[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Full-Disclosure] Clear text password exposure in Datakey's tokens and smartcards
- To: lionel.ferette@xxxxxxxxx
- Subject: Re: [Full-Disclosure] Clear text password exposure in Datakey's tokens and smartcards
- From: Toomas Soome <Toomas.Soome@xxxxxxxxxxxx>
- Date: Wed, 04 Aug 2004 23:11:48 +0300
Lionel Ferette wrote:
Note that this is true for almost all card readers on the market, not only for
Datakey's. Having worked for companies using crypto smart cards, I have
conducted a few risk analysis about that. The conclusion has always been that
if the PIN must be entered from a PC, and the attacker has means to install
software on the system (through directed viruses, social engineering, etc),
the game's over.
The only solution against that problem is to have the PIN entered using a
keypad on the reader. Only then does the cost of an attack raise
significantly. But that is opening another can of worms, because there is
(was?) no standard for card readers with attached pin pad (at the time,
PC/SCv2 wasn't finalised - is it?).
at least some cards are supporting des passphrases to implement secured
communication channels but I suppose this feature is not that widely in
use.... how many card owners are prepared to remember both PIN codes
and passphrases...
toomas
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html