Is Gemalto’s NIM Secure?

In my two most recent security posts, I talked about USB key solutions to Internet security. A comment from Schlum led me to contact Gemalto about a USB product that they promise will make your online experience secure. Their YouTube video doesn't give enough information to make any sort of recommendation, so I sent them an email. I asked what differentiates their product from the TrueCrypt/Portable Firefox key that I carry. Here is their reply:

Hi,

Thank you for your email.
The TrueCrypt seems to be a portable Password wallet and is primarily aimed at user convenience and not security.

The NIM is for now an issuer deployed (by your bank, or stock trading portal or any issuer who needs to make sure that the users are securely logging into their portals and can mutually authenticate them).

There can be multiple issuers who could use the same device avoiding a necklace of devices effect.

The key difference between a password wallet and the NIM is that the NIM is not prone to man-in-the-middle or phishing attacks.

I hope that they make a deal with my bank soon, so I can truly evaluate this product. But until then, I don't have any specific information to go by. So I can only make the following general precautionary statements.

Do not use your TrueCrypt or any other USB key on an untrusted computer. Any USB key that does not have its own processor is no more secure than a floppy disk. Any program on the host computer can read and write data on the USB key. If you mount an encrypted drive, then its contents become clearly visible to any program on that machine. And if you have to enter a password, as you do for TrueCrypt, then a key logger can steal the password. Just like Gemalto says, the TrueCrypt/Portable Firefox USB key is for convenience, not for security on unknown systems.

Any device that lacks a processor to perform encryption and decryption must share the key with the host. If the host is compromised, then the key can be stolen. Similarly, any device that lacks a keypad must collect the password from the host. If that host is compromised, the password can be lifted.

Just remember when using any USB solution: the computer sits between you and your key. A man-in-the-middle attack doesn't have to come from outside the system.
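To make the two preceding points concrete, here is an added toy model (not from the post, and not Gemalto's or TrueCrypt's code): a compromised PC is modelled as a relay that records every byte it handles, and the same bank challenge is answered first with a passive flash drive and then with a token that has its own processor. The XOR "volume", the HMAC challenge-response and all names are constructed for illustration.

```python
# Added example: a compromised host sits between the user and the key and
# records everything it relays. Design A (passive flash drive) must hand the
# host the password and the decrypted secret; design B (token with its own
# processor) hands it only the PIN and the challenge. All values are constructed.
import hashlib
import hmac

class ObservingHost:
    """Stands in for a compromised PC: logs everything that passes through."""
    def __init__(self):
        self.seen = {}
    def relay(self, label: str, data: bytes) -> bytes:
        self.seen[label] = bytes(data)
        return data

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def volume_key(password: str) -> bytes:
    return hashlib.sha256(password.encode()).digest()

# Design A: the password is typed on the host and the volume is decrypted by
# the host CPU, so host software sees the password and the secret.
def passive_key_login(host, password, stored_volume, challenge) -> bytes:
    pwd = host.relay("password", password.encode()).decode()
    secret = host.relay("secret", _xor(stored_volume, volume_key(pwd)))
    return host.relay("response", hmac.new(secret, challenge, "sha256").digest())

# Design B: the secret is only ever used inside the token. Without a keypad
# the PIN still crosses the host, as the post notes, but the secret does not.
class ProcessorToken:
    def __init__(self, secret: bytes, pin: str):
        self._secret, self._pin = secret, pin
    def respond(self, pin: str, challenge: bytes) -> bytes:
        if pin != self._pin:
            raise PermissionError("wrong PIN")
        return hmac.new(self._secret, challenge, "sha256").digest()

def token_login(host, token, pin, challenge) -> bytes:
    pin_seen = host.relay("pin", pin.encode()).decode()
    return host.relay("response", token.respond(pin_seen, host.relay("challenge", challenge)))

def compare(secret=b"S" * 32, password="hunter2", challenge=b"nonce-from-bank"):
    """Run both designs through an observing host; return what each host saw."""
    a, b = ObservingHost(), ObservingHost()
    volume = _xor(secret, volume_key(password))   # constructed "encrypted volume"
    ra = passive_key_login(a, password, volume, challenge)
    rb = token_login(b, ProcessorToken(secret, password), password, challenge)
    assert ra == rb          # both answer the bank correctly, but ...
    return a.seen, b.seen    # ... only design A exposed the secret to the host
```

Both designs satisfy the bank, which is exactly why a login succeeding tells you nothing about whether the host between you and the key has been reading along.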

One Response to “Is Gemalto’s NIM Secure?”

  1. Sonic Says:

    Hi,

    If I'm correct, the NIM will be a "multimedia smartcard" based solution (smartcard + flash memory + USB interface). The keys & security will be handled in the smartcard (it has CPU, RAM, FLASH, etc... - it's like a small computer hosting a Java VM) and the host computer will just transmit encrypted data.

    Best regards,
    Sonic
