In the wise words of Valdis.Kletnieks@xxxxxx, on Thursday 01 December 2005 18:57: [SNIP] > Using crypto all the way from the web server to a smart-card (so all the > compromised system can see is encrypted data it can't get the key for) can > help yere. Even then, you would need a card reader with integrated pinpad. Otherwise, the keylogger can still sniff the PIN code entry - and then generate any signature it wants by accessing the PC/SC layer directly (been there, done that). Lionel -- "To understand how progress failed to make our lives easier, please press 3" Lionel Ferette BELNET CERT Coordinator Tel: +32 2 7903385 http://cert.belnet.be/ Fax: +32 2 7903375 PGP Key Id: 0x5662FD4B
Attachment:
pgpAh109K8eKu.pgp
Description: PGP signature
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/