lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <012301c47e58$780323b0$6500a8c0@kpllaptop>
Date: Tue, 10 Aug 2004 07:33:04 +1000
From: "Lyal Collins" <lyalc@...mail.com.au>
To: <Bart.Lansing@...ls.com>
Cc: <bugtraq@...urityfocus.com>, <full-disclosure@...ts.netsys.com>,
   <full-disclosure-admin@...ts.netsys.com>
Subject: RE: Clear text password exposure in	Datakey's	tokens and smartcards


I think we are in agreement - witout necessarily having started out that
way!

The admin, training and back office costs associated with any authentication
mechanism have to be part of the TCO.
Secure and partable as smartcard are, their TCO is often prohibitive.
Among my customers, OTP devices like SecureID can also be cost prohibitive -
but more affordable than Smartcards.  Biometrics appear to be somewhere
between those two cost levels, and password regimes are the lowest TCO.

For these reasons, I suspect, many choose to rely on ID/password regimes,
since the admin cost of password regimes is only partially replaced by the
equivalent function's overheads in OTP and smartcard regimes - lets not
forget permission changes, revocations, and other user maintenance costs.
When the cost of password support is added up along side those aspects, then
passwords are very cost effective.   

As we've just discussed the cost of better authentication tools like
biometrics and OTP, then a risk/value judgment will occur inevitably
depending on each site's perception of risk.  
I deliberately exclude PKI from the preceding since imho, PKI is merely a
tool that verifies after the fact, that the correct password was entered at
some time.

Lyal




-----Original Message-----
From: Bart.Lansing@...ls.com [mailto:Bart.Lansing@...ls.com] 
Sent: Tuesday, 10 August 2004 1:01 AM
To: Lyal Collins
Cc: bugtraq@...urityfocus.com; full-disclosure@...ts.netsys.com;
full-disclosure-admin@...ts.netsys.com
Subject: RE: [Full-Disclosure] Clear text password exposure in Datakey's
tokens and smartcards



Why yes Lyal, it is...

Mea culpa...but:

TCO is not as simple as you lay it out for your smartcard either.  We were 
apples-to-apples there for a bit...but, let's drive into your purported 
TCO costs on the smartcard there, shall we?  First, you seem to have no 
back-end administration (this is a self-maintained model you have? please 
explain how that works) to deal with lost cards, forgotten PINs, 
failed/trashed hardware, etc.  Additionally, in any reasonably sized 
enterprise, you'll need resources allocated to handle new hires, machine 
moves, upgrades, etc.  If you intend to cost-burden the existing staff 
that's fine...but it's still there.  System integration? You're telling me 
your smartcard system has none?  Unless you just have your system doing 
authentications at boot, you most certainly do have intergration.  If you 
intend to secure some environments more than others, like, at the 
application level, you have the same integration issues with either system 
(and probably worse with yours, as RSA has been banging around at this a 
long time, and the list of apps that RSA can bolt onto is extensive)...so 
let's call that a wash too.

So let's jack your per-seat price up accordingly, ok?  But you know, tell 
you what, let's leave your TCO where it is and bear in mind that I was 
responding to a $1000/seat number from you, not the $210 + consultant you 
just tossed back. (Sorry if this sounds sarcastic, but you've changed the 
parameters and ommited factors as important to the TCO as I did, and then 
lowered your number just to sound more cost-effective...not cricket, old 
boy)

Now, let's take a look at a typical RSA solution, street prices, for 250 
users, and remember that the cost scales down from here:

server software (w/24x7 support), about $20,000 US
server hardware (trivial, but let's toss a couple of blades at it just for 
fun) $10,000 US
Cards (generous here, very) @ $70.00 US X 250 = $17,500 US

I'm going to burden my existing staff with back-end support and admin, 
just like you did.  So, we have a per-seat, fully burdened TCO of 
$190/seat

In a mobile workforce there are additional benefits as well, Lyal...like 
not having laptop users lug around a card reader that they have to a) 
remember, and b) plug in every time they want to use the PC.  You may well 
respond by saying that's trivial...but then, you aren't the user, he won't 
say that.  The easier we can make his use of secure products and systems 
the more likely he is to use them, would you agree?



Bart Lansing
Manager, Desktop Services
Kohl's IT


"Lyal Collins" <lyalc@...mail.com.au> wrote on 08/08/2004 02:32:15 AM:

> $10 smartcard
> $200 reader (with pinpad)
> $500-$1000 to have someone (at consultant dates) spend up to a day
> installing the necessary proprietary drivers, install batteries (or AC
> adapter/plugpacks, because Smartcards can require more power than a 
serial
> port, particularly when just inserted and training the (typically 
non-techo)
> user on how to use the PINpad.
> Then 2-3 years later, repeating the whole process again because they
> upgraded/rebeuilt their machine, and can't get the proporietary drivers 
to
> talk to the proprietary reader w/PINpad, or to repalce the batteries 
etc.
> 
> One-time token are so much cheaper, and $120-$150 AUD (about US$80) plus
> $10-$25k for the server software, and a bunch of people time 
deistributing
> the right token to the right person, plus system integration etc. 
> 
> Sorry if this sounds sarcastic, but the cost of ownership issue is way 
more
> complex than just the device unit cost.
> 
> Lyal
> 
> 
> 
> -----Original Message-----
> From: Bart.Lansing@...ls.com [mailto:Bart.Lansing@...ls.com] 
> Sent: Friday, 6 August 2004 11:54 PM
> To: bugtraq@...urityfocus.com; full-disclosure@...ts.netsys.com;
> full-disclosure-admin@...ts.netsys.com
> Subject: RE: [Full-Disclosure] Clear text password exposure in Datakey's
> tokens and smartcards
> 
> 
> 
> Guys...
> 
> RSA has been doing PIN cards for ages...I don't get the hangup on 
> SmartCards vs "plain old" something you have/something you know two 
factor
> 
> http://www.rsasecurity.com/node.asp?id=1311
> 
> Cost of entry/ownership is nothing remotely close to the $1000 you 
mention 
> Lyal...in fact, it's under 1/10 of that on a per seat basis...
> 
> Why get hung up on it being a smartcard, when you can do two factor with 
a 
> much lower entry cost and do it, frankly, easier?
> 
> Bart Lansing
> Manager, Desktop Services
> Kohl's IT
> 
> 
> full-disclosure-admin@...ts.netsys.com wrote on 08/05/2004 08:45:33 PM:
> 
> > This exposure, of PIN compromise, is genric in all smartcard products 
> today,
> > unless a dedicated PINpad or biometric-sensor  equipped readers are 
used 
> -
> > putting cost of ownership towards $1000 in some cases.
> > PC/SC doesn't help - as a data interfcae API spec, it excludes human
> > interface aspects.  STIP (Small Terminal Interoperability Platform at
> > www.stip.org) moves in this direction, but has evolved into many 
> variants to
> > interoperate with proprietary vendors and proprietary industry 
> standards.
> > 
> > The challenges in putting biometric sensors or PINpads onto cards 
> include
> > the need to conform to ISO 7816 for form factor, physical resilience 
> etc,
> > and that the cards are unpowered.  Or, someone redesigns the entire
> > form-factor, user interface model, portability and business model -
> > something that has previously failed to go anywhere.
> > 
> > Something like a mobile phone or PDA is a good compromise tool to this
> > overall exposure, imho.
> > 
> > Lyal
> > 
> > 
> > 
> > -----Original Message-----
> > From: Kevin Sheldrake [mailto:kev@...ctriccat.co.uk] 
> > Sent: Thursday, 5 August 2004 8:39 PM
> > To: Toomas Soome; lionel.ferette@...net.be
> > Cc: vuln@...view.com; full-disclosure@...ts.netsys.com;
> > bugtraq@...urityfocus.com
> > Subject: Re: [Full-Disclosure] Clear text password exposure in 
Datakey's
> > tokens and smartcards
> > 
> > 
> > Surely if the user is entering a passphrase then the same problem 
exists 
> - 
> > that of effectively eavesdropping that communication from the 
keyboard?
> > 
> > Ignoring the initial expense for a moment, wouldn't it have made a lot 

> of 
> > sense to include the keypad actually on the cards?  Obviously, card 
> > readers would need to be contructed such that the keypad part of the 
> card 
> > would be exposed during use.  The keypad security could then rely on 
the 
> 
> > tamper resistant properties of the rest of the card.
> > 
> >  From a costs perspective, I would guess that the actual per-card cost 

> > increase would be minimal if hundreds of millions of these cards were 
> > produced.
> > 
> > Kev
> > 
> > 
> > > Lionel Ferette wrote:
> > >
> > >> Note that this is true for almost all card readers on the market, 
not 
> 
> > >> only for Datakey's. Having worked for companies using crypto smart 
> > >> cards, I have conducted a few risk analysis about that. The 
> conclusion 
> > >> has always been that if the PIN must be entered from a PC, and the 
> > >> attacker has means to install software on the system (through 
> directed 
> > >> viruses, social engineering, etc), the game's over.
> > >>  The only solution against that problem is to have the PIN entered 
> > >> using a keypad on the reader. Only then does the cost of an attack 
> > >> raise significantly. But that is opening another can of worms, 
> because 
> > >> there is (was?) no standard for card readers with attached pin pad 
> (at 
> > >> the time, PC/SCv2 wasn't finalised - is it?).
> > >>
> > >
> > > at least some cards are supporting des passphrases to implement 
> secured 
> > > communication channels but I suppose this feature is not that widely 

> in 
> > > use....  how many card owners are prepared to remember both PIN 
codes 
> > > and passphrases...
> > >
> > > toomas
> > >
> > >
> > 
> > 
> > 
> > -- 
> > Kevin Sheldrake MEng MIEE CEng CISSP
> > Electric Cat (Bournemouth) Ltd
> > 
> > 
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.netsys.com/full-disclosure-charter.html
> 
> 
> CONFIDENTIALITY NOTICE: 
> This is a transmission from Kohl's Department Stores, Inc.
> and may contain information which is confidential and proprietary.
> If you are not the addressee, any disclosure, copying or distribution or 
use
> of the contents of this message is expressly prohibited.
> If you have received this transmission in error, please destroy it and
> notify us immediately at 262-703-7000.
> 
> CAUTION:
> Internet and e-mail communications are Kohl's property and Kohl's 
reserves
> the right to retrieve and read any message created, sent and received.
> Kohl's reserves the right to monitor messages by authorized Kohl's
> Associates at any time
> without any further consent.
> 
> 


CONFIDENTIALITY NOTICE: 
This is a transmission from Kohl's Department Stores, Inc.
and may contain information which is confidential and proprietary.
If you are not the addressee, any disclosure, copying or distribution or use
of the contents of this message is expressly prohibited.
If you have received this transmission in error, please destroy it and
notify us immediately at 262-703-7000.

CAUTION:
Internet and e-mail communications are Kohl's property and Kohl's reserves
the right to retrieve and read any message created, sent and received.
Kohl's reserves the right to monitor messages by authorized Kohl's
Associates at any time
without any further consent.


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ