Full Disclosure mailing list archives
Re: Clear text password exposure in Datakey's tokens and smartcards
From: Lionel Ferette <lionel.ferette () belnet be>
Date: Wed, 4 Aug 2004 08:45:21 +0200
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hello, In the wise words of vuln () hexview com, on Wednesday 04 August 2004 07:08:
Clear text password exposure in Datakey's tokens and smartcards
[SNIP]
Cause and Effect: ================= The communication channel between the token and the driver is not encrypted. User's PIN can be retrieved using proxy driver or hardware sniffer.
Note that this is true for almost all card readers on the market, not only for Datakey's. Having worked for companies using crypto smart cards, I have conducted a few risk analysis about that. The conclusion has always been that if the PIN must be entered from a PC, and the attacker has means to install software on the system (through directed viruses, social engineering, etc), the game's over. The only solution against that problem is to have the PIN entered using a keypad on the reader. Only then does the cost of an attack raise significantly. But that is opening another can of worms, because there is (was?) no standard for card readers with attached pin pad (at the time, PC/SCv2 wasn't finalised - is it?). [SNIP] Cheers, Lionel - -- "They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety." -- Benjamin Franklin Lionel Ferette BELNET CERT Coordinator Rue de la Science 4 Tel: +32 2 7903385 1000 Brussels Fax: +32 2 7903375 Belgium PGP Key Id: 0x5662FD4B -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.4 (GNU/Linux) iD8DBQFBEIYGDd3gqVZi/UsRAqEMAKDAISNaTuvH8eH37ER1wSO/zUq22gCgsG9W PqY79HOMC3f+CWkUQXLPp1E= =k9PO -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- Clear text password exposure in Datakey's tokens and smartcards vuln (Aug 03)
- Re: Clear text password exposure in Datakey's tokens and smartcards Lionel Ferette (Aug 04)
- Re: Clear text password exposure in Datakey's tokens and smartcards Toomas Soome (Aug 04)
- Re: Clear text password exposure in Datakey's tokens and smartcards Kevin Sheldrake (Aug 05)
- Re: Clear text password exposure in Datakey's tokens and smartcards Seth Breidbart (Aug 06)
- RE: Clear text password exposure in Datakey's tokens and smartcards Israel Torres (Aug 06)
- RE: Clear text password exposure in Datakey's tokens and smartcards Lyal Collins (Aug 06)
- RE: Clear text password exposure in Datakey's tokens and smartcards Bart . Lansing (Aug 06)
- RE: Clear text password exposure in Datakey's tokens and smartcards Dana Hudes (Aug 06)
- RE: Clear text password exposure in Datakey's tokens and smartcards Curt Sampson (Aug 08)
- Re: Clear text password exposure in Datakey's tokens and smartcards Steve Kudlak (Aug 09)
- Message not available
- Re: Clear text password exposure in Datakey's tokens and smartcards Steve Kudlak (Aug 10)
- Re: Clear text password exposure in Datakey's tokens and smartcards Toomas Soome (Aug 04)
- Re: Clear text password exposure in Datakey's tokens and smartcards Lionel Ferette (Aug 04)