lists.openwall.net mailing list archive
From: Toomas.Soome at microlink.ee (Toomas Soome)
Subject: Clear text password exposure in Datakey's tokens and smartcards

Lionel Ferette wrote:

> Note that this is true for almost all card readers on the market, not only for 
> Datakey's. Having worked for companies using crypto smart cards, I have 
> conducted a few risk analyses about that. The conclusion has always been that 
> if the PIN must be entered from a PC, and the attacker has means to install 
> software on the system (through directed viruses, social engineering, etc.), 
> the game's over.
> 
> The only solution against that problem is to have the PIN entered using a 
> keypad on the reader. Only then does the cost of an attack rise 
> significantly. But that is opening another can of worms, because there is 
> (was?) no standard for card readers with attached PIN pad (at the time, 
> PC/SC v2 wasn't finalised - is it?).
> 

At least some cards support DES passphrases to implement secured 
communication channels, but I suppose this feature is not that widely in 
use... How many card owners are prepared to remember both PIN codes 
and passphrases...

toomas


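The reply above mentions cards that take a DES passphrase to set up a secured channel between the host and the card. The program below is an added illustration written for this page, not code from the thread, from Datakey or from any real card: it models a host sending a VERIFY (PIN check) command to a card over a passphrase-keyed secure channel, with 2-key triple DES in CBC mode for confidentiality and an ISO 9797-1 retail MAC for integrity. The key derivation (labelled SHA-256), the APDU layout, the status words, and the sample passphrase and PIN are assumptions of the example.

```go
package main

import (
	"bytes"
	"crypto/cipher"
	"crypto/des"
	"crypto/hmac"
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
)

// APDU is a simplified ISO 7816-4 command: 4-byte header (CLA INS P1 P2) plus data.
// Real secure messaging wraps the data in tagged objects; that framing is omitted.
type APDU struct {
	Header [4]byte
	Data   []byte
}

// sessionKeys derives a 2-key triple-DES key and a separate MAC key from the
// channel passphrase. Labelled SHA-256 is an assumption of this example only.
func sessionKeys(passphrase string) (encKey, macKey []byte) {
	e := sha256.Sum256([]byte("enc:" + passphrase))
	m := sha256.Sum256([]byte("mac:" + passphrase))
	return e[:16], m[:16]
}

// pad applies ISO 9797-1 padding method 2: 0x80, then zeros to a block boundary.
func pad(b []byte) []byte {
	out := append(append([]byte{}, b...), 0x80)
	for len(out)%des.BlockSize != 0 {
		out = append(out, 0x00)
	}
	return out
}

// unpad strips method-2 padding; ok is false when the 0x80 marker is missing.
func unpad(b []byte) (data []byte, ok bool) {
	i := bytes.LastIndexByte(b, 0x80)
	if i < 0 {
		return nil, false
	}
	return b[:i], true
}

// tdesCBC runs 2-key triple DES (K1 K2 K1) in CBC mode with a zero IV.
func tdesCBC(key16, in []byte, encrypt bool) []byte {
	block, err := des.NewTripleDESCipher(append(append([]byte{}, key16...), key16[:8]...))
	if err != nil {
		panic(err)
	}
	iv := make([]byte, des.BlockSize)
	out := make([]byte, len(in))
	if encrypt {
		cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, in)
	} else {
		cipher.NewCBCDecrypter(block, iv).CryptBlocks(out, in)
	}
	return out
}

// retailMAC is ISO 9797-1 MAC algorithm 3: single-DES CBC-MAC under K1, then the
// final state is decrypted under K2 and re-encrypted under K1.
func retailMAC(key16, msg []byte) []byte {
	k1, _ := des.NewCipher(key16[:8])
	k2, _ := des.NewCipher(key16[8:16])
	m := pad(msg)
	state := make([]byte, des.BlockSize)
	for i := 0; i < len(m); i += des.BlockSize {
		for j := range state {
			state[j] ^= m[i+j]
		}
		k1.Encrypt(state, state)
	}
	k2.Decrypt(state, state)
	k1.Encrypt(state, state)
	return state
}

// BuildVerify is the host side. It must hold both the passphrase and the PIN in
// the clear here: the channel protects the reader cable, not the PC itself.
func BuildVerify(passphrase, pin string) APDU {
	encKey, macKey := sessionKeys(passphrase)
	hdr := [4]byte{0x0C, 0x20, 0x00, 0x81} // CLA with SM bits, INS VERIFY, P2 = assumed key ref
	cryptogram := tdesCBC(encKey, pad([]byte(pin)), true)
	mac := retailMAC(macKey, append(hdr[:], cryptogram...))
	return APDU{Header: hdr, Data: append(cryptogram, mac...)}
}

// Card simulates the card side: shared passphrase, reference PIN, retry counter.
type Card struct {
	passphrase string
	pin        string
	tries      int
}

func NewCard(passphrase, pin string) *Card {
	return &Card{passphrase: passphrase, pin: pin, tries: 3}
}

// Process verifies the MAC before touching the PIN, so a tampered or mis-keyed
// command is rejected without consuming a PIN attempt. Returns the status word.
func (c *Card) Process(a APDU) uint16 {
	if a.Header[0] != 0x0C || a.Header[1] != 0x20 {
		return 0x6D00 // INS not supported
	}
	n := len(a.Data)
	if n < 2*des.BlockSize || n%des.BlockSize != 0 {
		return 0x6700 // wrong length
	}
	encKey, macKey := sessionKeys(c.passphrase)
	cryptogram, mac := a.Data[:n-des.BlockSize], a.Data[n-des.BlockSize:]
	msg := append(append([]byte{}, a.Header[:]...), cryptogram...)
	if !hmac.Equal(retailMAC(macKey, msg), mac) {
		return 0x6988 // secure messaging data objects incorrect (MAC failed)
	}
	if c.tries == 0 {
		return 0x6983 // authentication method blocked
	}
	plain, ok := unpad(tdesCBC(encKey, cryptogram, false))
	if ok && subtle.ConstantTimeCompare(plain, []byte(c.pin)) == 1 {
		c.tries = 3
		return 0x9000
	}
	c.tries--
	if c.tries == 0 {
		return 0x6983
	}
	return 0x63C0 | uint16(c.tries) // wrong PIN, remaining tries in low nibble
}

func main() {
	card := NewCard("channel-passphrase", "1234") // constructed sample secrets
	good := BuildVerify("channel-passphrase", "1234")
	fmt.Printf("on the wire: %x\n", good.Data)
	fmt.Printf("correct PIN: %04X\n", card.Process(good))
	fmt.Printf("wrong PIN:   %04X\n", card.Process(BuildVerify("channel-passphrase", "0000")))
	good.Data[0] ^= 0x01
	fmt.Printf("tampered:    %04X\n", card.Process(good))
}
```

Running it shows what the channel buys: an observer on the reader cable sees only a cryptogram and a MAC, and a modified command or one built with the wrong passphrase fails the MAC check before it counts as a PIN attempt. It also shows the limit Lionel describes: BuildVerify has to hold the PIN and the passphrase in the clear on the PC, so software an attacker installs there reads both, passphrase or not.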