| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <41114304.4090403@microlink.ee> Date: Wed, 04 Aug 2004 23:11:48 +0300 From: Toomas Soome <Toomas.Soome@...rolink.ee> To: lionel.ferette@...net.be Cc: vuln@...view.com, full-disclosure@...ts.netsys.com, bugtraq@...urityfocus.com Subject: Re: Clear text password exposure in Datakey's tokens and smartcards Lionel Ferette wrote: > Note that this is true for almost all card readers on the market, not only for > Datakey's. Having worked for companies using crypto smart cards, I have > conducted a few risk analysis about that. The conclusion has always been that > if the PIN must be entered from a PC, and the attacker has means to install > software on the system (through directed viruses, social engineering, etc), > the game's over. > > The only solution against that problem is to have the PIN entered using a > keypad on the reader. Only then does the cost of an attack raise > significantly. But that is opening another can of worms, because there is > (was?) no standard for card readers with attached pin pad (at the time, > PC/SCv2 wasn't finalised - is it?). > at least some cards are supporting des passphrases to implement secured communication channels but I suppose this feature is not that widely in use.... how many card owners are prepared to remember both PIN codes and passphrases... toomas _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Powered by blists - more mailing lists