Full Disclosure mailing list archives
RE: Clear text password exposure in Datakey's tokens and smartcards
From: Dana Hudes <dhudes () tcp-ip info>
Date: Fri, 6 Aug 2004 14:48:05 -0400 (EDT)
as I understand it a "PIN Card" is a card with an EEPROM on it that contains a PIN. Possibly encrypted but its the same effect as any other file. The host decides if the PIN matches. A smart card has onboard microprocessor with software that includes encryption support (in my day it was DES). The reader presents the PIN to the card and the *card* not only can authenticate but also provide authorization information (or any other supplementary response, such as not just a PGP key pair (i.e. the secret and public keys) but the user's keyring as well. Even more interesting and useful is the use of this card to run algorithms to provide one-time pad ciphers. While you could do that host-based from a regular EEPROM card it requires that the host know the pad selection algorithm . On Fri, 6 Aug 2004 Bart.Lansing () kohls com wrote:
Guys... RSA has been doing PIN cards for ages...I don't get the hangup on SmartCards vs "plain old" something you have/something you know two factor http://www.rsasecurity.com/node.asp?id=1311 Cost of entry/ownership is nothing remotely close to the $1000 you mention Lyal...in fact, it's under 1/10 of that on a per seat basis... Why get hung up on it being a smartcard, when you can do two factor with a much lower entry cost and do it, frankly, easier? Bart Lansing Manager, Desktop Services Kohl's IT full-disclosure-admin () lists netsys com wrote on 08/05/2004 08:45:33 PM:This exposure, of PIN compromise, is genric in all smartcard productstoday,unless a dedicated PINpad or biometric-sensor equipped readers are used-putting cost of ownership towards $1000 in some cases. PC/SC doesn't help - as a data interfcae API spec, it excludes human interface aspects. STIP (Small Terminal Interoperability Platform at www.stip.org) moves in this direction, but has evolved into manyvariants tointeroperate with proprietary vendors and proprietary industrystandards.The challenges in putting biometric sensors or PINpads onto cardsincludethe need to conform to ISO 7816 for form factor, physical resilienceetc,and that the cards are unpowered. Or, someone redesigns the entire form-factor, user interface model, portability and business model - something that has previously failed to go anywhere. Something like a mobile phone or PDA is a good compromise tool to this overall exposure, imho. Lyal -----Original Message----- From: Kevin Sheldrake [mailto:kev () electriccat co uk] Sent: Thursday, 5 August 2004 8:39 PM To: Toomas Soome; lionel.ferette () belnet be Cc: vuln () hexview com; full-disclosure () lists netsys com; bugtraq () securityfocus com Subject: Re: [Full-disclosure] Clear text password exposure in Datakey's tokens and smartcards Surely if the user is entering a passphrase then the same problem exists-that of effectively eavesdropping that communication from the keyboard? Ignoring the initial expense for a moment, wouldn't it have made a lotofsense to include the keypad actually on the cards? Obviously, card readers would need to be contructed such that the keypad part of thecardwould be exposed during use. The keypad security could then rely on thetamper resistant properties of the rest of the card. From a costs perspective, I would guess that the actual per-card cost increase would be minimal if hundreds of millions of these cards were produced. KevLionel Ferette wrote:Note that this is true for almost all card readers on the market, notonly for Datakey's. Having worked for companies using crypto smart cards, I have conducted a few risk analysis about that. Theconclusionhas always been that if the PIN must be entered from a PC, and the attacker has means to install software on the system (throughdirectedviruses, social engineering, etc), the game's over. The only solution against that problem is to have the PIN entered using a keypad on the reader. Only then does the cost of an attack raise significantly. But that is opening another can of worms,becausethere is (was?) no standard for card readers with attached pin pad(atthe time, PC/SCv2 wasn't finalised - is it?).at least some cards are supporting des passphrases to implementsecuredcommunication channels but I suppose this feature is not that widelyinuse.... how many card owners are prepared to remember both PIN codes and passphrases... toomas-- Kevin Sheldrake MEng MIEE CEng CISSP Electric Cat (Bournemouth) Ltd _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.htmlCONFIDENTIALITY NOTICE: This is a transmission from Kohl's Department Stores, Inc. and may contain information which is confidential and proprietary. If you are not the addressee, any disclosure, copying or distribution or use of the contents of this message is expressly prohibited. If you have received this transmission in error, please destroy it and notify us immediately at 262-703-7000. CAUTION: Internet and e-mail communications are Kohl's property and Kohl's reserves the right to retrieve and read any message created, sent and received. Kohl's reserves the right to monitor messages by authorized Kohl's Associates at any time without any further consent.
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- Clear text password exposure in Datakey's tokens and smartcards vuln (Aug 03)
- Re: Clear text password exposure in Datakey's tokens and smartcards Lionel Ferette (Aug 04)
- Re: Clear text password exposure in Datakey's tokens and smartcards Toomas Soome (Aug 04)
- Re: Clear text password exposure in Datakey's tokens and smartcards Kevin Sheldrake (Aug 05)
- Re: Clear text password exposure in Datakey's tokens and smartcards Seth Breidbart (Aug 06)
- RE: Clear text password exposure in Datakey's tokens and smartcards Israel Torres (Aug 06)
- RE: Clear text password exposure in Datakey's tokens and smartcards Lyal Collins (Aug 06)
- RE: Clear text password exposure in Datakey's tokens and smartcards Bart . Lansing (Aug 06)
- RE: Clear text password exposure in Datakey's tokens and smartcards Dana Hudes (Aug 06)
- RE: Clear text password exposure in Datakey's tokens and smartcards Curt Sampson (Aug 08)
- Re: Clear text password exposure in Datakey's tokens and smartcards Steve Kudlak (Aug 09)
- Message not available
- Re: Clear text password exposure in Datakey's tokens and smartcards Steve Kudlak (Aug 10)
- Message not available
- Re: Clear text password exposure in Datakey's tokens and smartcards Steve Kudlak (Aug 10)
- Re: Clear text password exposure in Datakey's tokens and smartcards Toomas Soome (Aug 04)
- Re: Clear text password exposure in Datakey's tokens and smartcards Lionel Ferette (Aug 04)
- Re: Clear text password exposure in Datakey's tokens and smartcards Lee Dilkie (Aug 05)