Re: [Full-Disclosure] Clear text password exposure in Datakey's tokens and smartcards

From: Toomas Soome (Toomas.Soome_at_microlink.ee)
Date: 08/04/04

Date: Wed, 04 Aug 2004 23:11:48 +0300
To: lionel.ferette@belnet.be


Lionel Ferette wrote:

> Note that this is true for almost all card readers on the market, not only for
> Datakey's. Having worked for companies using crypto smart cards, I have
> conducted a few risk analyses about that. The conclusion has always been that
> if the PIN must be entered from a PC, and the attacker has means to install
> software on the system (through directed viruses, social engineering, etc.),
> the game's over.
>
> The only solution against that problem is to have the PIN entered using a
> keypad on the reader. Only then does the cost of an attack rise
> significantly. But that is opening another can of worms, because there is
> (was?) no standard for card readers with an attached PIN pad (at the time,
> PC/SC v2 wasn't finalised - is it?).
>

At least some cards are supporting DES passphrases to implement secured
communication channels, but I suppose this feature is not that widely in
use.... how many card owners are prepared to remember both PIN codes
and passphrases...

toomas

