[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: [Full-Disclosure] Clear text password exposure in Datakey's tokens and smartcards

To: "Kevin Sheldrake" <kev@xxxxxxxxxxxxxxxxx>, "Toomas Soome" <Toomas.Soome@xxxxxxxxxxxx>, <lionel.ferette@xxxxxxxxx>
Subject: RE: [Full-Disclosure] Clear text password exposure in Datakey's tokens and smartcards
From: "Israel Torres" <israel.torres@xxxxxxxxxxxxxxx>
Date: Thu, 5 Aug 2004 18:29:26 -0700

Simply by exposing "another" vulnerability in a "secure" system allows 
judgement to be made on what type of hardware is necessary for the "secure 
system" (i.e. will this system serve as a public kiosk, or will this system be 
at the user's bidding?). Vulnerabilities should be kept to a minimum and narrow 
the choice of attack vectors an attacker may choose from when attempting to 
compromise a target system. Once a system is compromised and rooted there is 
little that can prevent the attacker from collecting what they are searching 
for (be it pins, passwords, source code, etc) before they vanish into the 
darkness. 

Israel Torres

-----Original Message-----
From: Kevin Sheldrake [mailto:kev@xxxxxxxxxxxxxxxxx]
Sent: Thursday, August 05, 2004 3:39 AM
To: Toomas Soome; lionel.ferette@xxxxxxxxx
Cc: vuln@xxxxxxxxxxx; full-disclosure@xxxxxxxxxxxxxxxx;
bugtraq@xxxxxxxxxxxxxxxxx
Subject: Re: [Full-Disclosure] Clear text password exposure in Datakey's
tokens and smartcards

Surely if the user is entering a passphrase then the same problem exists -  
that of effectively eavesdropping that communication from the keyboard?

Ignoring the initial expense for a moment, wouldn't it have made a lot of  
sense to include the keypad actually on the cards?  Obviously, card  
readers would need to be contructed such that the keypad part of the card  
would be exposed during use.  The keypad security could then rely on the  
tamper resistant properties of the rest of the card.

 From a costs perspective, I would guess that the actual per-card cost  
increase would be minimal if hundreds of millions of these cards were  
produced.

Kev

> Lionel Ferette wrote:
>
>> Note that this is true for almost all card readers on the market, not  
>> only for Datakey's. Having worked for companies using crypto smart  
>> cards, I have conducted a few risk analysis about that. The conclusion  
>> has always been that if the PIN must be entered from a PC, and the  
>> attacker has means to install software on the system (through directed  
>> viruses, social engineering, etc), the game's over.
>>  The only solution against that problem is to have the PIN entered  
>> using a keypad on the reader. Only then does the cost of an attack  
>> raise significantly. But that is opening another can of worms, because  
>> there is (was?) no standard for card readers with attached pin pad (at  
>> the time, PC/SCv2 wasn't finalised - is it?).
>>
>
> at least some cards are supporting des passphrases to implement secured  
> communication channels but I suppose this feature is not that widely in  
> use....  how many card owners are prepared to remember both PIN codes  
> and passphrases...
>
> toomas
>
>

-- 
Kevin Sheldrake MEng MIEE CEng CISSP
Electric Cat (Bournemouth) Ltd

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

References:
- Re: [Full-Disclosure] Clear text password exposure in Datakey's tokens and smartcards
  - From: Kevin Sheldrake

Prev by Date: [Full-Disclosure] Re: MS04-025 - Ignorance is truly bliss....
Next by Date: [Full-Disclosure] waa waa (was Finally the truth slips out)
Previous by thread: Re: [Full-Disclosure] Clear text password exposure in Datakey's tokens and smartcards
Next by thread: Re: [Full-Disclosure] Clear text password exposure in Datakey's tokens and smartcards
Index(es):
- Date
- Thread