some distance, however, from her real research interests, which relate to "side channel attacks" on smart cards. The work focuses on the tiny electronic signals given off by a smart card while it is in operation. "When smart cards are put in to the reader they do certain operations," she says. "Information leaks naturally from the card. You can pick this up and find ways to take information from the card."
They use several techniques, including studying how much power the card uses. "We look down at the very low-level operations and try to make a correlation between the power used by the card and these low-level operations," she says. If they can make the connection they can work out the hidden encryption key used to conceal the data, which in turn will open up whatever details the card holds.
Whelan received a three-year €60,000 scholarship to pursue the work from the Irish Research Council for Science, Engineering and Technology. "I wouldn't be here if it wasn't for them," she says.