Re: [Full-Disclosure] Clear text password exposure in Datakey's tokens and smartcards

To: Toomas Soome <Toomas.Soome@xxxxxxxxxxxx>
Subject: Re: [Full-Disclosure] Clear text password exposure in Datakey's tokens and smartcards
From: Lee Dilkie <lee_dilkie@xxxxxxxxx>
Date: Thu, 05 Aug 2004 09:03:03 -0400
Cc: lionel.ferette@xxxxxxxxx, vuln@xxxxxxxxxxx, full-disclosure@xxxxxxxxxxxxxxxx, bugtraq@xxxxxxxxxxxxxxxxx
In-reply-to: <41114304.4090403@xxxxxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
References: <Pine.LNX.4.58.0408032206440.2149@xxxxxxxxxxxxxxx> <200408040845.27609.lionel.ferette@xxxxxxxxx> <41114304.4090403@xxxxxxxxxxxx>
User-agent: Mozilla Thunderbird 0.7.2 (Windows/20040707)

Toomas Soome wrote:

Lionel Ferette wrote:
Note that this is true for almost all card readers on the market, notonly for Datakey's. Having worked for companies using crypto smartcards, I have conducted a few risk analysis about that. Theconclusion has always been that if the PIN must be entered from a PC,and the attacker has means to install software on the system (throughdirected viruses, social engineering, etc), the game's over.
The only solution against that problem is to have the PIN enteredusing a keypad on the reader. Only then does the cost of an attackraise significantly. But that is opening another can of worms,because there is (was?) no standard for card readers with attachedpin pad (at the time, PC/SCv2 wasn't finalised - is it?).
at least some cards are supporting des passphrases to implementsecured communication channels but I suppose this feature is not thatwidely in use.... how many card owners are prepared to remember bothPIN codes and passphrases...
toomas

Perhaps I'm missing something here. As far as I can tell, no keyslocated on the card were compromised, only the PIN was. Since this is atwo factor authentication system, possession of the PIN is of littlevalue without possession of the token itself.


Am I missing the point here?

regards,

-lee

--
                     __|__
              --@--@--(_)--@--@--
"You can't be a real country unless you have a BEER and an airline. It
helps if you have some kind of a football team, or some nuclear weapons,
but at the very least you need a BEER."

--Frank Zappa__|__

              --@--@--(_)--@--@--

Follow-Ups:
- Re: [Full-Disclosure] Clear text password exposure in Datakey's tokens and smartcards
  - From: Kevin Sheldrake

References:
- Clear text password exposure in Datakey's tokens and smartcards
  - From: vuln
- Re: [Full-Disclosure] Clear text password exposure in Datakey's tokens and smartcards
  - From: Lionel Ferette
- Re: [Full-Disclosure] Clear text password exposure in Datakey's tokens and smartcards
  - From: Toomas Soome

Prev by Date: Re: International DNS compromise?
Next by Date: GNU/Linux 'info Buffer Overflow
Previous by thread: Re: [Full-Disclosure] Clear text password exposure in Datakey's tokens and smartcards
Next by thread: Re: [Full-Disclosure] Clear text password exposure in Datakey's tokens and smartcards
Index(es):
- Date
- Thread