Re: [Full-Disclosure] Clear text password exposure in Datakey's tokens and smartcards

To: lionel.ferette@xxxxxxxxx
Subject: Re: [Full-Disclosure] Clear text password exposure in Datakey's tokens and smartcards
From: Toomas Soome <Toomas.Soome@xxxxxxxxxxxx>
Date: Wed, 04 Aug 2004 23:11:48 +0300
Cc: vuln@xxxxxxxxxxx, full-disclosure@xxxxxxxxxxxxxxxx, bugtraq@xxxxxxxxxxxxxxxxx
In-reply-to: <200408040845.27609.lionel.ferette@xxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
References: <Pine.LNX.4.58.0408032206440.2149@xxxxxxxxxxxxxxx> <200408040845.27609.lionel.ferette@xxxxxxxxx>
User-agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8a1) Gecko/20040520

Lionel Ferette wrote:

Note that this is true for almost all card readers on the market, not only forDatakey's. Having worked for companies using crypto smart cards, I haveconducted a few risk analysis about that. The conclusion has always been thatif the PIN must be entered from a PC, and the attacker has means to installsoftware on the system (through directed viruses, social engineering, etc),the game's over.
The only solution against that problem is to have the PIN entered using akeypad on the reader. Only then does the cost of an attack raisesignificantly. But that is opening another can of worms, because there is(was?) no standard for card readers with attached pin pad (at the time,PC/SCv2 wasn't finalised - is it?).

at least some cards are supporting des passphrases to implement securedcommunication channels but I suppose this feature is not that widely inuse.... how many card owners are prepared to remember both PIN codesand passphrases...


toomas

Follow-Ups:
- Re: [Full-Disclosure] Clear text password exposure in Datakey's tokens and smartcards
  - From: Lee Dilkie
- Re: [Full-Disclosure] Clear text password exposure in Datakey's tokens and smartcards
  - From: Kevin Sheldrake

References:
- Clear text password exposure in Datakey's tokens and smartcards
  - From: vuln
- Re: [Full-Disclosure] Clear text password exposure in Datakey's tokens and smartcards
  - From: Lionel Ferette

Prev by Date: MDKSA-2004:079 - Updated libpng packages fix multiple vulnerabilities
Next by Date: Linux kernel file offset pointer races
Previous by thread: Re: [Full-Disclosure] Clear text password exposure in Datakey's tokens and smartcards
Next by thread: Re: [Full-Disclosure] Clear text password exposure in Datakey's tokens and smartcards
Index(es):
- Date
- Thread