| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 06 Aug 2004 12:25:04 +0100 From: "Kevin Sheldrake" <kev@...ctriccat.co.uk> To: "Lyal Collins" <lyalc@...mail.com.au>, "'Toomas Soome'" <Toomas.Soome@...rolink.ee>, lionel.ferette@...net.be Cc: bugtraq@...urityfocus.com Subject: Re: [Full-Disclosure] Clear text password exposure in Datakey's tokens and smartcards I don't doubt the widespread inherent nature of this vulnerability. Smart cards used with PCs as the man-machine-interface is simply asking for trouble IMHO. Unless I'm mistaken, there is very little that can be done about this without redesigning/replacing current smart cards. Obviously, bespoke MMIs (such as door access systems) are less vulnerable to this issue. My problem is that people seem to view smart cards as a panacea, as a place to store digital certificates or 'identities' and then use them to 'prove' who they are. Don't even start me on biometrics; if there is a PC (or anything that runs software) between the reader and the authenticator then couldn't you just replace the reader with another bit of software that pretends to be a reader? Where can I get the biometric info required? Police stations have a large quantity of finger prints, as have practically every surface you've touched recently... Kev > This exposure, of PIN compromise, is genric in all smartcard products > today, > unless a dedicated PINpad or biometric-sensor equipped readers are used > - > putting cost of ownership towards $1000 in some cases. > PC/SC doesn't help - as a data interfcae API spec, it excludes human > interface aspects. STIP (Small Terminal Interoperability Platform at > www.stip.org) moves in this direction, but has evolved into many > variants to > interoperate with proprietary vendors and proprietary industry standards. > > The challenges in putting biometric sensors or PINpads onto cards include > the need to conform to ISO 7816 for form factor, physical resilience etc, > and that the cards are unpowered. Or, someone redesigns the entire > form-factor, user interface model, portability and business model - > something that has previously failed to go anywhere. > > Something like a mobile phone or PDA is a good compromise tool to this > overall exposure, imho. > > Lyal > > > > -----Original Message----- > From: Kevin Sheldrake [mailto:kev@...ctriccat.co.uk] > Sent: Thursday, 5 August 2004 8:39 PM > To: Toomas Soome; lionel.ferette@...net.be > Cc: vuln@...view.com; full-disclosure@...ts.netsys.com; > bugtraq@...urityfocus.com > Subject: Re: [Full-Disclosure] Clear text password exposure in Datakey's > tokens and smartcards > > > Surely if the user is entering a passphrase then the same problem exists > - > that of effectively eavesdropping that communication from the keyboard? > > Ignoring the initial expense for a moment, wouldn't it have made a lot of > sense to include the keypad actually on the cards? Obviously, card > readers would need to be contructed such that the keypad part of the card > would be exposed during use. The keypad security could then rely on the > tamper resistant properties of the rest of the card. > > From a costs perspective, I would guess that the actual per-card cost > increase would be minimal if hundreds of millions of these cards were > produced. > > Kev > > >> Lionel Ferette wrote: >> >>> Note that this is true for almost all card readers on the market, not >>> only for Datakey's. Having worked for companies using crypto smart >>> cards, I have conducted a few risk analysis about that. The conclusion >>> has always been that if the PIN must be entered from a PC, and the >>> attacker has means to install software on the system (through directed >>> viruses, social engineering, etc), the game's over. >>> The only solution against that problem is to have the PIN entered >>> using a keypad on the reader. Only then does the cost of an attack >>> raise significantly. But that is opening another can of worms, because >>> there is (was?) no standard for card readers with attached pin pad (at >>> the time, PC/SCv2 wasn't finalised - is it?). >>> >> >> at least some cards are supporting des passphrases to implement secured >> communication channels but I suppose this feature is not that widely in >> use.... how many card owners are prepared to remember both PIN codes >> and passphrases... >> >> toomas >> >> > > > -- Kevin Sheldrake MEng MIEE CEng CISSP Electric Cat (Bournemouth) Ltd
Powered by blists - more mailing lists