Re: [Full-Disclosure] Clear text password exposure in Datakey's tokens and smartcards

To: "Lyal Collins" <lyalc@xxxxxxxxxxxxxx>, "'Toomas Soome'" <Toomas.Soome@xxxxxxxxxxxx>, lionel.ferette@xxxxxxxxx
Subject: Re: [Full-Disclosure] Clear text password exposure in Datakey's tokens and smartcards
From: "Kevin Sheldrake" <kev@xxxxxxxxxxxxxxxxx>
Date: Fri, 06 Aug 2004 12:25:04 +0100
Cc: bugtraq@xxxxxxxxxxxxxxxxx
In-reply-to: <011201c47b57$130f0860$6500a8c0@kpllaptop>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
Organization: Electric Cat
References: <011201c47b57$130f0860$6500a8c0@kpllaptop>
User-agent: Opera M2/7.52 (Win32, build 3834)

I don't doubt the widespread inherent nature of this vulnerability.

Smart cards used with PCs as the man-machine-interface is simply askingfor trouble IMHO. Unless I'm mistaken, there is very little that can bedone about this without redesigning/replacing current smart cards.Obviously, bespoke MMIs (such as door access systems) are less vulnerableto this issue. My problem is that people seem to view smart cards as apanacea, as a place to store digital certificates or 'identities' and thenuse them to 'prove' who they are.

Don't even start me on biometrics; if there is a PC (or anything that runssoftware) between the reader and the authenticator then couldn't you justreplace the reader with another bit of software that pretends to be areader? Where can I get the biometric info required? Police stationshave a large quantity of finger prints, as have practically every surfaceyou've touched recently...

Kev

This exposure, of PIN compromise, is genric in all smartcard productstoday,unless a dedicated PINpad or biometric-sensor equipped readers are used-

putting cost of ownership towards $1000 in some cases.
PC/SC doesn't help - as a data interfcae API spec, it excludes human
interface aspects.  STIP (Small Terminal Interoperability Platform at

www.stip.org) moves in this direction, but has evolved into manyvariants to

interoperate with proprietary vendors and proprietary industry standards.

The challenges in putting biometric sensors or PINpads onto cards include
the need to conform to ISO 7816 for form factor, physical resilience etc,
and that the cards are unpowered.  Or, someone redesigns the entire
form-factor, user interface model, portability and business model -
something that has previously failed to go anywhere.

Something like a mobile phone or PDA is a good compromise tool to this
overall exposure, imho.

Lyal



-----Original Message-----
From: Kevin Sheldrake [mailto:kev@xxxxxxxxxxxxxxxxx]
Sent: Thursday, 5 August 2004 8:39 PM
To: Toomas Soome; lionel.ferette@xxxxxxxxx
Cc: vuln@xxxxxxxxxxx; full-disclosure@xxxxxxxxxxxxxxxx;
bugtraq@xxxxxxxxxxxxxxxxx
Subject: Re: [Full-Disclosure] Clear text password exposure in Datakey's
tokens and smartcards

Surely if the user is entering a passphrase then the same problem exists-

that of effectively eavesdropping that communication from the keyboard?

Ignoring the initial expense for a moment, wouldn't it have made a lot of
sense to include the keypad actually on the cards?  Obviously, card
readers would need to be contructed such that the keypad part of the card
would be exposed during use.  The keypad security could then rely on the
tamper resistant properties of the rest of the card.

 From a costs perspective, I would guess that the actual per-card cost
increase would be minimal if hundreds of millions of these cards were
produced.

Kev

Lionel Ferette wrote:

Note that this is true for almost all card readers on the market, not
only for Datakey's. Having worked for companies using crypto smart
cards, I have conducted a few risk analysis about that. The conclusion
has always been that if the PIN must be entered from a PC, and the
attacker has means to install software on the system (through directed
viruses, social engineering, etc), the game's over.
 The only solution against that problem is to have the PIN entered
using a keypad on the reader. Only then does the cost of an attack
raise significantly. But that is opening another can of worms, because
there is (was?) no standard for card readers with attached pin pad (at
the time, PC/SCv2 wasn't finalised - is it?).


at least some cards are supporting des passphrases to implement secured
communication channels but I suppose this feature is not that widely in
use....  how many card owners are prepared to remember both PIN codes
and passphrases...

toomas




--
Kevin Sheldrake MEng MIEE CEng CISSP
Electric Cat (Bournemouth) Ltd

Prev by Date: SuSE Linux K-Menu YAST Control Center Priviledge Escalation Vulnerability
Next by Date: [OpenPKG-SA-2004.036] OpenPKG Security Advisory (cvstrac)
Previous by thread: Re: SuSE Linux K-Menu YAST Control Center Priviledge Escalation Vulnerability
Next by thread: [OpenPKG-SA-2004.036] OpenPKG Security Advisory (cvstrac)
Index(es):
- Date
- Thread