Full Disclosure mailing list archives
RE: Clear text password exposure in Datakey's tokens and smartcards
From: "Israel Torres" <israel.torres () ssplitronic com>
Date: Thu, 5 Aug 2004 18:29:26 -0700
Simply by exposing "another" vulnerability in a "secure" system allows judgement to be made on what type of hardware is necessary for the "secure system" (i.e. will this system serve as a public kiosk, or will this system be at the user's bidding?). Vulnerabilities should be kept to a minimum and narrow the choice of attack vectors an attacker may choose from when attempting to compromise a target system. Once a system is compromised and rooted there is little that can prevent the attacker from collecting what they are searching for (be it pins, passwords, source code, etc) before they vanish into the darkness. Israel Torres -----Original Message----- From: Kevin Sheldrake [mailto:kev () electriccat co uk] Sent: Thursday, August 05, 2004 3:39 AM To: Toomas Soome; lionel.ferette () belnet be Cc: vuln () hexview com; full-disclosure () lists netsys com; bugtraq () securityfocus com Subject: Re: [Full-disclosure] Clear text password exposure in Datakey's tokens and smartcards Surely if the user is entering a passphrase then the same problem exists - that of effectively eavesdropping that communication from the keyboard? Ignoring the initial expense for a moment, wouldn't it have made a lot of sense to include the keypad actually on the cards? Obviously, card readers would need to be contructed such that the keypad part of the card would be exposed during use. The keypad security could then rely on the tamper resistant properties of the rest of the card. From a costs perspective, I would guess that the actual per-card cost increase would be minimal if hundreds of millions of these cards were produced. Kev
Lionel Ferette wrote:Note that this is true for almost all card readers on the market, not only for Datakey's. Having worked for companies using crypto smart cards, I have conducted a few risk analysis about that. The conclusion has always been that if the PIN must be entered from a PC, and the attacker has means to install software on the system (through directed viruses, social engineering, etc), the game's over. The only solution against that problem is to have the PIN entered using a keypad on the reader. Only then does the cost of an attack raise significantly. But that is opening another can of worms, because there is (was?) no standard for card readers with attached pin pad (at the time, PC/SCv2 wasn't finalised - is it?).at least some cards are supporting des passphrases to implement secured communication channels but I suppose this feature is not that widely in use.... how many card owners are prepared to remember both PIN codes and passphrases... toomas
-- Kevin Sheldrake MEng MIEE CEng CISSP Electric Cat (Bournemouth) Ltd _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- Clear text password exposure in Datakey's tokens and smartcards vuln (Aug 03)
- Re: Clear text password exposure in Datakey's tokens and smartcards Lionel Ferette (Aug 04)
- Re: Clear text password exposure in Datakey's tokens and smartcards Toomas Soome (Aug 04)
- Re: Clear text password exposure in Datakey's tokens and smartcards Kevin Sheldrake (Aug 05)
- Re: Clear text password exposure in Datakey's tokens and smartcards Seth Breidbart (Aug 06)
- RE: Clear text password exposure in Datakey's tokens and smartcards Israel Torres (Aug 06)
- RE: Clear text password exposure in Datakey's tokens and smartcards Lyal Collins (Aug 06)
- RE: Clear text password exposure in Datakey's tokens and smartcards Bart . Lansing (Aug 06)
- RE: Clear text password exposure in Datakey's tokens and smartcards Dana Hudes (Aug 06)
- RE: Clear text password exposure in Datakey's tokens and smartcards Curt Sampson (Aug 08)
- Re: Clear text password exposure in Datakey's tokens and smartcards Steve Kudlak (Aug 09)
- Message not available
- Re: Clear text password exposure in Datakey's tokens and smartcards Steve Kudlak (Aug 10)
- Message not available
- Re: Clear text password exposure in Datakey's tokens and smartcards Steve Kudlak (Aug 10)
- Re: Clear text password exposure in Datakey's tokens and smartcards Toomas Soome (Aug 04)
- Re: Clear text password exposure in Datakey's tokens and smartcards Lionel Ferette (Aug 04)
- Re: Clear text password exposure in Datakey's tokens and smartcards Lee Dilkie (Aug 05)