PaulDotCom mailing list archives
Re: Soft Tokens??
From: Conrad Constantine <conrad () 1211 net>
Date: Sat, 10 Nov 2012 11:38:27 -0500
> Not saying the app is as secure as the hardware token just a different way to implement it.

Yeah, but security is all about the implementation, and a hardware implementation has a completely different attack surface from a purely software one. (Look at the attack against RSA Soft-Tokens earlier this year, or the smartcard-hijack trojan that AlienVault Labs (plug plug!) dissected back in January...)
For instance, the RSA hard tokens have a bunch of anti-tamper mechanisms in them that aren't possible with a soft token. (Travis Goodspeed's awesome work in bypassing that aside for the moment)
(Hell, I got to tell a bunch of .gov types just that - 'Security is all in the implementation, and attackers are not Intimidated by your Specifications')
So yeah, I'd say that it is anything but 'just' a different way to implement it.
The Sykipot variant that hijacked military smartcards would have been completely worthless if the smartcard readers had physical PIN pads instead of using a software PIN unlock, for example, but implementing it in software made the card readers cheaper and easier to deploy. Same functionality, completely different attack surface.