| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
From: vuln at hexview.com (vuln@...view.com) Subject: Clear text password exposure in Datakey's tokens and smartcards -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Clear text password exposure in Datakey's tokens and smartcards Classification: =============== Level: [LOW]-med-high-crit ID: HEXVIEW*2004*08*03*1 Overview: ========= Datakey (http://www.datakey.com) delivers smartcard and token-based authentication and identity management solutions. Datakey's latest smartcards and USB tokens are based on Philips 5032 cryptoprocessor running DKCCOS (Datakey Cryptographic Card Operating System). An implementation flaw makes possible to retrieve user's PIN by sniffing communication channel between smartcard/token and smartcard driver. Affected products: ================== All tests were performed using Rainbow iKey2032 USB token and Datakey's up-to-date CIP client package. Since the same firmware is also used in Datakey's 330-series smartcards, all of them are also vulnerable. Cause and Effect: ================= The communication channel between the token and the driver is not encrypted. User's PIN can be retrieved using proxy driver or hardware sniffer. Retrieved password can later be used by attacker to authenticate against the token and logon to the system, decrypt confidential information, or perform other unauthorized activities depending on what a specific smartcard implementation is used for. Note that LOW risk level reflects overall industry impact. Since Datakey's tokens and smartcards are used by many organizations to secure critical information, the issue may be of much higher concern for some users. History Tour: ============= The vulnerability described in this advisory is not the first and only problem with Datakey's smartcards. There was an earlier (also resolved) issue with smartcard driver caching user's PIN in clear text on a local filesystem. It looks like Datakey may need to send its programmers to attend some classes on how to write a secure code. Vendor Status: ============== Although HexView did not notify the vendor, Datakey was well aware of the vulnerability and put significant efforts in order to address the issue. As per reliable source of information, Datakey's new firmware version encrypts communication channel utilizing Diffie-Hellman to exchange encryption keys. Please note that HexView does not notify vendors unless there is a prior agreement to do so. Vendors interested in receiving notifications prior to public disclosure or receiving more detailed analysis may obtain more information by writing to the e-mail address provided at the end of the document. About HexView: ============== HexView contributes to online security-related lists for almost a decade. The scope of our expertize spreads over Windows, Linux, Sun, MacOS platforms, network applications, and embedded devices. The chances are you read our advisories or disclosures. For the sake of readability and easy web indexing we recently decided to use the HexView alias to publish all the information. Distribution: ============= This document may be freely distributed through any channels as long as the contents are kept unmodified. Commercial use of the information in the document is not allowed without written permission from HexView signed by our pgp key. Feedback and comments: ====================== Feedback and questions about this disclosure are welcome at vtalk@...view.com -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.4 (GNU/Linux) iD8DBQFBEG9pDPV1+KQrDqQRAjJzAKCTwJkfQmv9kKCmsgei7VZgaEHsagCcCwMl /Hdru/H6y4HEmkFIHPbpOkU= =p84D -----END PGP SIGNATURE-----
Powered by blists - more mailing lists