Full Disclosure mailing list archives
Re: Clear text password exposure in Datakey's tokens and smartcards
From: Lee Dilkie <lee_dilkie () mitel com>
Date: Thu, 05 Aug 2004 09:03:03 -0400
Toomas Soome wrote:
Lionel Ferette wrote:Note that this is true for almost all card readers on the market, not only for Datakey's. Having worked for companies using crypto smart cards, I have conducted a few risk analysis about that. The conclusion has always been that if the PIN must be entered from a PC, and the attacker has means to install software on the system (through directed viruses, social engineering, etc), the game's over.The only solution against that problem is to have the PIN entered using a keypad on the reader. Only then does the cost of an attack raise significantly. But that is opening another can of worms, because there is (was?) no standard for card readers with attached pin pad (at the time, PC/SCv2 wasn't finalised - is it?).at least some cards are supporting des passphrases to implement secured communication channels but I suppose this feature is not that widely in use.... how many card owners are prepared to remember both PIN codes and passphrases...toomas
Perhaps I'm missing something here. As far as I can tell, no keys located on the card were compromised, only the PIN was. Since this is a two factor authentication system, possession of the PIN is of little value without possession of the token itself.
Am I missing the point here? regards, -lee -- __|__ --@--@--(_)--@--@-- "You can't be a real country unless you have a BEER and an airline. It helps if you have some kind of a football team, or some nuclear weapons, but at the very least you need a BEER."--Frank Zappa __|__
--@--@--(_)--@--@-- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- Re: Clear text password exposure in Datakey's tokens and smartcards, (continued)
- Re: Clear text password exposure in Datakey's tokens and smartcards Kevin Sheldrake (Aug 05)
- Re: Clear text password exposure in Datakey's tokens and smartcards Seth Breidbart (Aug 06)
- RE: Clear text password exposure in Datakey's tokens and smartcards Israel Torres (Aug 06)
- RE: Clear text password exposure in Datakey's tokens and smartcards Lyal Collins (Aug 06)
- RE: Clear text password exposure in Datakey's tokens and smartcards Bart . Lansing (Aug 06)
- RE: Clear text password exposure in Datakey's tokens and smartcards Dana Hudes (Aug 06)
- RE: Clear text password exposure in Datakey's tokens and smartcards Curt Sampson (Aug 08)
- Re: Clear text password exposure in Datakey's tokens and smartcards Steve Kudlak (Aug 09)
- Message not available
- Re: Clear text password exposure in Datakey's tokens and smartcards Steve Kudlak (Aug 10)
- Message not available
- Re: Clear text password exposure in Datakey's tokens and smartcards Steve Kudlak (Aug 10)
- Re: Clear text password exposure in Datakey's tokens and smartcards Lee Dilkie (Aug 05)