lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <011201c47b57$130f0860$6500a8c0@kpllaptop>
Date: Fri, 6 Aug 2004 11:45:33 +1000
From: "Lyal Collins" <lyalc@...mail.com.au>
To: "'Kevin Sheldrake'" <kev@...ctriccat.co.uk>,
   "'Toomas Soome'" <Toomas.Soome@...rolink.ee>, <lionel.ferette@...net.be>
Cc: <vuln@...view.com>, <full-disclosure@...ts.netsys.com>,
   <bugtraq@...urityfocus.com>
Subject: RE: Clear text password exposure in Datakey's tokens and smartcards


This exposure, of PIN compromise, is genric in all smartcard products today,
unless a dedicated PINpad or biometric-sensor  equipped readers are used -
putting cost of ownership towards $1000 in some cases.
PC/SC doesn't help - as a data interfcae API spec, it excludes human
interface aspects.  STIP (Small Terminal Interoperability Platform at
www.stip.org) moves in this direction, but has evolved into many variants to
interoperate with proprietary vendors and proprietary industry standards.

The challenges in putting biometric sensors or PINpads onto cards include
the need to conform to ISO 7816 for form factor, physical resilience etc,
and that the cards are unpowered.  Or, someone redesigns the entire
form-factor, user interface model, portability and business model -
something that has previously failed to go anywhere.

Something like a mobile phone or PDA is a good compromise tool to this
overall exposure, imho.

Lyal



-----Original Message-----
From: Kevin Sheldrake [mailto:kev@...ctriccat.co.uk] 
Sent: Thursday, 5 August 2004 8:39 PM
To: Toomas Soome; lionel.ferette@...net.be
Cc: vuln@...view.com; full-disclosure@...ts.netsys.com;
bugtraq@...urityfocus.com
Subject: Re: [Full-Disclosure] Clear text password exposure in Datakey's
tokens and smartcards


Surely if the user is entering a passphrase then the same problem exists -  
that of effectively eavesdropping that communication from the keyboard?

Ignoring the initial expense for a moment, wouldn't it have made a lot of  
sense to include the keypad actually on the cards?  Obviously, card  
readers would need to be contructed such that the keypad part of the card  
would be exposed during use.  The keypad security could then rely on the  
tamper resistant properties of the rest of the card.

 From a costs perspective, I would guess that the actual per-card cost  
increase would be minimal if hundreds of millions of these cards were  
produced.

Kev


> Lionel Ferette wrote:
>
>> Note that this is true for almost all card readers on the market, not  
>> only for Datakey's. Having worked for companies using crypto smart  
>> cards, I have conducted a few risk analysis about that. The conclusion  
>> has always been that if the PIN must be entered from a PC, and the  
>> attacker has means to install software on the system (through directed  
>> viruses, social engineering, etc), the game's over.
>>  The only solution against that problem is to have the PIN entered  
>> using a keypad on the reader. Only then does the cost of an attack  
>> raise significantly. But that is opening another can of worms, because  
>> there is (was?) no standard for card readers with attached pin pad (at  
>> the time, PC/SCv2 wasn't finalised - is it?).
>>
>
> at least some cards are supporting des passphrases to implement secured  
> communication channels but I suppose this feature is not that widely in  
> use....  how many card owners are prepared to remember both PIN codes  
> and passphrases...
>
> toomas
>
>



-- 
Kevin Sheldrake MEng MIEE CEng CISSP
Electric Cat (Bournemouth) Ltd


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ