Re: [Full-Disclosure] Clear text password exposure in Datakey's tokens and smartcards

To: "Toomas Soome" <Toomas.Soome@xxxxxxxxxxxx>, lionel.ferette@xxxxxxxxx
Subject: Re: [Full-Disclosure] Clear text password exposure in Datakey's tokens and smartcards
From: "Kevin Sheldrake" <kev@xxxxxxxxxxxxxxxxx>
Date: Thu, 05 Aug 2004 11:39:18 +0100
Cc: vuln@xxxxxxxxxxx, full-disclosure@xxxxxxxxxxxxxxxx, bugtraq@xxxxxxxxxxxxxxxxx
In-reply-to: <41114304.4090403@xxxxxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
Organization: Electric Cat
References: <Pine.LNX.4.58.0408032206440.2149@xxxxxxxxxxxxxxx> <200408040845.27609.lionel.ferette@xxxxxxxxx> <41114304.4090403@xxxxxxxxxxxx>
User-agent: Opera M2/7.52 (Win32, build 3834)

Surely if the user is entering a passphrase then the same problem exists -that of effectively eavesdropping that communication from the keyboard?

Ignoring the initial expense for a moment, wouldn't it have made a lot ofsense to include the keypad actually on the cards? Obviously, cardreaders would need to be contructed such that the keypad part of the cardwould be exposed during use. The keypad security could then rely on thetamper resistant properties of the rest of the card.

From a costs perspective, I would guess that the actual per-card costincrease would be minimal if hundreds of millions of these cards wereproduced.

Kev

Lionel Ferette wrote:
Note that this is true for almost all card readers on the market, notonly for Datakey's. Having worked for companies using crypto smartcards, I have conducted a few risk analysis about that. The conclusionhas always been that if the PIN must be entered from a PC, and theattacker has means to install software on the system (through directedviruses, social engineering, etc), the game's over.The only solution against that problem is to have the PIN enteredusing a keypad on the reader. Only then does the cost of an attackraise significantly. But that is opening another can of worms, becausethere is (was?) no standard for card readers with attached pin pad (atthe time, PC/SCv2 wasn't finalised - is it?).
at least some cards are supporting des passphrases to implement securedcommunication channels but I suppose this feature is not that widely inuse.... how many card owners are prepared to remember both PIN codesand passphrases...
toomas




--
Kevin Sheldrake MEng MIEE CEng CISSP
Electric Cat (Bournemouth) Ltd

Follow-Ups:
- Re: [Full-Disclosure] Clear text password exposure in Datakey's tokens and smartcards
  - From: Seth Breidbart

References:
- Clear text password exposure in Datakey's tokens and smartcards
  - From: vuln
- Re: [Full-Disclosure] Clear text password exposure in Datakey's tokens and smartcards
  - From: Lionel Ferette
- Re: [Full-Disclosure] Clear text password exposure in Datakey's tokens and smartcards
  - From: Toomas Soome

Prev by Date: Re: International DNS compromise?
Next by Date: [ GLSA 200408-03 ] libpng: Numerous vulnerabilities
Previous by thread: Re: [Full-Disclosure] Clear text password exposure in Datakey's tokens and smartcards
Next by thread: Re: [Full-Disclosure] Clear text password exposure in Datakey's tokens and smartcards
Index(es):
- Date
- Thread