Re: [Full-Disclosure] Clear text password exposure in Datakey's tokens and smartcards
From: Toomas Soome (Toomas.Soome_at_microlink.ee)
Date: 08/04/04
- Previous message: Valdis.Kletnieks_at_vt.edu: "Re: [Full-Disclosure] Defcon spelled half backwards is Fedcon and you dumfucks walked into a trap"
- In reply to: Lionel Ferette: "Re: [Full-Disclosure] Clear text password exposure in Datakey's tokens and smartcards"
- Next in thread: Kevin Sheldrake: "Re: [Full-Disclosure] Clear text password exposure in Datakey's tokens and smartcards"
- Reply: Kevin Sheldrake: "Re: [Full-Disclosure] Clear text password exposure in Datakey's tokens and smartcards"
- Reply: Lee Dilkie: "Re: [Full-Disclosure] Clear text password exposure in Datakey's tokens and smartcards"
- Reply: Kevin Sheldrake: "Re: [Full-Disclosure] Clear text password exposure in Datakey's tokens and smartcards"
- Reply: Lee Dilkie: "Re: [Full-Disclosure] Clear text password exposure in Datakey's tokens and smartcards"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: lionel.ferette@belnet.be
Date: Wed, 04 Aug 2004 23:11:48 +0300
Lionel Ferette wrote:
> Note that this is true for almost all card readers on the market, not only for
> Datakey's. Having worked for companies using crypto smart cards, I have
> conducted a few risk analyses about that. The conclusion has always been that
> if the PIN must be entered from a PC, and the attacker has means to install
> software on the system (through directed viruses, social engineering, etc),
> the game's over.
>
> The only solution against that problem is to have the PIN entered using a
> keypad on the reader. Only then does the cost of an attack rise
> significantly. But that is opening another can of worms, because there is
> (was?) no standard for card readers with attached pin pad (at the time,
> PC/SCv2 wasn't finalised - is it?).
>
At least some cards support DES passphrases to implement secured
communication channels, but I suppose this feature is not that widely in
use.... How many card owners are prepared to remember both PIN codes
and passphrases...
toomas
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
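
Added example, not part of the original post or thread: a check a deployment can run to learn whether a reader offers PIN entry on its own keypad or whether the PIN has to be typed on the PC, where host software can see it. It assumes the tag/length/value layout of the PC/SC v2 Part 10 GET_FEATURE_REQUEST reply; the function names and the sample replies are constructed for illustration.

```python
# Feature tags as defined in PC/SC v2 Part 10 (readers with secure PIN entry).
FEATURE_NAMES = {
    0x01: "VERIFY_PIN_START",
    0x02: "VERIFY_PIN_FINISH",
    0x03: "MODIFY_PIN_START",
    0x04: "MODIFY_PIN_FINISH",
    0x05: "GET_KEY_PRESSED",
    0x06: "VERIFY_PIN_DIRECT",
    0x07: "MODIFY_PIN_DIRECT",
}


def parse_features(resp: bytes) -> dict:
    """Parse a GET_FEATURE_REQUEST reply into {tag: control_code}.

    The reply is a sequence of entries: tag (1 byte), length (1 byte,
    expected to be 4), then a big-endian control code.
    """
    features = {}
    i = 0
    while i < len(resp):
        if i + 2 > len(resp):
            raise ValueError("truncated TLV header at offset %d" % i)
        tag, length = resp[i], resp[i + 1]
        value = resp[i + 2:i + 2 + length]
        if length != 4 or len(value) != 4:
            raise ValueError("bad control code for tag 0x%02x" % tag)
        features[tag] = int.from_bytes(value, "big")
        i += 2 + length
    return features


def pin_entry_path(resp: bytes) -> str:
    """Return 'pinpad' if the reader can capture the PIN itself, else 'host'."""
    feats = parse_features(resp)
    direct = 0x06 in feats
    start_finish = 0x01 in feats and 0x02 in feats
    return "pinpad" if (direct or start_finish) else "host"


# Constructed sample replies (not captured from any real reader).
SAMPLE_PINPAD = bytes.fromhex("060442330006" "070442330007")
SAMPLE_PLAIN = bytes.fromhex("120442330012")  # no PIN-entry features listed

if __name__ == "__main__":
    for name, resp in (("pinpad", SAMPLE_PINPAD), ("plain", SAMPLE_PLAIN)):
        names = [FEATURE_NAMES.get(t, hex(t)) for t in parse_features(resp)]
        print(name, names, "->", pin_entry_path(resp))
```

A result of "host" means the PIN reaches the card only after passing through the PC, which is the situation the quoted risk analysis describes.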